Researchers Find Malicious Vs Code, Go, Npm, And Rust Packages...
Cybersecurity researchers have discovered two new extensions on Microsoft Visual Studio Code (VS Code) Marketplace that are designed to infect developer machines with stealer malware.
The VS Code extensions masquerade as a premium dark theme and an artificial intelligence (AI)-powered coding assistant, but, in actuality, harbor covert functionality to download additional payloads, take screenshots, and siphon data. The captured information is then sent to an attacker-controlled server.
"Your code. Your emails. Your Slack DMs. Whatever's on your screen, they're seeing it too," Koi Security's Idan Dardikman said. "And that's just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions."
Microsoft's list of removed extensions from the Marketplace shows that the company also removed a third package named "BigBlack.mrbigblacktheme" from the same publisher for containing malware.
While "BigBlack.bitcoin-black" activates on every VS Code action, Codo AI embeds its malicious functionality within a working tool, thereby allowing it to bypass detection.
Earlier versions of the extensions came with the ability to execute a PowerShell script to download a password-protected ZIP archive from an external server ("syn1112223334445556667778889990[.]org") and extract from it the main payload using four different methods: Windows native Expand-Archive, .NET System.IO.Compression, DotNetZip, and 7-Zip (if installed).
That said, the attacker is said to have inadvertently shipped a version that created a visible PowerShell window and could have alerted the user. Subsequent iterations, however, have been found to hide the window and streamline the entire process by switching to a batch script that uses a curl command to download the executable and DLL.
"A developer could install what looks like a harmless theme or a useful AI tool, and within seconds their WiFi passwords, clipboard contents, and browser sessions are being exfiltrated to a remote server," Dardikman said.
The disclosure comes as Socket said it identified malicious packages across the Go, npm, and Rust ecosystems that are capable of harvesting sensitive data -
"Finch-rust acts as a malware loader; it contains mostly legitimate code copied from the legitimate finch package but includes a single malicious line that loads and executes the sha-rust payload," Socket researcher Kush Pandya said. "This separation of concerns makes detection harder: finch-rust looks
Source: The Hacker News
