1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Developers targeted by malicious Microsoft VSCode extensions

    From TechnologyDaily@1337:1/100 to All on Thursday, December 19, 2024 11:30:05
    Developers targeted by malicious Microsoft VSCode extensions

    Date:
    Thu, 19 Dec 2024 11:26:10 +0000

    Description:
    Researchers spot more than a dozen extensions on the repository deploying malware.

    FULL STORY ======================================================================Reversin g Labs and Assaraf discover campaign targeting software and web3 devs
    Multiple packages were hiding weaponized code that deploys stage-two malware The malicious intent was very difficult to spot

    Software developers, especially those working on web3 and cryptocurrency projects, are being targeted in a brand new software supply chain attack, experts have claimed.

    Security researcher Amit Assaraf published a new blog post outlining how he had observed dozens of malicious Visual Studio Code extensions on the VSCode marketplace designed to download well-hidden second-stage payloads from shady domains (some in Russia).

    A similar report was recently published by cybersecurity researchers
    Reversing Labs, who said that the campaign most likely started in October 2024. Heavily obfuscated files

    "Throughout October 2024, the RL research team saw a new wave of malicious VSCode extensions containing downloader functionality all part of the same campaign," the researchers said. "The community was first notified of this campaign taking place in early October, and since then, the team has been steadfast in tracking it."

    The packages are designed for tools like Zoom, Solidity (a programming language for smart contracts on Ethereum, among others), and more. Similar packages were found on NPM, as well.

    While both Reversing Labs and Assaraf did not analyze the second-stage payload, BleepingComputer says it is a heavily obfuscated Windows CMD file that launches a hidden PowerShell command. Its goal is to decrypt AES-encrypted strings in additional CMD files, to drop further payloads, including malware that gets flagged by just 27 out of 71 antivirus engines.

    While the number of compromised endpoints is difficult to determine, Assaraf says its most likely in the thousands. He added that the attack was very difficult to spot, since the packages check all the right boxes:

    Looking closely, you can see it has several great indicators for it being real, the high number of installs, the official Zoom Github repo, the
    positive reviews. Going into the publisher page we continue to get positive reinforcements, he said. The domain name looks great, it has the official support email, it has all the official socials, everything checks out.

    The only thing developers can do is exert care when downloading software packages. Dont trust - verify is the usual mantra, especially within the cryptocurrency community.

    Via BleepingComputer You might also like Hundreds of malware-laden fake npm packages posted online to try and trick developers Here's a list of the best antivirus These are the best endpoint protection tools right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/developers-targeted-by-malicious-micros oft-vscode-extensions


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)