In the last few years, there has been a dramatic rise (1300%) in supply chain attacks across multiple public repositories. ReversingLabs’ researchers have been monitoring them daily to detect malicious packages. After packages are detected, the team notifies administrators for these public repositories, and encourages them to take the offending packages down if they are still up. With these threat hunting efforts, the RL research team is trying to raise awareness of the threat posed to software producers and their customers when malicious packages are added to the development cycle.
Up until recently, malicious actors were mostly active in two public repositories: npm and PyPI. ReversingLabs has discovered several malicious campaigns in those repositories in recent months. In January, I wrote about malicious npm packages that leverage GitHub to store stolen Base64-encrypted SSH keys. And in February, RL researcher Petar Kirhmajer wrote about malicious PyPI packages that were observed using sideloading to execute code.
As we have expanded our monitoring efforts to include other popular public repositories such as RubyGems and, most notably, NuGet, we have come across malicious campaigns affecting users of those package managers as well. RL threat researcher Karlo Zanki wrote in October 2023 about the newest malicious NuGet packages, where malicious functionality is placed inside the <packageID>.targets file in the “build” directory. More recently, one of our researchers discovered another suspicious NuGet package, SqzrFramework480, that may be targeting developers working with technology made by a China-based firm that does industrial and digital equipment manufacturing.
In the last couple of months, our attention expanded to include the Visual Studio Code Marketplace (or VS Code Marketplace). VS Code Marketplace is a popular online platform where developers publish, share, and install extensions that enhance Microsoft’s Visual Studio Code (VS Code) open-source code editor. Historically, VS Code Marketplace hasn’t been a popular destination for malicious actors interested in pushing malicious wares via open source packages - at least based on our observations. There have only been a few research blogs that exposed malicious VS Code extensions, the majority of which were published in the first half of 2023.
The ReversingLabs research team decided to dig into the VS Code Marketplace and see if threats might be lurking there. In the process, the team discovered multiple malicious extensions engineered to steal data and linked to the same author: VSAnalysistest. These extensions — named clipboard-helper-vscode, code-ai-assistant, codegpt-helper, and mycodegpt-assistant — were removed from the VS Code Marketplace at the time this research took place.
While these extensions were not very complicated, the RL research team believed it was worth documenting what we discovered so that organizations that rely on the VS Code Marketplace are informed about the presence of supply chain threats on that platform. Here's what we found — and steps development organizations can take to identify VS Code Marketplace threats.
The post Malicious helpers: VS Code Extensions observed stealing sensitive information appeared first on Security Boulevard.
Lucija Valentić
Source: Security Boulevard
Source Link: https://securityboulevard.com/2024/04/malicious-helpers-vs-code-extensions-observed-stealing-sensitive-information/