Malicious VSCode Extensions Install Cryptominer, Putting Developers at Risk

Max Carter

April 08, 2025 · 4 min read

Developers using Microsoft's Visual Studio Code (VSCode) editor are being warned to delete or avoid 10 newly published extensions that secretly install a cryptominer, putting their systems and data at risk. The malicious extensions, which masquerade as popular development tools, have been available on the Visual Studio Code Marketplace since April 4 and may have been downloaded by as many as 1 million users, according to researchers at Extension Total.

The extensions, which appear to offer legitimate functionality, download and execute a PowerShell loader that establishes persistence, disables security services, and deploys the XMRig cryptominer from a remote command and control (C2) server. This type of attack is a classic example of a third-party supply chain attack, which can have devastating consequences if left unchecked.

Robert Beggs, CEO of DigitalDefence, a Canadian incident response firm, noted that the attack is not sophisticated, but it can still be effective due to developers' tendency to disable security controls and ignore warnings. "Developers are famous for disabling security controls" and focusing on ensuring their application works as expected, Beggs said. This highlights the need for multiple layers of defense on a developer's computer, including Microsoft Defender, which should issue warnings about changes to the Windows Registry or security defenses being disabled.

To mitigate the risk of such attacks, Beggs recommends that CISOs and CIOs ensure that app developers work on a separate network from the production network. This can help prevent the spread of malware and minimize the attack surface.

The 10 malicious extensions, which are published under different author names, share identical code and communicate with the same C2 server to download and execute the same payload. The extensions include Prettier – Code for VSCode, Discord Rich Presence for VS Code, Rojo – Roblox Studio Sync, and others. Researchers at Extension Total noted that one red flag is that the publishers didn't verify their listed domain ownership, which is a good practice to ensure the publisher is who they claim to be.

The malicious extensions use a simple tactic to delay detection: after downloading the malicious payload, they attempt to install the legitimate extension they impersonate, so the user sees the functionality they expected. The PowerShell script first tries to run the payload with administrator permissions; if it lacks them, it creates a second directory named System32 and copies the ComputerDefaults.exe file into it.

The script then drops a malicious DLL named MLANG.dll and tries to load it through the copied ComputerDefaults executable. The DLLs and the Trojan executable are embedded in the PowerShell script as plain base64-encoded strings, which it decodes and writes to the directory it created, after excluding that directory from Windows Defender monitoring.

Launcher.exe then communicates with a second C2 server, myaunet[.]su, to download and execute XMRig, a tool used for mining Monero. This highlights the need for developers to be vigilant and take proactive measures to protect their systems and data from such attacks.
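As an added example (not code from the article, Extension Total or DigitalDefence), the following Python script audits a local VS Code extensions folder for the indicators the article describes: the C2 domain, the ComputerDefaults.exe/MLANG.dll staging, XMRig, and a hidden, base64-encoded PowerShell loader. The regexes, the scoring weights and the Windows Defender exclusion pattern are my assumptions.

```python
import re
from pathlib import Path

# Indicators taken from the article, plus a Defender-exclusion pattern and weights
# that are my own assumptions (not part of the article or the researchers' report).
INDICATORS = {
    "c2_domain":        (re.compile(r"myaunet\.su", re.I), 10),
    "sideload_dll":     (re.compile(r"MLANG\.dll", re.I), 5),
    "computerdefaults": (re.compile(r"ComputerDefaults\.exe", re.I), 5),
    "xmrig":            (re.compile(r"\bxmrig\b", re.I), 5),
    "defender_excl":    (re.compile(r"Add-MpPreference|ExclusionPath", re.I), 4),
    "ps_encoded":       (re.compile(r"powershell[^\n]{0,80}?-(enc|encodedcommand)\b", re.I), 3),
    "ps_hidden":        (re.compile(r"-WindowStyle\s+Hidden|\s-w\s+hidden\b", re.I), 2),
}
SUSPICIOUS_SCORE = 5  # one strong indicator alone, or several weak ones together

def scan_source(text):
    """Return {indicator_name: match_count} for the contents of one file."""
    counts = {name: len(pattern.findall(text)) for name, (pattern, _) in INDICATORS.items()}
    return {name: n for name, n in counts.items() if n}

def score(hits):
    # Sum the weights of every indicator present in a scan_source() result.
    return sum(INDICATORS[name][1] for name in hits)

def scan_extension(ext_dir):
    """Aggregate indicator hits over every script/config file under one extension folder."""
    hits = {}
    for path in Path(ext_dir).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".js", ".cjs", ".mjs", ".ts", ".ps1", ".json"}:
            for name, n in scan_source(path.read_text(encoding="utf-8", errors="ignore")).items():
                hits[name] = hits.get(name, 0) + n
    return hits

def audit(extensions_root=None):
    """Return [(folder_name, score, hits)] for every extension at or above SUSPICIOUS_SCORE."""
    root = Path(extensions_root) if extensions_root else Path.home() / ".vscode" / "extensions"
    report = []
    for ext in sorted(p for p in root.iterdir() if p.is_dir()):
        hits = scan_extension(ext)
        if score(hits) >= SUSPICIOUS_SCORE:
            report.append((ext.name, score(hits), hits))
    return report

# Constructed sample of what a trojanised extension entry point might contain (placeholders only).
SAMPLE_MALICIOUS_JS = ("cp.exec('powershell -WindowStyle Hidden -EncodedCommand <BASE64_PLACEHOLDER>');\n"
                       "// second stage fetches the miner from https://myaunet.su/<PATH_PLACEHOLDER>\n")
```

Calling `audit()` with no argument scans the default user extensions folder; a hit on the C2 domain alone is enough to exceed the threshold, while a single `powershell` invocation is not, so legitimate extensions that shell out are not flagged by that alone.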

The incident serves as a reminder of the importance of robust security measures, including verifying publisher domain ownership, using multiple layers of defense, and separating development networks from production networks. Developers must remain cautious when downloading extensions and tools, and organizations must prioritize security to prevent such attacks from succeeding.
