Cybersecurity researchers from Certego and Check Point have uncovered malicious code embedded within at least 19 Visual Studio Code (VS Code) extensions. This discovery highlights a significant supply chain risk for developers who rely on these widely used programming tools.

Nature of the Malicious Extensions

The identified malicious extensions were designed to perform various harmful actions. These actions include credential harvesting, remote code execution, and infostealing malware. Such capabilities allow attackers to compromise developer machines, steal sensitive data, and potentially inject further malicious code into projects.

Implications for Developers and Supply Chain Security

The presence of malware in VS Code extensions poses a direct threat to the development ecosystem. Developers who install these compromised extensions unwittingly expose their systems and projects to sophisticated attacks. This incident underscores the importance of stringent security vetting for development tools and emphasizes the need for continuous vigilance in securing the software supply chain.

Source: https://www.infosecurity-magazine.com/news/malware-discovered-in-19-vs-code/