Malicious VS Code Extension and NPM Packages Target Developers

Why this matters: These incidents demonstrate the growing sophistication of supply chain attacks targeting developers. Compromised extensions and packages can lead to significant data breaches and system compromises, affecting both individual developers and larger organizations.

VS Code Extension with Ransomware

A researcher discovered a VS Code extension ('susvsex') that openly advertised its malicious intent. The extension was designed to zip, upload, and encrypt files from specific directories on Windows and macOS systems upon installation or launch. It also used a private GitHub repository for command-and-control (C2) operations. The developer inadvertently included decryption tools and C2 server code, making it easier to analyze and potentially counter the threat.

Trojanized NPM Packages

Datadog Security Labs identified 17 NPM packages designed to execute the Vidar Stealer on infected systems. The attack chain involves a post-install script that downloads a ZIP archive from an external server and executes the Vidar executable. Some variants used PowerShell scripts to download the ZIP archive, followed by a JavaScript file to complete the attack. This discovery highlights the need for developers to scrutinize package contents and post-install scripts carefully.

How to Prepare

Who This Affects Most

Software developers, DevOps engineers, and organizations that rely on open-source components are most vulnerable to these types of attacks. The impact can range from data theft and system compromise to supply chain contamination, affecting downstream users of the compromised software.

A supply chain attack targets vulnerabilities in the software development and distribution process to compromise systems or data.

Verify package integrity, review changelogs, use package scanners, and limit permissions in your development environment.

Supply chain attacks are becoming increasingly common and sophisticated. Developers should exercise caution when installing third-party extensions and packages, and organizations should implement robust security measures to detect and prevent these attacks. Key actions include verifying package integrity, reviewing changelogs, and using automated package scanners.

Do you think the software development community is doing enough to combat supply chain attacks? Share your thoughts in the comments below!

Share this article with others who need to stay ahead of this trend!