A newly discovered security flaw in integrated development environments (IDEs) like Visual Studio Code allows malicious extensions to bypass verified status checks, enabling attackers to execute arbitrary code on developers’ machines. This vulnerability stems from weaknesses in the extension verification process, where attackers can create rogue extensions that appear verified while containing harmful functionality.
How the Flaw Works
Attackers craft malicious extensions with identical verifiable values (e.g., publisher IDs) as legitimate, verified extensions. This tricks IDEs into displaying a “verified” badge, creating a false sense of trust. Once installed, these extensions can run operating system commands, steal authentication tokens, or open reverse shells to attackers’ servers. The exploit relies on distributing extensions outside official marketplaces (e.g., via phishing or compromised repositories), bypassing marketplace security checks.
Broader Security Implications
VS Code extensions lack a permission model, allowing any extension—even seemingly benign ones like themes—to execute system commands, access files, or spawn processes without user consent. And since extensions auto-update in the background, attackers can compromise legitimate extensions later and inject malicious code. Marketplace Vulnerabilities: Official marketplaces like the VS Code Marketplace and Open VSX Registry have design flaws
Impact and Mitigation
Researchers found 1,283 extensions with known malicious code (229 million installs) and thousands more with high-risk behaviors. To mitigate, enable VS Code’s Restricted Mode to limit extension functionality in untrusted folders and avoid sideloaded extensions; download only from official sources.
