• Kuinox@lemmy.world
    5 months ago

    Fake news headline. There is no virus installed on millions of computers.
    An extension typosquatting an extension with millions of installs managed to be installed a few hundred times.

    • Tekhne@sh.itjust.works
      5 months ago

      I believe they’re referring to lower down in the article, where the researchers analyzed existing extensions on the marketplace:

      After the successful experiment, the researchers decided to dive into the threat landscape of the VSCode Marketplace, using a custom tool they developed named ‘ExtensionTotal’ to find high-risk extensions, unpack them, and scrutinize suspicious code snippets.

      Through this process, they have found the following:

      • 1,283 with known malicious code (229 million installs).
      • 8,161 communicating with hardcoded IP addresses.
      • 1,452 running unknown executables.
      • 2,304 that are using another publisher’s GitHub repo, indicating they are a copycat.
  • towerful@programming.dev
    5 months ago

    What makes this even more sneaky is that JetBrains has a theme called “Darcula”.

    So, with a wider generic theme called Dracula and themes that duplicate JetBrains’ Darcula theme, it is no surprise that “Darcula Official” is being installed.
    It’s more than just a typosquat.

    Edit:
    But why can a theme make web requests?!

    • hydroptic@sopuli.xyz
      5 months ago

      But why can a theme make web requests?!

      Because we live in a broken world and nothing matters.

      On a more serious note, it’s a pretty horrifying misfeature. What’s even more worrying is that by all appearances Microsoft doesn’t give a shit, if they apparently didn’t even bother removing the malicious extensions that were reported. Not that I’m surprised, but still.

      • 30p87@feddit.de
        5 months ago

        But why can a theme make web requests?!

        Why can a Word or Excel file execute shell code? Why does M$ SQL Server have xp_cmdshell?

        Because we live in a broken world and nothing matters.

        Because devs chose to live in this part of the world, dictated by M$ and other large companies, who just don’t care.
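
Added example, not part of any comment above and not the researchers' ExtensionTotal tool: a VS Code theme only needs a declarative `contributes.themes` entry, so a "theme" whose manifest also declares a `main` or `browser` entry point ships code that runs in the extension host. The sketch below flags that case plus two of the signals listed in the quoted article (hardcoded IPs, process launching); the function name, rule names and sample manifests are constructed for illustration.

```javascript
// Heuristic audit of an unpacked VS Code extension. Inputs are the parsed
// package.json and a {path: sourceText} map, so the check runs offline.
const IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
const PROCESS_SPAWN = /\b(?:child_process|execSync|execFile|spawn)\b/;
const LOCAL_ONLY = /^(?:127\.|0\.0\.0\.0$)/;

function auditExtension(manifest, sources) {
  const findings = [];
  const categories = (manifest.categories || []).map((c) => c.toLowerCase());
  const contributes = manifest.contributes || {};
  const looksLikeTheme = categories.includes("themes") ||
    Boolean(contributes.themes) || Boolean(contributes.iconThemes);

  // A declarative theme has no entry point; "main"/"browser" means code executes.
  const entry = manifest.main || manifest.browser;
  if (looksLikeTheme && entry) {
    findings.push({ rule: "theme-with-code", detail: `entry point ${entry}` });
  }
  const events = manifest.activationEvents || [];
  if (looksLikeTheme && events.length > 0) {
    findings.push({ rule: "theme-with-activation", detail: events.join(",") });
  }

  for (const [path, text] of Object.entries(sources)) {
    // Dotted version strings can also match; treat hits as leads for review.
    const ips = [...new Set(text.match(IPV4) || [])].filter((ip) => !LOCAL_ONLY.test(ip));
    if (ips.length) findings.push({ rule: "hardcoded-ip", detail: `${path}: ${ips.join(",")}` });
    if (PROCESS_SPAWN.test(text)) findings.push({ rule: "spawns-process", detail: path });
  }
  return findings;
}

// Constructed samples (not real extensions); 203.0.113.7 is a documentation address.
const themeEntry = [{ label: "Sample", uiTheme: "vs-dark", path: "./themes/sample.json" }];
const pureTheme = {
  manifest: { name: "sample-theme", categories: ["Themes"], contributes: { themes: themeEntry } },
  sources: {},
};
const themeWithCode = {
  manifest: { name: "sample-theme-official", categories: ["Themes"], main: "./extension.js",
    activationEvents: ["*"], contributes: { themes: themeEntry } },
  sources: { "extension.js":
    'const cp = require("child_process");\nfetch("http://203.0.113.7/collect");' },
};

console.log(auditExtension(pureTheme.manifest, pureTheme.sources));
console.log(auditExtension(themeWithCode.manifest, themeWithCode.sources));
```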