A recently discovered bug in Open VSX has raised concerns about the security of Microsoft Visual Studio Code (VS Code) extensions. According to cybersecurity researchers, the bug affected the pre-publish scanning pipeline, allowing malicious extensions to bypass security checks and become available in the registry. This vulnerability was caused by a single boolean return value that had a dual meaning, indicating both the absence of configured scanners and the failure of all scanners to run.
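The ambiguity described above, shown next to a fail-closed version, as an added example that is not Open VSX's code. All function names, the `Outcome` enum and the sample scanners are hypothetical and constructed for illustration.

```python
from enum import Enum

class Outcome(Enum):
    CLEAN = 1
    FLAGGED = 2
    NOT_CONFIGURED = 3
    SCAN_FAILED = 4

def scans_ran(scanners, package, findings):
    """Ambiguous: False means 'no scanners configured' OR 'every scanner failed'."""
    ran = False
    for scan in scanners:
        try:
            findings.append(scan(package))
            ran = True
        except Exception:
            pass  # the failure is swallowed; the caller never learns of it
    return ran

def publish_ambiguous(scanners, package):
    findings = []
    if not scans_ran(scanners, package, findings):
        return "published"  # caller reads False as "nothing configured": fails open
    return "held" if any(findings) else "published"

def scan_outcome(scanners, package):
    """Hardened: each state gets its own value, so a failure cannot look like 'no scanners'."""
    if not scanners:
        return Outcome.NOT_CONFIGURED
    failed = False
    for scan in scanners:
        try:
            if scan(package):
                return Outcome.FLAGGED
        except Exception:
            failed = True
    # Assumption: any scanner error holds the upload (stricter than the all-failed case).
    return Outcome.SCAN_FAILED if failed else Outcome.CLEAN

def publish_hardened(scanners, package):
    outcome = scan_outcome(scanners, package)
    return "published" if outcome in (Outcome.CLEAN, Outcome.NOT_CONFIGURED) else "held"

# Constructed sample scanners: one that matches a marker, one that always errors.
def marker_scanner(package):
    return b"SAMPLE-BAD-MARKER" in package

def broken_scanner(package):
    raise RuntimeError("scanner unavailable")
```

Whether `NOT_CONFIGURED` should publish at all is a policy decision; the point is that the caller can now make it explicitly.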

The implications of this bug are significant, as it potentially enables attackers to upload malicious extensions to the VS Code marketplace without being detected. Fortunately, the bug has been patched, and the pre-publish scanning pipeline has been improved to prevent similar vulnerabilities in the future. The discovery of this bug highlights the importance of robust security measures in the development and deployment of software extensions, particularly those used by popular platforms like VS Code.