A recent investigation by security researchers has revealed a troubling surge in malicious campaigns exploiting popular development tools, including VSCode extensions and npm packages.
These campaigns compromise local development environments and pose risks to broader software supply chains.
From VSCode Marketplace to npm
Initially detected by ReversingLabs in the VSCode Marketplace, the campaign expanded to the npm ecosystem in late 2024.
One example of the latest malicious npm packages is etherscancontracthandler, with five versions identified. Three of these included obfuscated payloads designed to download additional malicious components. The similarities between the npm package and compromised VSCode extensions suggest the same threat actor or group created them.
These campaigns initially targeted the cryptocurrency community. However, by late October 2024, they broadened their focus, impersonating widely used applications like Zoom. Threat actors employed sophisticated tactics, including inflated install counts and fabricated reviews, to make the malicious extensions appear credible.
The investigation also uncovered common endpoints shared by the malicious VSCode extensions and npm packages. Some domains, such as “microsoft-visualstudiocode[.]com,” mimicked trusted sources to deceive users. Obfuscated JavaScript was used extensively to evade detection.
Securing Development Tools and Practices
This campaign underscores the need for vigilance in using development tools and third-party libraries. ReversingLabs recommends several best practices to mitigate risks:
-
Audit plugins and dependencies regularly for vulnerabilities
-
Validate and pre-approve development tools and their extensions before use
-
Conduct frequent security assessments to identify new risks introduced by updates or third-party libraries
Read more on securing the software supply chain: CISA Urges Improvements in US Software Supply Chain Transparency
“When using packages from public repositories, developers should keep an eye peeled for possible inclusion of a malicious code to avoid a malicious package being introduced as a dependency in some larger project,” ReversingLabs warned.
“Development organizations should also scrutinize the features and behaviors of the open source, third-party and commercial code they are relying on, to track dependencies and detect potential malicious payloads in them.”