{"id":6439,"date":"2024-06-18T16:43:28","date_gmt":"2024-06-18T19:43:28","guid":{"rendered":"https:\/\/base4sec.com\/sin-categorizar\/vs-code-extension-attack\/2024\/06\/18\/"},"modified":"2024-06-18T16:43:28","modified_gmt":"2024-06-18T19:43:28","slug":"vs-code-extension-attack","status":"publish","type":"post","link":"https:\/\/base4sec.com\/en\/technical-en\/vs-code-extension-attack\/2024\/06\/18\/","title":{"rendered":"VS Code Extension Attack"},"content":{"rendered":"<p class=\"cuerpo-nota\">In the world of computer security,\u00a0<b>Visual Studio Code (VS Code)<\/b>\u00a0extensions have emerged as a new attack vector for cybercriminals.\u00a0<b>Visual Studio Code<\/b>, published by\u00a0<b>Microsoft<\/b>, is a source code editor used by many professional developers around the world.\u00a0<b>Microsoft<\/b>\u00a0also operates an extension marketplace for the\u00a0<b>IDE<\/b>, called the\u00a0<b>Visual Studio Code Marketplace<\/b>, which offers add-ons that extend application functionality and provide more customization options.<\/p>\n<p>There are numerous reports indicating breaches in\u00a0<b>VS Code<\/b>\u00a0security, allowing extension spoofing, as well as extensions stealing authentication tokens from developers. 
Recent research by an Israeli group reveals alarming numbers: the researchers developed a custom tool called &#8216;ExtensionTotal&#8217; to find high-risk extensions, unpack them and examine suspicious code snippets.<\/p>\n<p>Through this process, they found the following:<\/p>\n<p>\u2022\u00a01,283 extensions with known malicious code\u00a0<b>(229 million installations)<\/b>.<\/p>\n<p>\u2022\u00a08,161 extensions communicating with\u00a0<b>encrypted IP addresses<\/b>.<\/p>\n<p>\u2022\u00a01,452 extensions\u00a0<b>using another publisher&#8217;s GitHub repository, indicating that they are knockoffs<\/b>.<\/p>\n<p>\u2022\u00a02,304 extensions that\u00a0<b>use another publisher&#8217;s GitHub repository, indicating that they are knockoffs<\/b>.<\/p>\n<p>This article aims to replicate the\u00a0<b>development of a malicious extension<\/b>\u00a0to understand the associated risks, warn about its potential impact, and demonstrate an example of the techniques used to gain access and establish persistence through these extensions. We will explore how to set up a secure environment, develop the malicious extension, and finally, ensure post-exploitation persistence.<\/p>\n<p><span class=\"subtitulo-nota\">Prerequisites<\/span><\/p>\n<p>To develop a malicious extension in\u00a0<b>VS Code<\/b>\u00a0we need to set up a suitable development environment. It should have the following elements:<\/p>\n<p>\u2022\u00a0<b>Node.js<\/b><br \/>\n\u2022\u00a0<b>Visual Studio Code<\/b><br \/>\n\u2022\u00a0<b>Git<\/b><br \/>\n\u2022\u00a0<b>Visual Studio Code Extension Generator<\/b><\/p>\n<p>Once these steps are completed, you will have a development environment set up and ready to start developing the extension.<\/p>\n<p><span class=\"subtitulo-nota\">Developing the malicious extension<\/span><\/p>\n<p>With the development environment set up, the next step is to develop the malicious extension. 
All the code for our extension will be in the\u00a0<b>extension.ts<\/b>\u00a0file, which contains the code base generated by the\u00a0<b>VS Code<\/b>\u00a0extension creation wizard. Initially, this file includes a simple example that displays a\u00a0<b>&#8220;Hello World from color-picker!&#8221;<\/b>\u00a0message when the helloWorld command is invoked.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97a.jpeg\" \/><\/center>&nbsp;<\/p>\n<p class=\"cuerpo-nota\">To transform this extension into a malicious tool, we will make some key modifications. The idea is to execute a reverse shell when the user invokes a specific command within VS Code. This is achieved by modifying two main files:\u00a0<b>package.json<\/b>\u00a0and\u00a0<b>extension.ts<\/b>.<\/p>\n<p>In\u00a0<b>package.json<\/b>, we will configure a command that behaves like a legitimate extension, similar to a tool commonly used by developers and designers, such as a\u00a0<b>&#8220;color-picker&#8221;<\/b>. This configuration will allow us to execute our malicious code without arousing suspicion.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97b.jpeg\" \/><\/center>&nbsp;<\/p>\n<p class=\"cuerpo-nota\">Then, in extension.ts, we will add the necessary code to execute a reverse shell. This code will be executed when the malicious command is invoked. To test that everything works correctly, we will use the VS Code debugging tools, which allow us to run and test the extension directly from the development environment.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97c.jpeg\" \/><\/center>&nbsp;<\/p>\n<p class=\"cuerpo-nota\">Before implementing the malicious code, it is essential to make sure that the basic configuration of the extension works correctly. To do this, we will first test the extension with the code base provided by the wizard. 
This verification step is crucial because it confirms that the basics are working; otherwise we might encounter problems later on and incorrectly assume that the failure is due to the added code, when in fact it could be a problem with the initial configuration.<\/p>\n<p>To perform this verification, we must run the extension with the small modifications applied. This is done from the\u00a0<b>VS Code<\/b>\u00a0development environment using the built-in debugging tools. We will go to the &#8220;Run&#8221; menu option and select\u00a0<b>&#8220;Start Debugging&#8221;<\/b>. This process will open a new instance of\u00a0<b>VS Code\u00a0<\/b>where we can test the extension.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97d.jpeg\" \/><\/center>&nbsp;<\/p>\n<p class=\"cuerpo-nota\">In this new instance, we will press the keyboard shortcut\u00a0<b>ctrl+shift+p<\/b>\u00a0to open the command palette and select our extension command. If everything works correctly, we should see the message\u00a0<b>&#8220;Hello World!&#8221;<\/b>\u00a0displayed in the\u00a0<b>VS Code<\/b>\u00a0interface. This step confirms that the basic configuration is operational and provides a checkpoint before entering the malicious code.<\/p>\n<p>Once we have verified that the basic configuration works, we can proceed to enter the reverse shell code in\u00a0<b>extension.ts<\/b>\u00a0and modify the default command. This code will take care of establishing a remote connection to our attacking system every time the malicious command is executed.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97e.jpeg\" \/><\/center>&nbsp;<\/p>\n<p class=\"cuerpo-nota\">Finally, to ensure that the remote connection is successful, we will listen on our remote system (in this case, a machine with\u00a0<b>Kali Linux<\/b>) and run the extension from the victim machine (<b>Windows 11<\/b>). 
The IP of the attacking machine is\u00a0<b>192.168.1.135<\/b>\u00a0and corresponds to our Kali on the local network that will receive the connection:<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97f.jpeg\" \/><\/center>&nbsp;<\/p>\n<p class=\"cuerpo-nota\">We listen on our\u00a0<b>Kali<\/b>\u00a0on port\u00a04444\u00a0and run the extension again from our Windows 11 victim:<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97g.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">Press F5 to launch a new debug instance in\u00a0<b>VS Code<\/b>. In this new instance, we use the keyboard shortcut\u00a0<b>ctrl+shift+p<\/b>\u00a0to open the command palette and execute the malicious extension command. Upon doing so, the connection is successfully established, allowing us to gain access to the\u00a0<b>Windows 11<\/b>\u00a0system from our\u00a0<b>Kali Linux<\/b>\u00a0machine. This is possible thanks to the execution of the reverse shell code we have embedded in the malicious extension, which demonstrates the effectiveness of the technique and underscores the importance of understanding and mitigating these risks in corporate environments.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97h.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\"><span class=\"subtitulo-nota\">Post-Exploitation and Persistence<\/span><\/p>\n<p>Once we have gained access to the target system via our malicious extension, the next step is to ensure persistence and perform post-exploitation activities. 
This will allow us to maintain access even if the machine is rebooted and perform additional actions to further explore and compromise the system.<\/p>\n<p>For post-exploitation, we will use\u00a0<b>powershell-empire<\/b>, a powerful\u00a0<b>post-exploitation\u00a0<\/b>tool that allows attackers to execute commands and scripts on compromised systems remotely. First, we configure the\u00a0<b>powershell-empire server<\/b>\u00a0on our attacking machine, which will allow us to manage and control the agents running on the compromised systems. On another terminal, we run the\u00a0<b>client<\/b>, which we will use to interact with the server and configure our\u00a0<b>listeners and stagers<\/b>.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97i.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">The next step is to create a new listener in the\u00a0<b>powershell-empire<\/b>\u00a0client. This listener is a component that waits for incoming connections from agents. We configure the listener with the necessary parameters, such as host and port, so that it is ready to receive connections. With the listener configured, we proceed to create a\u00a0<b>PowerShell<\/b>\u00a0payload. This payload, once executed on the compromised\u00a0<b>Windows 11<\/b>\u00a0system, will establish a connection back to the listener, registering itself as a new agent and allowing remote control of the system.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97j.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97k.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">Now, we will proceed to create the PowerShell payload that we will run on the\u00a0<b>Windows 11<\/b>\u00a0system already compromised by the malicious extension. 
We generate this payload by following a series of specific commands that will allow us to configure the stager that will communicate with the listener we have previously set up.<\/p>\n<p>First, in the\u00a0<b>powershell-empire<\/b>\u00a0client interface, we enter the main menu and select the\u00a0<b>multi\/launcher<\/b>\u00a0stager. This stager is a versatile option that allows us to configure several parameters to establish the connection back to the listener. We configure the listener by specifying the type we have previously created, in this case,\u00a0<b>http<\/b>, and set the necessary properties, such as the host and port where our listener is waiting for connections.<\/p>\n<p>Once configured, we run the command to generate the payload. This will be a PowerShell script that, when run on the compromised Windows system, will establish a connection back to the listener and register a new agent in\u00a0<b>powershell-empire<\/b>. This agent will provide us with remote control over the compromised system, allowing us to perform a wide range of post-exploitation actions.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97l.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">After generating the payload, we run it on the compromised\u00a0<b>Windows 11\u00a0<\/b>system, leveraging the reverse shell session we have established with our malicious extension. Upon executing the payload, we verify that the agent is correctly registered in the listener and appears in the\u00a0<b>powershell-empire<\/b>\u00a0client interface. 
This step is crucial to ensure that our configuration is correct and that the compromised system is now under our remote control.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97m.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p><center>Note message: New agent 4ADCSV6Z checked in<\/center><\/p>\n<p class=\"cuerpo-nota\">With the agent registered and active, we can proceed to use the available post-exploitation modules to perform additional activities, ensuring that our access to the compromised system is durable and stable.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97o.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">As you can see below,\u00a0<b>VS Code<\/b>\u00a0is not running on the\u00a0<b>Windows 11<\/b>\u00a0machine. This is possible because, once the agent has been successfully registered through the post-exploitation framework, we no longer need to keep the editor open. Access and control over the compromised system are maintained regardless of the state of the application.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97p.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">This shows that once the agent has successfully registered, it is not necessary to keep\u00a0<b>VS Code<\/b>\u00a0open to maintain the connection. However, it is important to note that if the machine is restarted, we will lose the connection, as the agent will not persist unless we configure a proper persistence technique.<\/p>\n<p>Next, we proceed to establish persistence on the compromised system. We use the\u00a0<b>powershell_persistence_userland_registry<\/b>\u00a0module that allows us to set persistence in the Windows registry. This module creates an entry in the registry that will execute our payload every time the user logs in. 
We configure and run the persistence module, making sure that the payload runs automatically on every system restart.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97q.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">We can confirm that the persistence has been successfully established when we see the message: &#8220;<b>Registry persistence established using listener http stored in HKCU\\Microsoft\\Windows\\CurrentVersion\\Debug<\/b>&#8220;. This message indicates that the persistence module has successfully created a Windows registry entry.<\/p>\n<p>This persistence technique involves storing the payload in a registry key located at\u00a0<b>HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Debug<\/b>, which ensures that the PowerShell script is automatically executed every time the user logs on to the system. By setting this registry key, we ensure that the agent re-registers with the listener even after the computer is rebooted, thus maintaining remote access to the compromised system persistently.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97r.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">We will try rebooting the compromised Windows to confirm persistence. Once the system has rebooted, we will check if a new agent is automatically registered in\u00a0<b>powershell-empire<\/b>. 
This step is crucial to ensure that the implemented persistence technique is working correctly and that our remote access to the compromised system is durable.<\/p>\n<p>Each time we reboot, a new agent will register, indicating that the\u00a0<b>PowerShell<\/b>\u00a0payload stored in the Windows registry is automatically executed at user logon, reconnecting the compromised system with our listener.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97s.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">With persistence confirmed, we can start playing with some\u00a0<b>powershell-empire<\/b>\u00a0commands to explore and get more information from the compromised system. For example, we can use the\u00a0<b>powershell\/situational_awareness\/host\/computerdetails\u00a0<\/b>module to collect system details. This module will provide us with valuable information about the hardware and software of the compromised system, including the computer name, operating system version and more.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97t.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">We can perform a port scan on the network using the\u00a0<b>powershell\/situational_awareness\/network\/portscan<\/b>\u00a0module. This module allows us to scan for open ports on specific devices within the compromised system&#8217;s network. We configure the module to scan a particular host, for example,\u00a0<b>raspberrypi.local<\/b>, and run the scan command. 
This type of scan helps us identify other devices and services accessible on the network, which may be potential targets for future attacks or entry points for lateral movement within the infrastructure.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/localhost\/assets\/images\/blog\/nota_97u.jpeg\" \/><\/center><b>\u00a0<\/b><\/p>\n<p class=\"cuerpo-nota\">These post-exploitation steps, along with persistence verification, not only allow us to maintain continuous access to the compromised system, but also to expand our knowledge and control over the environment, facilitating broader and more effective exploitation.<\/p>\n<p><span class=\"subtitulo-nota\">Conclusion<\/span><\/p>\n<p>Exploring and demonstrating how to develop a malicious extension for\u00a0<b>VS Code<\/b>\u00a0allows us to better understand the risks associated with installing extensions and underscores the importance of security in development environments. Through environment configuration, extension development, and post-exploitation and persistence techniques, we have evidenced potential vulnerabilities that can be exploited by malicious actors.<\/p>\n<p>The use of tools such as powershell-empire for post-exploitation highlights the ease with which an attacker can maintain continuous and lasting access to a compromised system, even after a reboot. The Windows registry-based persistence technique ensures that the attacker can automatically reconnect to the compromised system, making mitigation of such threats more challenging.<\/p>\n<p>It is essential that developers and security professionals are aware of these attack vectors and take proactive measures to protect their environments. 
This includes carefully verifying installed extensions, implementing strict security policies, and using monitoring and analysis tools to detect suspicious behavior.<\/p>\n<p>In summary, this exercise not only demonstrates an exploitation technique, but also highlights the need for constant vigilance and a rigorous approach to security in software development. By understanding and anticipating these threats, we can strengthen our defenses and ensure a more secure and resilient development environment.<\/p>\n<div class=\"referencias-nota-title\">\n<h5>References<\/h5>\n<\/div>\n<div>\n<p>&#8211;\u00a0<a href=\"https:\/\/medium.com\/@amitassaraf\/the-story-of-extensiontotal-how-we-hacked-the-vscode-marketplace-5c6e66a0e9d7\">How We Hacked Multi-Billion Dollar<br \/>\nCompanies in 30 Minutes Using a<br \/>\nFake VSCode Extension<\/a><\/p>\n<p>&#8211;\u00a0<a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/vscode-marketplace-can-be-abused-to-host-malicious-extensions\/\">VSCode Marketplace can be abused<br \/>\nto host malicious extensions<\/a><\/p>\n<p>&#8211;\u00a0<a href=\"https:\/\/www.aquasec.com\/blog\/can-you-trust-your-vscode-extensions\/\">Can You Trust Your VSCode Extensions?<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In the world of computer security,\u00a0Visual Studio Code (VS Code)\u00a0extensions have emerged as a new attack vector for cybercriminals.\u00a0Visual Studio Code, published by\u00a0Microsoft, is a source code editor used by many professional developers around the world.\u00a0Microsoft\u00a0also operates an extension marketplace for the\u00a0IDE, called the\u00a0Visual Studio Code Marketplace, offers add-ons that extend application functionality and provide 
[&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":5644,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_wpcom_ai_launchpad_first_post":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[259],"tags":[],"class_list":["post-6439","post","type-post","status-publish","format-standard","has-post-thumbnail","category-technical-en"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.9 (Yoast SEO v27.9) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>VS Code Extension Attack - BASE4 Security<\/title>\n<meta name=\"description\" content=\"BASE4 Security, consultora de ciberseguridad con presencia en Argentina, Chile, Per\u00fa, Colombia, M\u00e9xico y Espa\u00f1a. Servicios de CyberSOC, Red Team, GRC y Zero Trust.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/base4sec.com\/en\/technical-en\/vs-code-extension-attack\/2024\/06\/18\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"VS Code Extension Attack\" \/>\n<meta property=\"og:description\" content=\"An\u00e1lisis t\u00e9cnico y estrategia de ciberseguridad por el equipo de BASE4 Security. 
Insights sobre CyberSOC, Red Team, GRC y Zero Trust para LATAM y Espa\u00f1a.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/base4sec.com\/en\/technical-en\/vs-code-extension-attack\/2024\/06\/18\/\" \/>\n<meta property=\"og:site_name\" content=\"BASE4 Security\" \/>\n<meta property=\"article:published_time\" content=\"2024-06-18T19:43:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/base4sec.com\/wp-content\/uploads\/2024\/12\/blog_97.png\" \/>\n\t<meta property=\"og:image:width\" content=\"600\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Base4 Security Research\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Base4 Security Research\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/\"},\"author\":{\"name\":\"Base4 Security Research\",\"@id\":\"\\\/#\\\/schema\\\/person\\\/5905e7398728c03dbec3772861bd4f99\"},\"headline\":\"VS Code Extension 
Attack\",\"datePublished\":\"2024-06-18T19:43:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/\"},\"wordCount\":2176,\"commentCount\":0,\"publisher\":{\"@id\":\"\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/base4sec.com\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/blog_97.png\",\"articleSection\":[\"Technical\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/\",\"url\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/\",\"name\":\"VS Code Extension Attack - BASE4 Security\",\"isPartOf\":{\"@id\":\"\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/base4sec.com\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/blog_97.png\",\"datePublished\":\"2024-06-18T19:43:28+00:00\",\"description\":\"BASE4 Security, consultora de ciberseguridad con presencia en Argentina, Chile, Per\u00fa, Colombia, M\u00e9xico y Espa\u00f1a. 
Servicios de CyberSOC, Red Team, GRC y Zero Trust.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/#primaryimage\",\"url\":\"https:\\\/\\\/base4sec.com\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/blog_97.png\",\"contentUrl\":\"https:\\\/\\\/base4sec.com\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/blog_97.png\",\"width\":600,\"height\":600,\"caption\":\"POR: Juan Cruz Tommasi (Ethical Hacking and Research)\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/base4sec.com\\\/en\\\/technical-en\\\/vs-code-extension-attack\\\/2024\\\/06\\\/18\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Inicio\",\"item\":\"https:\\\/\\\/base4sec.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"VS Code Extension Attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"\\\/#website\",\"url\":\"\\\/\",\"name\":\"BASE4 Security\",\"description\":\"Your cyber ally\",\"publisher\":{\"@id\":\"\\\/#organization\"},\"alternateName\":\"B4\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"\\\/#organization\",\"name\":\"BASE4 
Security\",\"url\":\"\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/base4sec.com\\\/wp-content\\\/uploads\\\/2024\\\/10\\\/Logo_policromo_negativo.png\",\"contentUrl\":\"https:\\\/\\\/base4sec.com\\\/wp-content\\\/uploads\\\/2024\\\/10\\\/Logo_policromo_negativo.png\",\"width\":372,\"height\":227,\"caption\":\"BASE4 Security\"},\"image\":{\"@id\":\"\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/base4-security\"],\"description\":\"BASE4 Security es una consultora de ciberseguridad B2B con prop\u00f3sito, fundada en Argentina y con operaciones en Argentina, Chile, Per\u00fa, Colombia, M\u00e9xico y Espa\u00f1a. Ofrece servicios de CyberSOC, Red Team, GRC, Identity Security, Cloud Security y Application Security para empresas en SOLA y NOLA.\",\"email\":\"info@base4sec.com\",\"telephone\":\"02262653623\",\"legalName\":\"BASE4 Security\",\"foundingDate\":\"2008-01-16\",\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"minValue\":\"51\",\"maxValue\":\"200\"}},{\"@type\":\"Person\",\"@id\":\"\\\/#\\\/schema\\\/person\\\/5905e7398728c03dbec3772861bd4f99\",\"name\":\"Base4 Security Research\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2fd8bd108b76c23a0df95f08c42f3f8653e30a2562d252777bc2a74096d212e4?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2fd8bd108b76c23a0df95f08c42f3f8653e30a2562d252777bc2a74096d212e4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2fd8bd108b76c23a0df95f08c42f3f8653e30a2562d252777bc2a74096d212e4?s=96&d=mm&r=g\",\"caption\":\"Base4 Security Research\"},\"url\":\"https:\\\/\\\/base4sec.com\\\/en\\\/author\\\/cliteplo\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"VS Code Extension Attack - BASE4 Security","canonical":"https:\/\/base4sec.com\/en\/technical-en\/vs-code-extension-attack\/2024\/06\/18\/","article_published_time":"2024-06-18T19:43:28+00:00","author":"Base4 Security Research","twitter_misc":{"Written by":"Base4 Security Research","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","headline":"VS Code Extension Attack","datePublished":"2024-06-18T19:43:28+00:00","wordCount":2176,"articleSection":["Technical"],"inLanguage":"en-US"},{"@type":"ImageObject","caption":"POR: Juan Cruz Tommasi (Ethical Hacking and Research)"}]}}}