A recent investigation by cybersecurity experts has uncovered a concerning uptick in malicious campaigns targeting popular development tools such as VSCode extensions and npm packages. These campaigns have been found to compromise local development environments and pose significant risks to software supply chains.
The initial detection of these malicious campaigns was made by ReversingLabs in the VSCode Marketplace, with the threat expanding to the npm ecosystem later on. One example of the latest malicious npm packages identified is etherscancontracthandler, which included obfuscated payloads across five different versions. The similarities between these compromised npm packages and VSCode extensions suggest that they may have been created by the same threat actor or group.
While these campaigns initially targeted the cryptocurrency community, they have since evolved to impersonate popular applications like Zoom. Threat actors have gone to great lengths to make these malicious extensions appear legitimate, using tactics such as inflating install counts and fabricating reviews.
The investigation also revealed shared endpoints between the malicious VSCode extensions and npm packages, with some domains mimicking trusted sources to deceive users. Both relied heavily on obfuscated JavaScript to evade detection.
In light of these findings, it is crucial for developers to be vigilant when using development tools and third-party libraries. ReversingLabs recommends several best practices to mitigate risks, including regularly auditing plugins and dependencies for vulnerabilities, validating and pre-approving development tools and extensions before use, and conducting frequent security assessments to identify new risks introduced by updates or third-party libraries.
Developers should remain cautious when using packages from public repositories, since a malicious package can enter a larger project as a dependency. Development organizations are advised to closely scrutinize the features and behaviors of the open source, third-party, and commercial code they rely on, so that dependencies are tracked and any malicious payloads can be detected.
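The pre-approval and auditing practices described above can be turned into a simple workstation check. The following Node.js script is an added example, not code from the article or from ReversingLabs: it compares installed VSCode extensions and a project's package.json dependencies against an allowlist, and flags JavaScript source that carries indicators typical of obfuscated payloads (all sample inputs are constructed; the extension publisher and names in them are hypothetical, apart from the etherscancontracthandler package the article names).

```javascript
// Added example: allowlist audit of VSCode extensions and npm dependencies,
// plus a heuristic scan for obfuscation indicators. Not the article's code.

// Indicators common in obfuscated npm payloads: dynamic code evaluation,
// long runs of hex/unicode-escaped characters, and large base64 blobs.
// These are heuristics to prioritise review, not proof of malice.
const OBFUSCATION_PATTERNS = {
  eval: /\beval\s*\(/,
  functionCtor: /new\s+Function\s*\(/,
  hexEscapes: /(?:\\x[0-9a-fA-F]{2}){8,}/,
  unicodeEscapes: /(?:\\u[0-9a-fA-F]{4}){8,}/,
  base64Blob: /[A-Za-z0-9+/]{200,}={0,2}/,
};

// Names present in `installed` but not in `allowlist` (case-insensitive).
function findUnapproved(installed, allowlist) {
  const approved = new Set(allowlist.map((n) => n.toLowerCase()));
  return installed.filter((n) => !approved.has(n.toLowerCase()));
}

// Parses the output of `code --list-extensions` (one publisher.name per line).
function parseExtensionList(output) {
  return output.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
}

// Dependency names from package.json text (runtime and dev dependencies).
function parseDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
}

// Names of the indicator patterns that match a JavaScript source string.
function obfuscationIndicators(source) {
  return Object.entries(OBFUSCATION_PATTERNS)
    .filter(([, re]) => re.test(source))
    .map(([name]) => name);
}

// Constructed sample inputs (hypothetical publisher/extension; not real data).
const SAMPLE_EXTENSIONS = 'ms-python.python\nesbenp.prettier-vscode\nunknown-pub.zoom-helper\n';
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { express: '^4.19.0', etherscancontracthandler: '1.0.0' },
  devDependencies: { eslint: '^9.0.0' },
});
const APPROVED = ['ms-python.python', 'esbenp.prettier-vscode', 'express', 'eslint'];
// Constructed snippet in the style of an obfuscated loader: hex-escaped string plus eval.
const SAMPLE_SUSPICIOUS_JS = 'var _0=["\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78"];eval(atob("aHR0cHM6"));';

function runAudit() {
  return {
    unapprovedExtensions: findUnapproved(parseExtensionList(SAMPLE_EXTENSIONS), APPROVED),
    unapprovedDependencies: findUnapproved(parseDependencies(SAMPLE_PACKAGE_JSON), APPROVED),
    indicators: obfuscationIndicators(SAMPLE_SUSPICIOUS_JS),
  };
}
console.log(JSON.stringify(runAudit(), null, 2));
```

In practice, feed `parseExtensionList` the real `code --list-extensions` output and run `obfuscationIndicators` over the files of any dependency that is new or changed in a lockfile update, then review the flagged ones by hand.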
By following these best practices and remaining vigilant, developers can help safeguard their development environments and protect software supply chains from malicious attacks.