A recent investigation conducted by security researchers has brought to light a concerning increase in malicious campaigns targeting popular development tools such as VSCode extensions and npm packages. These campaigns have been found to compromise local development environments and pose significant risks to software supply chains.
The initial discovery of these malicious campaigns was made by ReversingLabs in the VSCode Marketplace, with the threat later spreading to the npm ecosystem towards the end of 2024. One of the latest examples of malicious npm packages is etherscancontracthandler, which has been identified in five different versions. Three of these versions contained obfuscated payloads aimed at downloading additional malicious components. The resemblance between these npm packages and compromised VSCode extensions strongly suggests that they may have been created by the same threat actor or group.
While these campaigns initially targeted the cryptocurrency community, by late October 2024 they had expanded their focus to include widely used applications such as Zoom. To make the malicious extensions appear legitimate, threat actors inflated install counts and fabricated reviews. The investigation also revealed common endpoints shared by the malicious VSCode extensions and npm packages, with some domains mimicking trusted sources, such as “microsoft-visualstudiocode[.]com”, to deceive users. The campaigns also made extensive use of obfuscated JavaScript to evade detection.
In light of these findings, it is imperative for developers to exercise vigilance when using development tools and third-party libraries. ReversingLabs recommends several best practices to mitigate risks, including regularly auditing plugins and dependencies for vulnerabilities, validating and pre-approving development tools and extensions before use, and conducting frequent security assessments to identify new risks introduced by updates or third-party libraries.
Developers should also remain vigilant when pulling packages from public repositories, both to keep malicious code out of their own projects and to avoid introducing a malicious package as a dependency of larger ones. Development organizations are advised to scrutinize the features and behaviors of the open-source, third-party, and commercial code they rely on, track their dependencies, and look for malicious payloads within them.
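The auditing practices above can be partly mechanized. The script below is an added example written for this page, not code from ReversingLabs or from any of the packages mentioned; it shows a pre-approval check a developer could run over an npm dependency and over an editor's installed extensions before trusting them. It flags the three signals the report describes: lifecycle install scripts (especially ones that fetch from the network), obfuscated JavaScript, and URLs whose hosts imitate a trusted vendor. The package names, extension IDs, the `.example` look-alike host and the obfuscated snippet are all constructed for the demonstration; the `auditPackage` input shape is an assumption of this example rather than any tool's real API.

```javascript
// Added example (not code from the report or from any real package): a small
// pre-approval audit for an npm dependency and a VSCode extension list.
// All sample inputs below are constructed for the demo.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators of obfuscated JavaScript: [label, pattern].
const OBFUSCATION_PATTERNS = [
  ["eval-call", /\beval\s*\(/],
  ["function-constructor", /new\s+Function\s*\(/],
  ["fromCharCode-chain", /String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}/],
  ["hex-escape-run", /(?:\\x[0-9a-fA-F]{2}){8,}/],
  ["long-base64-literal", /["'][A-Za-z0-9+/]{200,}={0,2}["']/],
];

// Brand words that legitimate vendors own; a host containing one of them whose
// registrable domain is not the vendor's own is treated as a look-alike.
const BRAND_TOKENS = ["microsoft", "visualstudio", "vscode", "npmjs"];
const LEGIT_DOMAINS = new Set(["microsoft.com", "visualstudio.com", "npmjs.com"]);

function registrableDomain(host) {
  // Simplified: last two labels (adequate for .com-style names).
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function findLookalikeDomains(source) {
  const hosts = new Set();
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = urlRe.exec(source)) !== null) {
    const host = m[1].toLowerCase();
    if (LEGIT_DOMAINS.has(registrableDomain(host))) continue;
    if (BRAND_TOKENS.some((t) => host.includes(t))) hosts.add(host);
  }
  return [...hosts];
}

// Assumed input shape: { name, manifest: parsed package.json, files: { path: source } }
function auditPackage(pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ kind: "lifecycle-script", detail: `${hook}: ${cmd}` });
    // An install hook that reaches out to the network matches the pattern the
    // report describes (payloads that download further components).
    if (/\b(curl|wget|powershell)\b/i.test(cmd) || /https?:\/\//i.test(cmd)) {
      findings.push({ kind: "install-script-downloads", detail: hook });
    }
  }
  for (const [path, src] of Object.entries(pkg.files || {})) {
    for (const [label, re] of OBFUSCATION_PATTERNS) {
      if (re.test(src)) findings.push({ kind: "obfuscation", detail: `${path}: ${label}` });
    }
    for (const host of findLookalikeDomains(src)) {
      findings.push({ kind: "lookalike-domain", detail: `${path}: ${host}` });
    }
  }
  return findings;
}

// Pre-approval check for editor extensions: anything installed that is not on
// the organisation's allow-list is returned for review.
function unapprovedExtensions(installedIds, allowList) {
  const allowed = new Set(allowList.map((id) => id.toLowerCase()));
  return installedIds.filter((id) => !allowed.has(id.toLowerCase()));
}

// Constructed samples (placeholder names; not real packages).
const SAMPLE_BENIGN = {
  name: "example-benign-pkg",
  manifest: { scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = (s, n) => s.padStart(n);" },
};

const SAMPLE_SUSPICIOUS = {
  name: "example-suspicious-pkg",
  manifest: { scripts: { postinstall: "node setup.js" } },
  files: {
    "setup.js": [
      // constructed look-alike host, modelled on the pattern the report mentions
      'const u = "https://updates.microsoft-visualstudiocode.example/next";',
      // char-code obfuscation that decodes only to console.log(1) here
      "eval(String.fromCharCode(99,111,110,115,111,108,101,46,108,111,103,40,49,41));",
    ].join("\n"),
  },
};

for (const pkg of [SAMPLE_BENIGN, SAMPLE_SUSPICIOUS]) {
  console.log(pkg.name, JSON.stringify(auditPackage(pkg), null, 2));
}
```

Running it reports nothing for the benign sample and four findings for the suspicious one (the postinstall hook, two obfuscation indicators, and the look-alike host). The heuristics are deliberately simple, so treat a hit as a reason to read the package by hand before approving it, not as a verdict; a clean result says only that none of these particular signals is present.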
For more information on securing the software supply chain, you can read about CISA’s call for improvements in US software supply chain transparency. Stay informed and stay secure in your development practices to protect against malicious threats targeting popular development tools and libraries.