• kinttach@lemm.ee
    link
    fedilink
    English
    arrow-up
    6
    ·
    6 months ago

    Their findings included an extension that opens an obvious reverse shell.

    • Kuinox@lemmy.world
      link
      fedilink
      arrow-up
      2
      arrow-down
      5
      ·
      6 months ago

      They made themselves the extensions.
      If you are talking about the other reverse shell, it hit a local IP address.

      • kinttach@lemm.ee
        link
        fedilink
        English
        arrow-up
        4
        ·
        6 months ago

        True, it’s a private (not local) IP. It could easily have connected to a remote system, as their proof-of-concept did.

        This code execs cmd.exe and pipes output to and from a hardcoded IP. That’s pretty weird. What’s running on that IP? How does the extension know something is there?

        It looks like VS Code has no review — human or automated — or enforced entitlement system that would have stopped this or at least had someone verify it was legit.

        • Kuinox@lemmy.world
          link
          fedilink
          arrow-up
          1
          arrow-down
          3
          ·
          6 months ago

          Thing is, tons of code extensions have an RCE in one form or another, but they always hit a localhost, or configurable IP. How do there automated analysis did any difference ?
          Tons of extensions summon the cmd to summon the language devtools, their automated analysis flagged tons of package and they infer millions of infeections from that.