
Cybersecurity researchers have discovered a loophole in the Visual Studio Code Marketplace that allows threat actors to reuse the names of previously deleted extensions.
Software supply chain security firm ReversingLabs said it made the discovery after identifying a malicious extension named "ahbanc.shiba," which behaves much like two other extensions flagged in early March this year (ahban.shiba and ahban.cychelloworld).
All three extensions act as downloaders that retrieve a PowerShell payload from an external server. The payload encrypts files in a folder named "testShiba" on the victim's Windows desktop and demands a ransom in Shiba Inu tokens, to be deposited in an unspecified wallet. The reappearance suggests continued development by the threat actors.
The company said it decided to dig deeper because the name of the new extension ("ahbanc.shiba") is nearly identical to one of the two identified earlier ("ahban.shiba").
Each extension must have a unique ID formed by combining the publisher name and the extension name (i.e., <publisher>.<name>). In the cases investigated by ReversingLabs, the two extensions differ only in the publisher name; the extension name itself is the same.

According to the Visual Studio Code documentation, the name field specified in the extension manifest must be "all lowercase with no spaces" and "unique to the Marketplace."
"So how did the extensions ahban.shiba and ahbanc.shiba end up having the same name?" asked security researcher Lucija Valentić. ReversingLabs found that a name can only be reused in this way when the original extension has been removed (unpublished) by its author.
It is worth noting that the ability to reuse the names of deleted packages also applies to the Python Package Index (PyPI) repository, as ReversingLabs demonstrated in early 2023.
At the time, the company found that deleting a package makes the project name "available to other PyPI users" as long as the distribution file names (a combination of project name, version number, and distribution type) differ from those used by the deleted distribution.
However, PyPI makes an exception: a package name cannot be reused if it was previously used by a malicious package. The Visual Studio Code Marketplace does not appear to have a similar restriction preventing the reuse of names from malicious extensions.
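The naming scheme described above (a unique <publisher>.<name> ID, with the extension name alone not required to be unique across publishers) suggests a simple defensive check: compare the extensions actually installed against an allowlist of approved IDs and flag any extension whose name matches an approved one but whose publisher differs. The following is an added example written for this article, not code from ReversingLabs, Microsoft, or the VS Code project. It assumes the `publisher.name@version` line format printed by `code --list-extensions --show-versions`, treats IDs as case-insensitive (an assumption), and uses a constructed allowlist and constructed sample input; the `contoso`/`contosso` publisher pair is hypothetical.

```python
"""Flag installed VS Code extensions that reuse an approved extension's name
under a different publisher. Added example, not ReversingLabs' or VS Code's code."""

from collections import defaultdict

# Constructed allowlist of approved extension IDs (publisher.name). Hypothetical names.
APPROVED_IDS = {
    "contoso.deploy-helper",
    "ms-python.python",
    "esbenp.prettier-vscode",
}

# Constructed sample in the format of `code --list-extensions --show-versions`.
# "contosso" is a hypothetical look-alike publisher reusing the approved name.
SAMPLE_LISTING = """\
Contosso.Deploy-Helper@1.2.0
ms-python.python@2024.22.0
esbenp.prettier-vscode@11.0.0
"""

# Constructed list of IDs as a Marketplace search might return them; includes the
# two extension IDs discussed in the article, which share the name "shiba".
SAMPLE_MARKETPLACE_IDS = ["ahban.shiba", "ahbanc.shiba", "ms-python.python"]


def parse_extension_id(ext_id: str) -> tuple[str, str, str]:
    """Split 'publisher.name[@version]' into (publisher, name, version).

    The ID part is lower-cased because Marketplace IDs are assumed to be
    matched case-insensitively (assumption made for this example).
    """
    ident, _, version = ext_id.strip().partition("@")
    ident = ident.lower()
    publisher, sep, name = ident.partition(".")
    if not sep or not publisher or not name:
        raise ValueError(f"not a publisher.name extension ID: {ext_id!r}")
    return publisher, name, version


def parse_listing(text: str) -> list[tuple[str, str, str]]:
    """Parse the multi-line output of `code --list-extensions --show-versions`."""
    return [parse_extension_id(line) for line in text.splitlines() if line.strip()]


def publisher_lookalikes(listing, approved_ids):
    """Return installed extensions whose name is approved but whose publisher is not.

    This is exactly the ahban.shiba / ahbanc.shiba pattern: same extension name,
    different publisher. Extensions not on the allowlist at all are ignored here.
    """
    approved_publisher_for_name = {}
    for ext_id in approved_ids:
        publisher, name, _ = parse_extension_id(ext_id)
        approved_publisher_for_name[name] = publisher

    findings = []
    for publisher, name, version in listing:
        expected = approved_publisher_for_name.get(name)
        if expected is not None and expected != publisher:
            findings.append({
                "installed": f"{publisher}.{name}@{version}",
                "expected": f"{expected}.{name}",
            })
    return findings


def names_with_multiple_publishers(ext_ids):
    """Group a set of Marketplace IDs by extension name and return the names that
    appear under more than one publisher, with the publishers sorted."""
    publishers_by_name = defaultdict(set)
    for ext_id in ext_ids:
        publisher, name, _ = parse_extension_id(ext_id)
        publishers_by_name[name].add(publisher)
    return {name: sorted(pubs) for name, pubs in publishers_by_name.items() if len(pubs) > 1}


if __name__ == "__main__":
    for finding in publisher_lookalikes(parse_listing(SAMPLE_LISTING), APPROVED_IDS):
        print(f"look-alike publisher: {finding['installed']} (approved: {finding['expected']})")
    for name, pubs in names_with_multiple_publishers(SAMPLE_MARKETPLACE_IDS).items():
        print(f"name {name!r} is published by {', '.join(pubs)}")
```

In practice the listing would be piped in from `code --list-extensions --show-versions` on each developer machine, and the allowlist kept alongside the rest of the organisation's software inventory; a hit from `publisher_lookalikes` is a reason to check the extension's publishing history before trusting it, not proof of malice on its own.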

The development comes as the leaked Black Basta chat logs show that threat actors have been considering seeding open source registries with ransomware-laden libraries that demand a ransom from unsuspecting victims who install them. This makes it all the more important for organizations and developers to adopt secure development practices and actively monitor these ecosystems for software supply chain threats.
"The discovery of this loophole reveals a new threat: the name of a removed extension can be reused by anyone," Valentić said. "So if a legitimate and extremely popular extension is removed, then you can get that name."
The findings follow the discovery of eight malicious npm packages that deliver a Google Chrome information stealer targeting Windows systems, capable of sending passwords, credit card data, cryptocurrency wallet data, and user cookies to a railway[.]app URL, or to a Discord webhook as a fallback mechanism.
The packages, published by users named ruer and npjun, are listed below:
- toolkdvv (versions 1.1.0, 1.0.0)
- react-sxt (version 2.4.1)
- react-typex (version 0.1.0)
- react-typexs (version 0.1.0)
- react-sdk-solana (version 2.4.1)
- react-native-control (version 2.4.1)
- revshare-sdk-api (version 2.4.1)
- revshare-sdk-apii (version 2.4.1)

What is noteworthy about these packages is that they use 70 layers of obfuscated code to unpack a Python payload designed to facilitate data theft and exfiltration.
"Open source software repositories have become one of the main entry points for attackers as part of supply chain attacks. There is a growing wave of packages posing as legitimate ones, using typosquatting and masquerading."
"The impact of sophisticated multi-layer campaigns designed to circumvent traditional security and steal sensitive data underscores the importance of having visibility across the software supply chain, with strict automated scanning and a single source of truth for all software components."