We Hacked Multi-Billion $ Companies in 30 Minutes with a VSCode Extension
medium.com

In 30 minutes, we developed and published a Visual Studio Code extension that changed IDE colors while leaking source code to a remote server. This experiment exposed massive security issues in one of the most popular IDEs in the world with tens of millions of users.
Here’s how we did it:
1. Built the extension: Created a copycat of the popular “Dracula Official” theme.
2. Established credibility: With $5 and leveraging amazing loopholes in the VSCode Marketplace.
3. Inserted “malicious” code: Each time a document was opened, a beacon was sent to our server.
4. Published and observed: Within minutes, we had our first victim. A day later, we were trending with over 1000 installs. Eventually, we infiltrated several multi-billion-dollar companies, a huge cybersecurity company, and even a country’s justice court (responsible disclosure was completed).
The ease of this process and the rapid adoption by unsuspecting developers highlights a critical security threat for organizations. If we could do this in 30 minutes, imagine what a motivated threat actor could achieve.
This experiment was a wake-up call, revealing the high-risk potential of VSCode extensions. Our full story and findings are detailed in our latest blog post. Read about our journey, the eye-opening statistics, and the urgent need for better security measures by Microsoft.
Read the full research post and stay tuned for our follow-up blog posts exposing malicious extensions and how to protect your development environment.
---
Note: No one was harmed during this experiment; we’ve contacted all affected companies to remediate the issue.
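A defender-side check for the pattern the post describes (a colour theme that also ships JavaScript and activates whenever documents are opened): the script below audits locally installed VS Code extensions and flags theme packages that declare executable code, broad activation events, or network-call patterns. This is an added example, not the researchers' code or anything from the marketplace; it assumes the default extension directory `~/.vscode/extensions` and uses the real manifest fields `main`, `browser`, `activationEvents` and `contributes.themes`.

```python
"""Audit installed VS Code extensions for theme packages that also carry code.
Added example; assumes the default extension directory ~/.vscode/extensions."""
import json
import re
from pathlib import Path
from typing import Dict, List, Optional

# Activation events that run an extension's code almost unconditionally
# (real VS Code manifest values); a pure colour theme needs none of them.
BROAD_ACTIVATION = {"*", "onStartupFinished"}
# Crude hint for outbound traffic in bundled JavaScript (constructed pattern).
NETWORK_HINT = re.compile(r"(https?://|fetch\(|require\(['\"]https?['\"]\))")


def audit_manifest(manifest: dict, sources: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings for one extension manifest (package.json as a dict).
    `sources` optionally maps file names to JavaScript text to scan."""
    findings: List[str] = []
    contributes = manifest.get("contributes") or {}
    is_theme = bool(contributes.get("themes"))
    has_code = bool(manifest.get("main") or manifest.get("browser"))
    events = set(manifest.get("activationEvents") or [])
    if is_theme and has_code:
        findings.append("theme extension ships executable code (main/browser set)")
    broad = events & BROAD_ACTIVATION
    if broad:
        findings.append(f"broad activation: {sorted(broad)}")
    if is_theme and any(e.startswith("onLanguage") for e in events):
        findings.append("theme activates on document language events")
    for name, text in (sources or {}).items():
        if NETWORK_HINT.search(text):
            findings.append(f"network call pattern in {name}")
    return findings


def audit_directory(root: Path = Path.home() / ".vscode" / "extensions") -> Dict[str, List[str]]:
    """Scan every extension folder under `root`; returns {folder: findings}."""
    report: Dict[str, List[str]] = {}
    for pkg in root.glob("*/package.json"):
        try:
            manifest = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, not fatal
        sources = {p.name: p.read_text(encoding="utf-8", errors="ignore")
                   for p in pkg.parent.rglob("*.js") if p.stat().st_size < 2_000_000}
        findings = audit_manifest(manifest, sources)
        if findings:
            report[pkg.parent.name] = findings
    return report


if __name__ == "__main__":
    for ext, issues in audit_directory().items():
        print(ext, *issues, sep="\n  ")
```

A finding is a prompt for manual review of the extension's bundled JavaScript, not proof of malice; bundled dependencies commonly contain URLs.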
This is a very well done attack. Enjoyed reading about your efforts to gain community credibility. You rapidly transformed this from a small number of victims into an epidemic.
I'm surprised that VSCode extensions don't have a permissions system (e.g. "Request network access").