Loophole allows threat actors to claim VS Code extension names
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A loophole in VS Code Marketplace allows malicious actors to reuse names of removed extensions. ReversingLabs discovered this vulnerability after finding a malicious extension with the same name as one previously identified. The platform's documentation states that extension names must be unique, but removed extensions' names can be reused. This poses a risk of threat actors publishing malicious extensions under previously legitimate names. The research team conducted experiments to confirm this vulnerability, successfully publishing extensions with names of removed packages. This technique has been observed in other open-source platforms like PyPI. The discovery highlights the increasing popularity of VS Code Marketplace among malicious actors and the need for developers to be vigilant about package security.
OPENCTI LABELS :
open-source,vulnerability,software supply chain,cybersecurity,extension,vs code,loophole,package names
AI COMMENTARY :
1. The recently disclosed loophole in the Visual Studio Code Marketplace exposes a critical threat intelligence insight into how extension name reuse can undermine software supply chain security. Titled “Loophole allows threat actors to claim VS Code extension names,” the report outlines a scenario where malicious actors exploit a gap in the marketplace rules to impersonate legitimate extensions. Developers and security professionals must understand this vulnerability to safeguard their development environments from counterfeit packages.
2. ReversingLabs first uncovered this issue upon encountering a malicious extension cleverly masquerading under the same name as one previously identified and removed. While the Marketplace documentation explicitly requires unique names for published extensions, it fails to prevent the reuse of names once an extension is deleted. This discrepancy allowed threat actors to revive popular package identifiers under their control, leveraging brand recognition to deceive unsuspecting users.
3. At the core of this loophole is the absence of a mechanism preventing the re-registration of extension names that have been removed from the platform. The Marketplace enforces uniqueness at the time of publication but does not track or reserve the names of deprecated or removed extensions. As a result, security checks based solely on the extension name become unreliable once threat actors step in to reclaim those names for malicious purposes.
4. To validate their hypothesis, the research team conducted controlled experiments in the VS Code Marketplace sandbox. By publishing sample extensions that bore the names of previously removed packages, they successfully replicated the attack vector. Each package passed the initial naming validation and appeared in search results under the hijacked names, providing conclusive proof that threat actors could silently replace trusted extensions with harmful alternatives.
5. The ramifications of this vulnerability extend deep into the software supply chain. Developers who install extensions based on name recognition or past reputation may inadvertently introduce malicious code into their projects. Such code can execute arbitrary commands, exfiltrate sensitive data, or establish persistent backdoors. In enterprise scenarios, this level of compromise risks entire development pipelines and downstream applications, amplifying the potential damage.
6. Observations from other open-source ecosystems like PyPI highlight a similar pattern where removed package names are reappropriated to facilitate supply chain attacks. The PyPI community has faced instances where typosquatting and name reuse lured developers into installing counterfeit libraries. The recurrence of this tactic across ecosystems underscores the urgent need for a unified approach to package identity management.
7. Mitigation strategies should involve both platform-level and user-level defenses. Marketplace operators can implement name reservation policies, retaining a blocklist of removed extension identifiers to eliminate the possibility of reuse. Developers must adopt rigorous validation practices, verifying extension publisher signatures, inspecting code changes in updates, and subscribing to official security advisories. Automated tools can further flag suspicious republishing events or version anomalies in their extension management workflows.
8. This discovery serves as a stark reminder that even seemingly innocuous aspects of package management—such as name uniqueness—can harbor significant threat intel value when left unchecked. By shedding light on this loophole, the research encourages the VS Code community to strengthen marketplace governance and all developers to remain vigilant against evolving software supply chain threats.
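The user-level mitigation in point 7 (flagging suspicious republishing events and version anomalies) can be automated against the output of `code --list-extensions --show-versions`, which prints one `publisher.name@version` line per installed extension. The script below is an added example, not code from the report or from ReversingLabs: it keys the audit on the bare extension name, which is exactly the identifier the loophole lets an attacker reclaim, and compares the current inventory against a pinned baseline and a list of names known to have been removed. All extension names, publishers and versions in it are constructed sample data.

```python
import re
from typing import Dict, List, Set, Tuple

# One line of `code --list-extensions --show-versions`: publisher.name@version
_LINE = re.compile(r"^(?P<publisher>[\w-]+)\.(?P<name>[\w-]+)@(?P<version>\d+(?:\.\d+)*)$")

Inventory = Dict[str, Tuple[str, str]]  # name -> (publisher, version)


def parse_inventory(text: str) -> Inventory:
    """Index installed extensions by bare name (not publisher.name), because
    name reuse is what the audit must catch. Malformed lines are skipped."""
    inv: Inventory = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            inv[m["name"]] = (m["publisher"], m["version"])
    return inv


def _vtuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def audit(baseline: Inventory, current: Inventory, removed_names: Set[str]) -> List[str]:
    """Return one finding per anomaly: a name known to have been removed from the
    Marketplace, a name missing from the approved baseline, a publisher change
    behind an unchanged name, or a version that went backwards."""
    findings: List[str] = []
    for name, (pub, ver) in current.items():
        if name in removed_names:
            findings.append(f"{name}: name of a removed extension, now published by {pub}")
        if name not in baseline:
            findings.append(f"{name}: not in approved baseline (publisher {pub})")
            continue
        base_pub, base_ver = baseline[name]
        if pub != base_pub:
            findings.append(f"{name}: publisher changed {base_pub} -> {pub}")
        if _vtuple(ver) < _vtuple(base_ver):
            findings.append(f"{name}: version regressed {base_ver} -> {ver}")
    return findings


# Constructed sample data: a pinned baseline, a later snapshot of the same
# machine, and names the team knows were removed from the Marketplace.
BASELINE = "acme-tools.linter@3.0.2\nexample-publisher.good-helper@1.2.0\n"
CURRENT = "acme-tools.linter@3.0.2\nother-publisher.good-helper@1.2.1\nsomeone.revived-tool@0.1.0\n"
REMOVED = {"revived-tool"}


def run_example() -> List[str]:
    return audit(parse_inventory(BASELINE), parse_inventory(CURRENT), REMOVED)
```

In practice the baseline is the inventory reviewed and committed alongside the project, and the removed-name list is sourced from the team's own advisory tracking; the output of `run_example()` flags `good-helper` (same name, new publisher) and `revived-tool` (removed name reappearing) while leaving `linter` untouched.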