• Kuinox@lemmy.world
    link
    fedilink
    arrow-up
    2
    arrow-down
    5
    ·
    5 months ago

    They made themselves the extensions.
    If you are talking about the other reverse shell, it hit a local IP address.

    • kinttach@lemm.ee
      link
      fedilink
      English
      arrow-up
      4
      ·
      5 months ago

      True, it’s a private (not local) IP. It could easily have connected to a remote system, as their proof-of-concept did.

      This code execs cmd.exe and pipes output to and from a hardcoded IP. That’s pretty weird. What’s running on that IP? How does the extension know something is there?

      It looks like VS Code has no review — human or automated — or enforced entitlement system that would have stopped this or at least had someone verify it was legit.

      • Kuinox@lemmy.world
        link
        fedilink
        arrow-up
        1
        arrow-down
        3
        ·
        5 months ago

        Thing is, tons of code extensions have an RCE in one form or another, but they always hit a localhost, or configurable IP. How do there automated analysis did any difference ?
        Tons of extensions summon the cmd to summon the language devtools, their automated analysis flagged tons of package and they infer millions of infeections from that.