Verified symbols can be faked
Once thought to be a reliable indicator of trust, the blue ‘check’ icon next to an extension’s name can now be spoofed. Attackers can replicate verification tokens, essentially bypassing identity checks, and inject rogue code while preserving the verified badge.
“We analyzed the traffic performed by VSCode and discovered a request to marketplace.visualstudio.com that allows the server to determine whether an extension is verified,” researchers said, adding that they found where the verification data is stored and figured out how to modify it.
Using this, they built a malicious extension that copied the verification values of a trusted one, making it appear legitimate. Packaged as a VSIX file, the crafted extension ran commands like opening the calculator and could be shared on platforms like GitHub, where developers might unknowingly install it.
Malicious VSCode extensions are already a reality as similar threats emerged in the VSCode marketplace recently, where false tools downloaded crypto miners or other malware by abusing their trusted status.
