Trojan Coin Miner found in VSCode cache #75083
Comments
Hi @RevoluPowered, it appears to be related to this post https://code.visualstudio.com/blogs/2018/11/26/event-stream. Looking closer, based on the reported extensions in that post, I see Also look for the other 3 extensions too, because that's an old post, and some of the extensions may not be listed. Better yet, uninstall any extension(s) until it has been fixed. Hope this helps.
@RevoluPowered, as @alefragnani suggests, please uninstall vscode-pdf. @auchenberg, can you do another scan of the extensions?
In future, I would expect the extensions which are released and distributed in the application to be automatically scanned before they can make it onto a machine, through an approval process. In my opinion it's standard practice to scan anything you distribute using a tool like VS Code before allowing an extension publisher to push out potentially malicious code to users. Please can you look into this, as it can be mitigated in future if the VS Code extensions are scanned before they can be pushed to machines. 370,000 installs could have that coin miner; the issue is with the security model adopted for extensions, and I believe it needs to be looked into.
Also, what if someone does this to a C/C++ extension and it distributes something worse than just a coin miner?
It looks like this was raised when the extension was removed by MS, but the extension may have just been re-published as-is? tomoki1207/vscode-pdfviewer#33
Right now extensions have full access to your machine - I think you should treat them like downloading any random executable code from the internet - don't do it if you don't trust the author. There's an issue at #52116 asking for sandboxing of extensions, but I suspect it's a big job (and for things like language servers/debuggers it's likely they'll always need full access).
@DanTup I agree, but I think we do need stronger measures to prevent this kind of thing in future.
I don't disagree, I was just saying how it is today (and I linked an issue that is also requesting something in this area - though I've no idea whether it's feasible or likely to happen).
Ah okay, yeah, it would be neat if this was implemented. I think it will be a good proactive measure to prevent it happening in future. Yeah, I don't know either if they will implement this, but it might save them a headache in the future.
I cannot reproduce this and I've verified that the pdf viewer extension has version Extensions are virus scanned when they are published to the Marketplace. |
I have just confirmed that the version has not changed since I posted this reply and the infection doesn't seem to be caused by that extension. What else could be the cause of the cache containing the bitcoin miner? |
The folder name has "cache" in it - could it just be old unused stuff? (I've no idea how to verify that, or if it's safe to remove it though..)
The local/code/cache is generated by Electron when it loads up - it's spit out by the Chromium framework. It is unlikely to be unused stuff; more likely it was loaded at some point by Electron and not thrown away.
Will be closing this after a full scan completes as this is not part of the most recent update with the same extensions. |
Steps to Reproduce:
Install plugins below:
Scan your user folder with windows defender.
C:\Users\<myuser>\AppData\Roaming\Code
Does this issue occur when all extensions are disabled?: Yes, I physically have to delete the cache folder.
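The steps above scan `%APPDATA%\Code` (user data and the Electron cache), but the extensions themselves are installed under `~/.vscode/extensions`, so an antivirus hit in the cache does not tell you which extension, or which npm package bundled inside an extension, brought the payload in. The script below is an added example, not code from this issue or from VS Code: it inventories each installed extension from its `package.json`, walks the `node_modules` trees the extension ships with, and flags any bundled package that matches a denylist. The denylist contents (`evil-helper` 0.0.2) and the sample extension tree it builds in a temporary directory are constructed placeholders; replace the denylist with the package names from the event-stream advisory or your own intel before running it against a real install.

```python
"""Inventory VS Code extensions and the npm packages they bundle, and flag
matches against a denylist.  Added example; not part of the issue or VS Code."""
import json
import os
import tempfile
from pathlib import Path

# Placeholder denylist of (package name, version) pairs.  "evil-helper" is an
# assumed name used only for the demo; fill this from a real advisory.
DENYLIST = {("evil-helper", "0.0.2")}


def default_extensions_dir() -> Path:
    # VS Code installs extensions under ~/.vscode/extensions on every platform
    # (on Windows that is %USERPROFILE%\.vscode\extensions, not %APPDATA%\Code).
    return Path.home() / ".vscode" / "extensions"


def read_package_json(path: Path):
    """Return the parsed package.json at `path`, or None if unreadable/invalid."""
    try:
        with open(path, "r", encoding="utf-8") as f:
            return json.load(f)
    except (OSError, ValueError):
        return None


def bundled_packages(ext_dir: Path):
    """Return (name, version) for every package.json found under a node_modules
    directory inside the extension, including nested transitive dependencies."""
    found = []
    for root, _dirs, files in os.walk(ext_dir):
        rel_parts = Path(root).relative_to(ext_dir).parts
        if "package.json" in files and "node_modules" in rel_parts:
            meta = read_package_json(Path(root) / "package.json")
            if meta and "name" in meta:
                found.append((meta["name"], str(meta.get("version", ""))))
    return found


def inventory(extensions_dir):
    """Build a report for each extension directory: identity, version, number
    of bundled npm packages, and which bundled packages hit the denylist."""
    report = []
    for ext in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        meta = read_package_json(ext / "package.json")
        if not meta:
            continue  # not an extension (e.g. .obsolete marker files)
        ident = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}"
        deps = bundled_packages(ext)
        hits = sorted(set(deps) & DENYLIST)
        report.append({
            "id": ident,
            "version": meta.get("version"),
            "dir": ext.name,
            "bundled": len(deps),
            "denylisted": hits,
        })
    return report


def build_sample_tree(base: Path) -> Path:
    """Construct a fake extensions folder for the demo (constructed data,
    not a real install): one clean extension and one that transitively
    bundles the denylisted package."""
    def write(path: Path, obj):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(obj), encoding="utf-8")

    clean = base / "alice.clean-ext-1.0.0"
    write(clean / "package.json", {"publisher": "alice", "name": "clean-ext", "version": "1.0.0"})
    write(clean / "node_modules" / "left-pad" / "package.json", {"name": "left-pad", "version": "1.3.0"})

    bad = base / "bob.bad-ext-2.1.0"
    write(bad / "package.json", {"publisher": "bob", "name": "bad-ext", "version": "2.1.0"})
    write(bad / "node_modules" / "some-lib" / "package.json", {"name": "some-lib", "version": "4.0.0"})
    write(bad / "node_modules" / "some-lib" / "node_modules" / "evil-helper" / "package.json",
          {"name": "evil-helper", "version": "0.0.2"})
    return base


def demo():
    """Run the inventory over the constructed sample tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    target = default_extensions_dir()
    rows = inventory(target) if target.is_dir() else demo()
    for row in rows:
        flag = "DENYLISTED " if row["denylisted"] else ""
        print(f"{flag}{row['id']} {row['version']} ({row['bundled']} bundled packages) {row['denylisted']}")
```

Versions matter here: the thread's own uncertainty about whether vscode-pdf was re-published unchanged is exactly the case where recording each extension's `version` and bundled package versions on a known-good day, then diffing the report after an incident, answers the question.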