Malicious VSCode Marketplace extensions hid trojan in fake PNG file

Posted by speckx 15 hours ago


Comments

Comment by peacebeard 14 hours ago

> Because threat actors find new ways to evade detection on public repositories used for software development, it is recommended that users inspect packages before installation, especially when the source is not a reputable publisher.

Serious question: what is realistically meant by "inspect packages before installation" here? I assume they don't mean "review all the code in the packaged node_modules to find any trojans." Maybe "don't install plugins with packaged dependencies" but I'm not sure how common it is in this context.

My takeaway will just be "continue to use the default VSCode theme."

Comment by trinsic2 11 hours ago

I thought image files don't act as executables?

Comment by butvacuum 10 hours ago

A "corrupted" PNG brings less suspicion, and triggers fewer heuristics than a long chunk of Base64.

And that's assuming they didn't encode it into a valid PNG.
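A defender's check for the point trinsic2 and butvacuum raise: an image file cannot execute, but it can carry bytes, and a file that merely claims to be a PNG can be tested for whether it actually parses as one. This is an added example, not code from the article or from any commenter; it validates the PNG signature, each chunk's CRC-32 and the IEND terminator, and reports bytes appended after IEND (a simple place to stash a blob that no image decoder will ever read). The sample PNG is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def check_png(data: bytes) -> list:
    """Return findings for bytes that claim to be a PNG; [] means it parses cleanly."""
    if not data.startswith(PNG_SIGNATURE):
        return ["no PNG signature: not a PNG at all"]
    findings, pos, first, saw_iend = [], len(PNG_SIGNATURE), True, False
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body_end = pos + 8 + length
        if body_end + 4 > len(data):  # length field points past the end of the file
            return findings + [f"truncated chunk {ctype!r} at offset {pos}"]
        body = data[pos + 8:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) != crc:  # body altered after the CRC was written
            findings.append(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        if first and ctype != b"IHDR":
            findings.append("first chunk is not IHDR")
        first, pos = False, body_end + 4
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append("no IEND chunk: truncated or not really a PNG")
    elif pos < len(data):  # decoders stop at IEND, so bytes here are never rendered
        findings.append(f"{len(data) - pos} bytes of trailing data after IEND")
    return findings

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one chunk: big-endian length, type, body, CRC-32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG (not taken from the article)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte 0 + one gray pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

if __name__ == "__main__":
    print(check_png(minimal_png()))                        # []
    print(check_png(minimal_png() + b"not image data"))    # flags trailing data after IEND
    print(check_png(PNG_SIGNATURE + b"\x00" * 6))          # flags the missing IEND chunk
```

As butvacuum's second line points out, a payload packed into a structurally valid PNG (for example inside an ancillary chunk or the pixel data) passes this check, so treat a clean result as one signal, not a verdict.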