
Malicious Microsoft VSCode extensions steal passwords, open remote shells

Three malicious extensions in Microsoft's Visual Studio Code (VSCode) Marketplace, downloaded a combined 46,600 times, have been stealing credentials and system information and deploying remote shells on affected machines, BleepingComputer reports. The "Darcula Dark" theme extension, with more than 45,000 installs, purported to improve the consistency of Dracula colors in VSCode but exfiltrated basic system details. The "python-vscode" extension, downloaded 1,384 times despite having no description at all, was a C# shell injector capable of executing code or commands on the victim machine, according to a report from Check Point. The "prettiest java" extension, with 278 downloads, exfiltrated saved credentials and authentication tokens from Google Chrome, Discord and Discord Canary, Yandex, Brave, and Opera. All three extensions were removed from the Marketplace on May 14, but removal from the Marketplace does not uninstall an extension from machines that already have it, so developers who installed any of them have been urged to remove them manually and run full system scans.
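Because a Marketplace takedown leaves already-installed copies in place, the practical check is to look at what is actually installed. VSCode keeps each extension in its own folder under `~/.vscode/extensions` (named `<publisher>.<name>-<version>`), each with a `package.json` manifest. The script below, an added example that is not part of the original article or of either vendor report, walks that directory and flags any manifest whose `name` or `displayName` matches the three display names the article gives. The article does not give the extensions' publisher IDs, so matching is on display name only; the sample extension tree built by `build_demo_dir()` and the publisher `examplepub` in it are constructed for illustration, not real data.

```python
import json
import tempfile
from pathlib import Path

# Display names of the three malicious extensions as reported in the article.
# Compared case-insensitively against each manifest's "name" and "displayName".
# Publisher IDs are not given in the article, so they are not part of the match.
MALICIOUS_DISPLAY_NAMES = {"darcula dark", "python-vscode", "prettiest java"}


def default_extensions_dir() -> Path:
    """VSCode stores extensions as <publisher>.<name>-<version>/ under this directory."""
    return Path.home() / ".vscode" / "extensions"


def find_suspect_extensions(extensions_dir, indicators=MALICIOUS_DISPLAY_NAMES):
    """Return a list of (folder, publisher.name, displayName) for every installed
    extension whose name or displayName matches one of the indicators."""
    hits = []
    root = Path(extensions_dir)
    if not root.is_dir():
        return hits
    for folder in sorted(root.iterdir()):
        manifest = folder / "package.json"
        if not manifest.is_file():
            continue
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # A broken manifest cannot be matched; skip it rather than abort the scan.
            continue
        name = str(meta.get("name", "")).strip().lower()
        display = str(meta.get("displayName", "")).strip().lower()
        if name in indicators or display in indicators:
            ident = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}"
            hits.append((folder.name, ident, str(meta.get("displayName", ""))))
    return hits


def build_demo_dir() -> str:
    """Constructed sample extension tree (hypothetical publisher 'examplepub'):
    one benign theme and one extension whose displayName is 'Darcula Dark'."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "examplepub.nice-theme-1.0.0": {
            "name": "nice-theme", "publisher": "examplepub", "displayName": "Nice Theme",
        },
        "examplepub.darcula-theme-0.0.1": {
            "name": "darcula-theme", "publisher": "examplepub", "displayName": "Darcula Dark",
        },
    }
    for folder, meta in samples.items():
        ext_dir = root / folder
        ext_dir.mkdir()
        (ext_dir / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return str(root)


def demo():
    """Run the scan over the constructed sample tree; returns the list of hits."""
    return find_suspect_extensions(build_demo_dir())


if __name__ == "__main__":
    # Scan the real per-user extensions directory when run directly.
    for folder, ident, display in find_suspect_extensions(default_extensions_dir()):
        print(f"SUSPECT: {folder}  ({ident}, displayName={display!r})")
```

Run it on each developer workstation (the extensions directory is per user, so check every profile on shared machines). A hit only tells you the extension is present; the article's advice to follow removal with a full system scan still applies, since the "python-vscode" and "prettiest java" payloads act beyond the extension folder itself.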
