• @Kuinox@lemmy.world
      link
      fedilink
      -37 months ago

      They made themselves the extensions.
      If you are talking about the other reverse shell, it hit a local IP address.

      • @kinttach@lemm.ee
        link
        fedilink
        English
        47 months ago

        True, it’s a private (not local) IP. It could easily have connected to a remote system, as their proof-of-concept did.

        This code execs cmd.exe and pipes output to and from a hardcoded IP. That’s pretty weird. What’s running on that IP? How does the extension know something is there?

        It looks like VS Code has no review — human or automated — or enforced entitlement system that would have stopped this or at least had someone verify it was legit.

        • @Kuinox@lemmy.world
          link
          fedilink
          -27 months ago

          Thing is, tons of code extensions have an RCE in one form or another, but they always hit a localhost, or configurable IP. How do there automated analysis did any difference ?
          Tons of extensions summon the cmd to summon the language devtools, their automated analysis flagged tons of package and they infer millions of infeections from that.