True, it’s a private (not local) IP. It could easily have connected to a remote system, as their proof-of-concept did.
This code execs cmd.exe and pipes output to and from a hardcoded IP. That’s pretty weird. What’s running on that IP? How does the extension know something is there?
It looks like VS Code has no review — human or automated — or enforced entitlement system that would have stopped this or at least had someone verify it was legit.
Thing is, tons of code extensions have an RCE in one form or another, but they always hit a localhost, or configurable IP.
How do there automated analysis did any difference ?
Tons of extensions summon the cmd to summon the language devtools, their automated analysis flagged tons of package and they infer millions of infeections from that.
True, it’s a private (not local) IP. It could easily have connected to a remote system, as their proof-of-concept did.
This code execs
cmd.exe
and pipes output to and from a hardcoded IP. That’s pretty weird. What’s running on that IP? How does the extension know something is there?It looks like VS Code has no review — human or automated — or enforced entitlement system that would have stopped this or at least had someone verify it was legit.
Thing is, tons of code extensions have an RCE in one form or another, but they always hit a localhost, or configurable IP. How do there automated analysis did any difference ?
Tons of extensions summon the cmd to summon the language devtools, their automated analysis flagged tons of package and they infer millions of infeections from that.
Since I read this I can’t stop picturing you as Peter Lorre lmao.
Damn now I noticed i did tons of mistake/types there ^^'.
Lol it was just one of those things where I read it in his voice for that word.