A new playground: Malicious campaigns proliferate from VSCode to npm

Category	Details
Threat Actors	Likely a group targeting developers and the cryptocurrency ecosystem.
Campaign Overview	Malicious extensions and npm packages are being leveraged to target IDEs (like VSCode) and dependencies in development cycles.
Target Regions	Developers using npm and VSCode, with focus on crypto communities; domains suggest targeting Latin America (.lat) and Russia (.ru).
Methodology	Malicious npm packages and VSCode extensions were introduced with obfuscated downloader code, fabricated reviews, and inflated install counts to appear credible.
Product Targeted	VSCode IDE, npm packages, and Node.js applications.
Malware Reference	Obfuscated JavaScript downloader; second-stage payloads downloaded from domains like hxxps[:]//microsoft-visualstudiocode[.]com and hxxps[:]//captchacdn[.]com.
Tools Used	JavaScript Obfuscator for code obfuscation; malicious npm packages and VSCode extensions for delivery.
Vulnerabilities Exploited	No specific CVE mentioned; compromise likely through malicious publishing of extensions and dependencies.
TTPs	- Obfuscated code in legitimate-looking packages - Use of fake reviews and inflated download stats - Second-stage payloads downloaded from malicious domains
Attribution	Not explicitly named; evidence suggests consistent methods, indicating organized actors or groups.
Recommendations	- Preapprove, validate, and scan all IDE plugins and dependencies - Perform regular security assessments - Monitor for malicious inclusion in repositories - Use platforms like RL’s Spectra Assure.
Source	Reversinglabs

Read full article: https://www.reversinglabs.com/blog/a-new-playground-malicious-campaigns-proliferate-from-vscode-to-npm

The above summary has been generated by an AI language model