TH16701
Detected presence of development extensions that perform unusual actions.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
 | fail | high | high | 1 | tampering: fail Reason: dangerous develop extensions |
About the issueโ
Development extensions are commonly used by software developers to extend the functionality of integrated development environments, code editors, and other developer tools. Extensions are typically distributed through public marketplaces as packages that bundle the extension code with supporting resources. Development extension code implements behaviors that integrate it with the host application. This integration allows extensions to register commands, react to editor events, or provide programming language support. Extension code is loaded and executed automatically by the host application during events such as editor startup, file opening, or user interaction. These events are used by extension developers to set up the environment for nominal extension use, or to respond to activity within the host application. However, extensions are commonly abused by threat actors to execute arbitrary commands within the development environment. It was detected that the extension code could execute commands that are not typically used by development tools. Such unusual commands resemble common threat actor tactics and are usually obscured by layers of cryptography, code obfuscation, anti-analysis features, and other detection evasion techniques.
How to resolve the issueโ
- Investigate reported detections.
- Consult Mitre ATT&CK documentation: T1176.002 - Software Extensions: IDE Extensions.
- If the development extension intent does not relate to the reported behavior, investigate your development environment for software supply chain compromise.
- You should stop using the development extension until the investigation is completed, or until the issue is risk accepted.
- Consider replacing the development extension with an alternative.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- Linux: 562K
- NPM: 5.12M
- Nuget: 735K
- PS Gallery: 17K
- PyPi: 838K
- RubyGems: 203K
- VS Code: 113K
- Windows: 3.7K
Recommended readingโ
- Software Extensions: IDE Extensions (External resource)