Can developers trust extensions downloaded for Microsoft’s popular Visual Studio Code editor? Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them.

Some extensions may already have taken advantage of this, Aqua security researcher Ilay Goldman wrote in a January 6 blog post. It can be challenging to distinguish between malicious and benign extensions, and the lack of sandbox capabilities means that extensions could install ransomware, wipers, and other malicious code, Goldman wrote. A user’s code also could be accessed.

To read this article in full, please click here