Microsoft's Visual Studio Code Marketplace has been impacted by a vulnerability allowing threat actors to reuse names belonging to extensions that have already been removed from the repository, The Hacker News reports.
ReversingLabs researchers identified the loophole after discovering the malicious "ahbanC.shiba" extension, which resembled the previously flagged "ahban.shiba" and "ahban.cychelloworld" extensions that retrieved PowerShell payloads for file encryption and Shiba Inu token extortion. All three extensions were distinguished only by their publisher names, according to ReversingLabs.
Similar recycling of deleted packages' names was also found to be possible in the Python Package Index repository. The finding comes as JFrog researchers reported the distribution of Chrome browser information-stealing malware via eight npm packages.
"Open-source software repositories have become one of the main entry points for attackers as part of supply chain attacks, with growing waves using typosquatting and masquerading, pretending to be legitimate," said JFrog security researcher Guy Korolevski.
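As an added illustration of the defender's side of the name-reuse problem (this is not code from the article, from ReversingLabs or from JFrog), the script below compares the extensions installed on a workstation against a reference list and flags an ID whose extension name matches a reference entry but whose publisher is an exact or near-identical variant, which is the pattern the article describes for "ahbanC.shiba" versus "ahban.shiba". The known-bad IDs are the ones named in the article; the "installed" list standing in for `code --list-extensions` output is constructed for the example, and the "ms-python.python" entry is included only as a benign control.

```python
"""Flag installed VS Code extensions whose name reuses that of a known-bad
extension under a different (often lookalike) publisher.

Added illustration, not code from the article or from ReversingLabs. The
known-bad IDs are those named in the article; the "installed" list is a
constructed sample, not real telemetry.
"""

# IDs the article reports as malicious (publisher.name form).
KNOWN_BAD = ["ahban.shiba", "ahban.cychelloworld"]

# Constructed stand-in for the output of `code --list-extensions`,
# which prints one publisher.name ID per line.
SAMPLE_LIST_OUTPUT = """ahbanC.shiba
ms-python.python
ahban.cychelloworld
"""


def parse_list_output(text):
    """Turn `code --list-extensions` output into a list of extension IDs."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def split_id(ext_id):
    """Split 'publisher.name' into lower-cased (publisher, name)."""
    publisher, _, name = ext_id.partition(".")
    return publisher.lower(), name.lower()


def edit_distance(a, b):
    """Levenshtein distance; used to spot near-identical publisher strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(installed, reference, max_publisher_distance=2):
    """Compare installed IDs against a reference list (known-bad, or an
    organisational allowlist) and return (installed_id, reference_id, reason).

    A hit is either an exact ID match or the same extension name published
    under a publisher within `max_publisher_distance` edits of the reference
    publisher, the pattern seen with ahbanC.shiba versus ahban.shiba.
    """
    by_name = {}
    for ref in reference:
        pub, name = split_id(ref)
        by_name.setdefault(name, []).append((pub, ref))

    findings = []
    for ext in installed:
        pub, name = split_id(ext)
        for ref_pub, ref_id in by_name.get(name, []):
            if pub == ref_pub:
                findings.append((ext, ref_id, "exact match"))
            elif edit_distance(pub, ref_pub) <= max_publisher_distance:
                findings.append((ext, ref_id, "same name, lookalike publisher"))
    return findings


if __name__ == "__main__":
    installed = parse_list_output(SAMPLE_LIST_OUTPUT)
    for ext, ref, reason in find_lookalikes(installed, KNOWN_BAD):
        print(f"{ext}: {reason} (reference {ref})")
```

Run against real output by piping `code --list-extensions` into `parse_list_output`; the same function also works with an allowlist of approved extensions as the reference, in which case a "lookalike publisher" hit means a name from the approved list has been taken by a different publisher. The edit-distance threshold of 2 is a starting point; publishers of legitimate forks sometimes differ by more, so tune it against your own extension inventory.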
Supply chain
VS Code vulnerability enables recycling of deleted extensions’ names

(Credit: Postmodern Studio – stock.adobe.com)