tuckner
@johntuckner.me
Working on finding bad software extensions. More at:
https://secureannex.com
Going to have to reread Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson in order to keep up with the advanced tactics we're starting to see in VS Code extension malware.
4 days ago
Really excited to be supporting crxaminer.tech with some Secure Annex details. Looking forward to more opportunities to get more information on browser extensions out there!
5 days ago
Mackenzie Jackson is raising a red flag about the risks IDE extensions present. Always on top of the top industry trends. Thanks for letting me share a bit!
https://www.youtube.com/watch?app=desktop&v=FiJ_mqkEpsI&pp=0gcJCR4Bo7VqN5tD
6 days ago
The extension was approved, now what? Are you going back tomorrow to see if it changed? You know they auto update instantly, right? Rolling out to Secure Annex - code change alerts. This compares past code with additional context to understand how an extension is changing over time. Catch bad quick!
7 days ago
A brand new unlisted extension with 100,000 users? 41 ratings? Must be really valuable. Nope - completely manipulated stats and it doesn't even contain real code. It exists only to collect your searches and earn Bing Rewards.
10 days ago
We've found code extensions that openly call themselves malware in the VS Code marketplace recently, and now browser extensions posing as known malicious remote access tools in the Chrome Web Store. What gives?
12 days ago
Attracting a lot of fans these days
12 days ago
Did you know you can manage an allowlist of MCP extensions and MCP servers (yes they're different) used by Claude desktop? If you're a Claude Enterprise customer you can configure these settings centrally and roll them out. This is separate from Claude Code though. Are you using this feature?
13 days ago
Powerful new Detections are added to Secure Annex. These are already catching subtle exploits like unicode extension names that evade other filters, manipulated download counts, and combinations of suspicious signatures in code.
14 days ago
Two of these Cursor extensions will compromise your device the second you hit install. Good luck!
15 days ago
Ridiculously cool that Tines is able to connect to MCP servers now. Understand entirely what any of the browser or code extensions you use might actually be doing. Orchestrate your extension review process or check if "Hello Kitty - You Glow Girl Cute Live Wallpaper" is more than what it says.
17 days ago
Ransomware has appeared in the VS Marketplace and makes me worry. Clearly created through AI, it makes many mistakes like including decryption tools in the extension. If this makes it into the marketplace though, what impact would anything more sophisticated cause?
RansomVibing appears in VS Code extensions
Vibe coded ransomware has successfully been published to the VS Code extension marketplace
https://secureannex.com/blog/ransomvibe
19 days ago
reposted by
tuckner
Catalin Cimpanu
21 days ago
-Couple loses fortune to scammers -Valid accounts still rule the day for initial access -Open VSX rotate leaked creds -ZeroAccess botnet dev is now a software dev -BadCandy flourishes in Australia -New Katreus miner -Malware reports on Aura Stealer, SectopRAT, SleepyDuck RAT, OysterLoader
From North Korean tradecraft to being used in Cursor extensions in two weeks. Etherhiding is a technique where malware can use Ethereum contracts as a resilient C2 channel detailed by Google Oct 15th. It is now appearing in code extensions with the first sighting November 1st.
21 days ago
The SleepyDuck code extension malware is an advanced remote access trojan allowing for remote command execution on any endpoint that installs it. Take down the C2 server? It uses an Ethereum contract to update its settings to a new endpoint.
SleepyDuck malware invades Cursor through Open VSX
The advanced SleepyDuck IDE extension RAT uses Ethereum contracts for persistence.
https://secureannex.com/blog/sleepyduck-malware
22 days ago
If you thought you were ahead by using Windsurf... nope! Check out the @secureannex.com extension to protect yourself from malicious extensions right now.
open-vsx.org/extension/se...
24 days ago
Today's edition of pick the right solidity in Cursor. Yes - this IS different than yesterday.
24 days ago
Three malicious solidity extensions were published to Open VSX today. Would you be able to tell which is the real one in Cursor? This repeated behavior has been going on since June and anyone can detect it by just matching against 'solidity'. When will progress be made?
24 days ago
Most of us just want a Pikachu sprite dancing on our code, but threat actors want to spoil the fun. Yesterday five malicious VS Code extensions were published, one a Pokemon theme and syntax highlighter, but it instead disables Windows Defender and installs a cryptominer.
secureannex.com/blog/pokemon...
25 days ago
My first response from VS Marketplace support is requesting additional supporting evidence I have that this listing is malware. If anyone can publish an extension with admittedly malicious intent with no response, what does that do for the health of the marketplace?
28 days ago
The "test malware" made its way into the VS Marketplace easily.
about 1 month ago
🙄🙄🙄
about 1 month ago
New docs available for Secure Annex! A bunch of new integration and setup guides to integrate with your environment.
docs.secureannex.com
about 1 month ago
Dangerous namesquat for Tailwind just published to Open VSX currently. Caught less than an hour after publishing. Tagged and blocked in Secure Annex.
about 1 month ago
reposted by
tuckner
Zack Whittaker
about 1 month ago
New, by me at this.weekinsecurity.com: If you're not using ad blockers, you should be! In this deep-dive blog, I explain why ad blockers are critical for your online security and privacy, what threats ad blockers can help defend against, and we'll explore some of the best ad blockers out there.
Why ad blockers are a top security and privacy defense for everyone
Ad blockers can help defend against some of the top hacks, scams, and surveillance today. Here are some of the best ad blockers that you can use.
https://this.weekinsecurity.com/why-ad-blockers-are-a-top-security-and-privacy-defense-for-everyone/
reposted by
tuckner
Jake Williams
about 1 month ago
None other than @cnn.com serving malware through the ads on its site...
Interesting piece of protestware in the browser extension space. Injects a script that autoplays the Ukrainian national anthem on '.ru' domains.
about 1 month ago
Secure Annex now has a code editor extension to help manage other extensions. One installation will protect VS Code, Cursor, and Windsurf. Any extension known to be malicious/suspicious will be uninstalled immediately from your editors. Get in touch if you're interested!
about 2 months ago
Running statistics comparing when a browser extension is reported malicious/suspicious compared to when it is removed from the Chrome Web Store. Here is the breakdown:
Still active: 68.8%
91-365 days: 19.1%
31-90 days: 5.8%
Same day or 1 day: 2.9%
8-30 days: 2.3%
2-7 days: 1.2%
about 2 months ago
This "Calculator" Chrome extension (60k+ users) markets itself as a simple iOS-style calculator with "basic arithmetic operations" with the ability to "open calculator directly on website pages." Could that be all?
about 2 months ago
The Secure Annex extension is available to protect against other extensions! When an extension is found to be malicious, Secure Annex will prevent it from running. A great option for teams that do not have complete control with managed browsers. If you're interested, get in touch!
about 2 months ago
Integrations are coming to Secure Annex! Easily gather all of the extensions in your environment from any source. Simply send data to an endpoint and pick out the data location. Some preconfigured options include Fleet and LimaCharlie! Get in touch if you want to try it out.
about 2 months ago
I put together a browser extension analysis workshop for ContinuumCon and went over a section of the material live! The material and labs are still available at ContinuumCon or feel free to message if you would like a specialized training!
CC2025 Day 1.4 - Demystifying Browser Extensions
The #cybersecurity conference that "never ends!" full 3 day stream recordings. Access to the conference workshop labs, practical content, and Blue Team Defensive CTF can be accessed for as long as…
https://www.youtube.com/watch?v=hhnmQ1IuEdc
2 months ago
How are folks finding what MCP servers are in use in their organizations? Not just remote ones, but local also. There are a ton of places where they are configured that I've seen even for just something like Claude.
2 months ago
reposted by
tuckner
LP
2 months ago
🚨 Think your browser extensions are harmless? Join @johntuckner.me for @thorcollective.bsky.social and learn how to hunt the dangerous ones before they hunt you: thorcollective.substack.com/p/even-if-ma...
#cybersecurity #infosec #threathunting #thrunting
Even if many plugins are fine, the bad ones are BAD
Sydney recently wrote a great piece about extensions and hunting for IDE plugins.
https://thorcollective.substack.com/p/even-if-many-plugins-are-fine-the
Not subscribed to the THOR Collective Dispatch yet? You might've missed my guest piece on hunting for bad browser extensions. Check if the extension your CFO installed to change text to Comic Sans is also taking screenshots of his Salesforce reports.
dispatch.thorcollective.com/p/even-if-ma...
2 months ago
The Secure Annex extension history graph now shows version, verdict, and availability elements in addition to users. With this you can easily see when a new extension version is released, when it was labeled, and how long it can last in a marketplace before take down.
2 months ago
Salesloft reported that a GitHub compromise triggered their recent incident involving Drift. This has been my leading example of how a malicious browser extension can cause significant damage through capturing and replaying user sessions in GitHub.
Exploring Browser Extensions with John Tuckner
Watch this week's Defender Fridays with John Tuckner, Founder of Secure Annex, as we explore browser extensions and the risks they pose to your organization. Learn, share, and grow alongside…
https://youtu.be/h3vFGv8wxfM?t=444
3 months ago
Developers are now looking for improvements in Open VSX after a string of malicious extensions impersonating real ones were published. The malware has not been taken down after 3+ days. This is impacting the trust in the platform.
3 months ago
Six malicious extensions listed in Cursor and hosted on Open VSX. All are squatting on other packages and are showing above the safe versions they target.
3 months ago
Earlier solidity malware taken down from the Open VSX marketplace. The publisher was supposed to be removed. Different namespace, same publisher with more solidity malware.
open-vsx.org/extension/ki...
3 months ago
Another day, another solidity malware.
open-vsx.org/extension/Ju...
3 months ago
There has been an uptick in very simple extensions published to Firefox which redirect a user to a phishing page looking for wallet credentials when the extension icon is clicked. Many of these pages are hosted on Google Sites. The extensions are removed quickly, but they must be successful.
3 months ago
Insane that this extension published today on the VS marketplace is showing 2.5 million installs, obviously manipulated. A copy of malicious extensions seen in Open VSX. The VS marketplace is no safe haven. VitalikButerin-EthFoundation.blan-co
Solidity - Visual Studio Marketplace
Extension for Visual Studio Code - Solidity language for Ethereum, write smart contracts and more via Solidity
https://marketplace.visualstudio.com/items?itemName=VitalikButerin-EthFoundation.blan-co
3 months ago
DePIN stands for decentralized physical infrastructure networks. They operate through small rewards in exchange for making requests through your browser using extensions. We've identified 13 of these services with almost $100 million of venture capital funding them.
DePIN comes to browser extensions
Browser extensions have become a space for decentralized physical infrastructure (DePIN). How does that impact you?
https://secureannex.com/blog/depin-browser-extensions/
3 months ago
Many extensions override your default search provider, sending your searches to third parties before being redirected back to results. The search of choice is often Bing, which provides rewards for referrals based on added identifiers. What do you think? Harmless or something to keep an eye on?
3 months ago
Checking back in on the 57 hidden tracking extensions with extreme permissions we found in April shows why organizations must act. 10 are still active! 22 were removed a week after reporting and 24 more in the past 2 months. Read about it here:
secureannex.com/blog/searchi...
3 months ago
Did you know Chrome Enterprise Core offers a free way to report on all of the extensions in your managed browsers? Try using its APIs to do regular enrichment of what your users have installed.
Retrieve Extensions from the Chrome Enterprise API
A guide to retrieve installed extensions from the Google Chrome Enterprise API
https://secureannex.com/blog/retrieve-chrome-extensions
3 months ago
Yesterday I found a new set of malicious extensions in Open VSX. They start as "Test extensions" in the marketplace and then update to include new files that execute from a Cloudflare worker. Some IOCs: nomic-foundation.hardhat-solidity g83u[.]pages[.]dev/hjxuw1x[.]txt g83u[.]pages[.]dev/qp5tr4f[.]txt
3 months ago