| ID | Name |
|---|---|
| T1176.001 | Browser Extensions |
| T1176.002 | IDE Extensions |
Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.[1] IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., Compromise Software Dependencies and Development Tools) or side-loaded directly into the IDE.[2][3]
In addition to installing malicious extensions, adversaries may also leverage benign ones. For example, adversaries may establish persistent SSH tunnels via the use of the VSCode Remote SSH extension (i.e., IDE Tunneling).
Trust is typically established through the installation process; once installed, the malicious extension is loaded and run every time the IDE is launched, giving the adversary persistence without any further user interaction. The extension can then be used to execute arbitrary code, establish a backdoor, mine cryptocurrency, or exfiltrate data.[4]
| ID | Name | Description |
|---|---|---|
| G0129 | Mustang Panda | Mustang Panda has leveraged Visual Studio Code's (VSCode) embedded reverse shell feature using the command |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones. |
| M1038 | Execution Prevention | Set an IDE extension allow or deny list as appropriate for your security policy. |
| M1033 | Limit Software Installation | Only install IDE extensions from trusted sources that can be verified. |
| M1051 | Update Software | Ensure operating systems and IDEs are using the most current version. |
| M1017 | User Training | Train users to minimize IDE extension use, and to only install trusted extensions. |
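The Audit and Execution Prevention mitigations above amount to one check: enumerate what is actually installed and compare it to policy. The following is an added example, not part of this ATT&CK page and not code from any IDE vendor. It walks a VS Code-style extensions directory (each extension lives in a `<publisher>.<name>-<version>` folder with a `package.json`), flags anything not on an allow list, and calls out two things a plain name comparison misses: identifiers that are a near-miss of an allowed one (masquerading) and extensions whose `activationEvents` contain `*`, meaning they run on every IDE launch. The allow list, the extension names and the fixture directory are constructed for the demo.

```python
import difflib
import json
import tempfile
from pathlib import Path

# Hypothetical organisational allow list of (publisher, name) pairs; replace with your own policy.
ALLOWLIST = {
    ("ms-python", "python"),
    ("ms-vscode-remote", "remote-ssh"),
    ("redhat", "vscode-yaml"),
}


def load_manifests(ext_root):
    """Read package.json from each <publisher>.<name>-<version> folder under an extensions root.
    VS Code lays out installed extensions this way (~/.vscode/extensions on Linux/macOS,
    %USERPROFILE%\\.vscode\\extensions on Windows)."""
    found = []
    for folder in sorted(Path(ext_root).iterdir()):
        manifest = folder / "package.json"
        if not manifest.is_file():
            continue
        meta = json.loads(manifest.read_text())
        found.append({
            "folder": folder.name,
            "publisher": str(meta.get("publisher", "")).lower(),
            "name": str(meta.get("name", "")).lower(),
            "version": str(meta.get("version", "")),
            "activation": meta.get("activationEvents", []),
        })
    return found


def audit(ext_root, allowlist=ALLOWLIST, cutoff=0.85):
    """Return one finding per installed extension that is not on the allow list.
    A lookalike of an allowed identifier (typo-squatted publisher or name) is named
    explicitly, as is an extension that activates on every IDE launch ('*')."""
    allowed_ids = [f"{p}.{n}" for p, n in allowlist]
    findings = []
    for ext in load_manifests(ext_root):
        if (ext["publisher"], ext["name"]) in allowlist:
            continue
        ext_id = f'{ext["publisher"]}.{ext["name"]}'
        close = difflib.get_close_matches(ext_id, allowed_ids, n=1, cutoff=cutoff)
        reason = f"lookalike of allowlisted {close[0]}" if close else "not on allowlist"
        if "*" in ext["activation"]:
            reason += "; activates on every IDE launch"
        findings.append({"id": ext_id, "version": ext["version"],
                         "folder": ext["folder"], "reason": reason})
    return findings


def build_fixture():
    """Constructed extensions tree for the demo; these are not real extensions."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    manifests = {
        "ms-python.python-2024.0.1": {
            "publisher": "ms-python", "name": "python", "version": "2024.0.1",
            "activationEvents": ["onLanguage:python"]},
        # publisher one letter off from the allowed one, and it activates on every start
        "ms-pythons.python-2024.0.1": {
            "publisher": "ms-pythons", "name": "python", "version": "2024.0.1",
            "activationEvents": ["*"]},
        "acme.build-helper-0.0.1": {
            "publisher": "acme", "name": "build-helper", "version": "0.0.1",
            "activationEvents": ["*"]},
    }
    for folder, manifest in manifests.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    for finding in audit(build_fixture()):
        print(f'{finding["id"]}@{finding["version"]} ({finding["folder"]}): {finding["reason"]}')
```

Pointing `audit()` at a real profile (`~/.vscode/extensions`) gives you the on-disk truth; cross-check it against `code --list-extensions --show-versions`, whose `publisher.name@version` lines should match one folder each. A folder with no matching CLI entry, or an entry with no folder, is worth a look, because side-loaded or hand-copied extensions do not always go through the normal registration path.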
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0561 | Detect malicious IDE extension install/usage and IDE tunneling | AN1548 | Adversary installs or side-loads an IDE extension (VS Code, IntelliJ/JetBrains, Eclipse) or enables IDE tunneling. Chain: (1) IDE binary starts on a non-developer endpoint or server, often with install/force/tunnel flags → (2) extension files/registrations appear under user profile → (3) browser/IDE initiates outbound connections to extension marketplaces, update endpoints, or IDE remote/tunnel services → (4) optional child tools (ssh, node, powershell) execute under the IDE context. |
| | | AN1549 | Adversary installs or abuses IDE extensions via CLI or direct write to profile directories and then communicates with marketplaces or remote tunnel services. Chain: auditd execve (code/idea/eclipse) with install/update flags or writes under ~/.vscode/extensions, ~/.config/JetBrains → outbound flows to .visualstudio.com, marketplace.visualstudio.com, .jetbrains.com, githubusercontent.com, or SSH/WebSocket tunnel endpoints → optional ssh/node processes spawned by IDE. |
| | | AN1550 | Adversary adds IDE extensions or plugins (VS Code, JetBrains Toolbox/EAP, Eclipse) via GUI or CLI, possibly via managed profiles. Chain: process start with install/update flags → plist/extension folder changes under ~/Library/Application Support/Code or ~/Library/Application Support/JetBrains → outbound connections to marketplaces/tunnel services → optional helper (ssh/node) spawned. |
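The three analytics describe the same four-stage chain on different platforms. What follows is an added example of how that chain can be correlated, not code from ATT&CK or from any detection product: each normalized endpoint event (process start, file write, network flow) is mapped to a stage using the binaries, flags, paths and domains the analytics list, stages are grouped per host inside a time window, and an alert fires when enough of the chain is present. The threshold is deliberately different for developer workstations and everything else, because "IDE installs an extension and talks to the marketplace" is routine on a developer box but not on a build server, which is the point AN1548 makes with "non-developer endpoint or server". The host list, the event schema and the sample events are constructed for the demo; the VS Code flags `--install-extension`, `--force` and the `tunnel` subcommand are real CLI arguments.

```python
import re
from collections import defaultdict

# Constructed for the demo: endpoints where IDE use is expected. Any other host is treated
# as a server or non-developer endpoint, where the chain becomes suspicious sooner.
DEVELOPER_HOSTS = {"dev-laptop-7"}

IDE_BINARIES = {"code", "code.exe", "code-insiders", "idea", "idea.sh", "idea64.exe",
                "eclipse", "eclipse.exe"}
# --install-extension / --force are VS Code CLI flags; `tunnel` is the VS Code tunnel subcommand
INSTALL_OR_TUNNEL_ARGS = {"--install-extension", "--force", "tunnel"}
# Extension/plugin locations named by AN1549 (Linux) and AN1550 (macOS), plus the Windows profile path
EXT_DIR_RE = re.compile(
    r"\.vscode[/\\]extensions[/\\]"
    r"|\.config[/\\]JetBrains[/\\]"
    r"|Library[/\\]Application Support[/\\](Code|JetBrains)[/\\]")
EGRESS_SUFFIXES = (".visualstudio.com", ".jetbrains.com", "githubusercontent.com")
CHILD_TOOLS = {"ssh", "ssh.exe", "node", "node.exe", "powershell.exe", "pwsh", "pwsh.exe"}


def basename(path):
    return re.split(r"[/\\]", path)[-1].lower()


def stage_of(ev):
    """Map one normalized endpoint event to a stage of the DET0561 chain, or None.
    Stage names are prefixed with their number so sorting them yields chain order."""
    if ev["kind"] == "process":
        image = basename(ev["image"])
        argv = set(ev["cmdline"].split())
        if image in IDE_BINARIES and argv & INSTALL_OR_TUNNEL_ARGS:
            return "1_ide_install_or_tunnel"
        if image in CHILD_TOOLS and basename(ev.get("parent_image", "")) in IDE_BINARIES:
            return "4_ide_child_tool"
    elif ev["kind"] == "file" and EXT_DIR_RE.search(ev["path"]):
        return "2_extension_write"
    elif ev["kind"] == "net" and ev["dest"].lower().endswith(EGRESS_SUFFIXES):
        return "3_marketplace_or_tunnel_egress"
    return None


def correlate(events, window=600):
    """Per host, record the earliest time each stage was seen, then alert when enough of the
    chain falls within `window` seconds of the IDE start. Developer workstations need the full
    four-stage chain; any other host alerts on two stages."""
    first_seen = defaultdict(dict)  # host -> stage -> earliest ts (epoch seconds)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen = first_seen[ev["host"]]
            seen[stage] = min(seen.get(stage, ev["ts"]), ev["ts"])
    alerts = []
    for host, stages in first_seen.items():
        t0 = stages.get("1_ide_install_or_tunnel")
        if t0 is None:
            continue  # the chain starts with the IDE binary; nothing to correlate otherwise
        hits = sorted(s for s, t in stages.items() if t0 <= t <= t0 + window)
        is_dev = host in DEVELOPER_HOSTS
        if len(hits) >= (4 if is_dev else 2):
            alerts.append({"host": host, "stages": hits,
                           "severity": "medium" if is_dev else "high"})
    return alerts


# Constructed sample telemetry: a CI server showing the whole chain, and a developer laptop
# doing a normal extension install. Neither is real data.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "build-srv-01", "kind": "process",
     "image": r"C:\Users\svc\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe --install-extension publisher.helper-0.1.0.vsix --force",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": 1005, "host": "build-srv-01", "kind": "file",
     "path": r"C:\Users\svc\.vscode\extensions\publisher.helper-0.1.0\extension.js"},
    {"ts": 1010, "host": "build-srv-01", "kind": "net", "dest": "marketplace.visualstudio.com"},
    {"ts": 1030, "host": "build-srv-01", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c whoami",
     "parent_image": r"C:\Users\svc\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"ts": 2000, "host": "dev-laptop-7", "kind": "process", "image": "/usr/bin/code",
     "cmdline": "code --install-extension ms-python.python", "parent_image": "/bin/bash"},
    {"ts": 2003, "host": "dev-laptop-7", "kind": "net", "dest": "marketplace.visualstudio.com"},
    {"ts": 2004, "host": "dev-laptop-7", "kind": "file",
     "path": "/home/dev/.vscode/extensions/ms-python.python-2024.0.1/package.json"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the build server alerts: it shows all four stages within thirty seconds, and IDE activity is not expected there at all. The laptop shows three stages but no IDE-spawned tool, which is what a developer installing an extension looks like. In a real pipeline the event dictionaries would come from your EDR or auditd normalization layer, and the host classification from your asset inventory rather than a hard-coded set.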