Software Extensions: IDE Extensions

ID Name
T1176.001 Browser Extensions
T1176.002 IDE Extensions

Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.[1] IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., Compromise Software Dependencies and Development Tools) or side-loaded directly into the IDE.[2][3]

In addition to installing malicious extensions, adversaries may also leverage benign ones. For example, adversaries may establish persistent SSH tunnels via the use of the VSCode Remote SSH extension (i.e., IDE Tunneling).

Trust is typically established through the installation process; once installed, the malicious extension is run every time that the IDE is launched. The extension can then be used to execute arbitrary code, establish a backdoor, mine cryptocurrency, or exfiltrate data.[4]

ID: T1176.002
Sub-technique of: T1176
Tactic: Persistence
Platforms: Linux, Windows, macOS
Contributors: Fabian Kammel; Kevin Ward; Raghvendra Mishra
Version: 1.0
Created: 30 March 2025
Last Modified: 15 April 2025

Mitigations

ID Mitigation Description
M1047 Audit

Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones.

M1038 Execution Prevention

Set an IDE extension allow or deny list as appropriate for your security policy.

M1033 Limit Software Installation

Only install IDE extensions from trusted sources that can be verified.

M1051 Update Software

Ensure operating systems and IDEs are using the most current version.

M1017 User Training

Train users to minimize IDE extension use, and to only install trusted extensions.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Flow

Monitor for network traffic directed towards IDE services, such as global.rel.tunnels.api.visualstudio.com, from servers or network zones that should not be communicating with this service.[1]

Analytic 1 - suspicious network connections

sourcetype=zeek:conn_log OR sourcetype=zeek:http_log OR sourcetype=suricata_flow
(host="*.tunnels.api.visualstudio.com" OR host="*.jetbrains.com")
| lookup endpoint_asset_zones ip AS src_ip OUTPUT zone
| where zone="prod" OR zone="non-dev"
| stats count by src_ip, dest_ip, host, uri_path, http_method, zone, _time
| sort -_time

DS0009 Process Process Creation

Monitor for:

- Unexpected launches of IDEs (code.exe, idea64.exe, eclipse, jetbrains-gateway), especially on servers or non-dev endpoints.
- Execution of these binaries with suspicious flags (--install-extension, --force, --disable-extensions).
- Parent processes not commonly associated with developer workflows (e.g., cmd.exe, powershell.exe, or unknown binaries).

Analytic 1 - suspicious process executions

sourcetype=WinEventLog:Sysmon EventCode=1
(Image="*\\code.exe" OR Image="*\\idea64.exe" OR Image="*\\eclipse.exe" OR Image="*\\jetbrains-gateway.exe")
| eval is_unexpected_host=if(like(Computer, "%server%") OR like(Computer, "%prod%"), "yes", "no")
| stats count by Image, CommandLine, ParentImage, User, Computer, is_unexpected_host, _time
| where is_unexpected_host="yes"
| sort -_time
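The Process Creation analytic above checks only the host name. The following added example (not MITRE's code) applies all three indicators from that detection entry, IDE binary on a non-dev host, suspicious install flags, and an unexpected parent process, to constructed Sysmon EventCode=1 records; the parent-process set and the host-name pattern are assumptions that a real deployment would tune to its own environment.

```python
import re

# IDE binaries and flags named in the Process Creation detection above
IDE_BINARIES = {"code.exe", "idea64.exe", "eclipse.exe", "jetbrains-gateway.exe"}
SUSPICIOUS_FLAGS = {"--install-extension", "--force", "--disable-extensions"}
# Parents not normally seen in developer workflows (assumed set for this example)
UNEXPECTED_PARENTS = {"cmd.exe", "powershell.exe"}
# Hostname pattern standing in for the "%server%" / "%prod%" asset check
NON_DEV_HOST = re.compile(r"server|prod", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the reasons an IDE launch looks suspicious; [] means nothing to flag."""
    if basename(event["Image"]) not in IDE_BINARIES:
        return []  # not an IDE launch at all
    reasons = []
    if NON_DEV_HOST.search(event["Computer"]):
        reasons.append("non-dev host")
    flags = SUSPICIOUS_FLAGS.intersection(event["CommandLine"].split())
    if flags:
        reasons.append("suspicious flags: " + " ".join(sorted(flags)))
    parent = basename(event["ParentImage"])
    if parent in UNEXPECTED_PARENTS:
        reasons.append("unexpected parent " + parent)
    return reasons


def find_alerts(events: list) -> list:
    """(Computer, reasons) for every event that scores at least one reason."""
    scored = [(e["Computer"], score_event(e)) for e in events]
    return [(computer, reasons) for computer, reasons in scored if reasons]


# Constructed Sysmon EventCode=1 fields (not real telemetry)
SAMPLE_EVENTS = [
    {"Computer": "DEV-LAPTOP-07", "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "Code.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "PROD-WEB-02", "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "Code.exe --install-extension helper.vsix --force", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "DEV-LAPTOP-11", "Image": r"C:\Program Files\JetBrains\IntelliJ\bin\idea64.exe",
     "CommandLine": "idea64.exe --disable-extensions", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "PROD-DB-01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Running `find_alerts(SAMPLE_EVENTS)` flags the two IDE launches carrying install flags or an unexpected parent, while the plain launch on a developer laptop and the non-IDE process on the production host produce nothing.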

References