Visual Studio Code has become the de-facto IDE for millions of developers, and its extension marketplace is now a first-class target for supply-chain compromise. In this talk we move beyond yesterday’s JavaScript-only “theme” backdoors and show how to fuse high-level TypeScript with low-level Rust to create extensions that are indistinguishable from legitimate Microsoft-signed add-ons, yet silently execute native x86_64 shellcode inside the IDE process.

We begin with a data-driven tour of recent in-the-wild incidents: the Material Theme extension with vulnerable dependencies, the “Solidity” extension that stole $500k in crypto from a Russian blockchain developer, and the new self-propagating GlassWorm extension. The rise of AI-centric forks (Cursor, Windsurf, etc.) has also given rise to new extension marketplaces, where a malicious extension can use inflated download counts as perfect camouflage.

Next we deep-dive into the malicious extension toolchain: a Rust FFI bridge that compiles to a native library, exposes a single innocent-looking TypeScript API, and preserves the marketplace’s blue “verified” tick. We demonstrate live how to backdoor a top-10 Microsoft-published extension so that every subsequent update remains functionally identical while the Rust payload executes shellcode, without triggering Windows Defender, AMSI, or the new Extension Host sandbox.

We close with defensive takeaways: IoCs and TTPs to look for, defensive rules that can prevent such attacks, and possible detection vectors. Attendees leave with a fully annotated GitHub repo that walks them through the process of developing such malware, starting with a "hello-world" C++ addon and building up to a stealthy Rust-based shellcode loader backdoored into a popular Microsoft extension.
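One detection vector that follows directly from the toolchain described above is that a TypeScript-plus-Rust backdoor has to ship a native library inside the extension package, and often wires itself in through lifecycle scripts. The scanner below is an added example written for this page, not code from the talk or its repository: it walks a VS Code extensions directory, reads each extension's package.json, and flags any extension that contains a native binary (`.node`, `.dll`, `.so`, `.dylib`) or declares install/uninstall hook scripts. The sample extension folders it builds are constructed in a temp directory for illustration; the heuristic itself is an assumption about what a triage rule could look like, since the talk's own rules are not given here, and native modules do appear in some legitimate extensions, so hits are leads for review, not verdicts.

```python
"""Triage scanner for an installed VS Code extensions directory (hypothetical example).

Flags extensions that bundle native code or register lifecycle hook scripts,
which is where a Rust/N-API shellcode loader would have to live.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# File suffixes that indicate compiled native code shipped inside an extension.
NATIVE_SUFFIXES = {".node", ".dll", ".so", ".dylib"}
# package.json script names that run outside the normal activate() path.
HOOK_SCRIPTS = {"preinstall", "postinstall", "vscode:prepublish", "vscode:uninstall"}


def scan_extension(ext_dir: Path) -> dict:
    """Inspect one extension folder and return its findings."""
    findings = {"name": ext_dir.name, "publisher": None, "native_files": [], "hooks": []}
    manifest = ext_dir / "package.json"
    if manifest.is_file():
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            pkg = {}  # a manifest that does not parse is itself worth a look
        findings["publisher"] = pkg.get("publisher")
        scripts = pkg.get("scripts") or {}
        findings["hooks"] = sorted(k for k in scripts if k in HOOK_SCRIPTS)
    # Recurse through the whole package, including node_modules, since that is
    # where a bridge library is most easily hidden among legitimate dependencies.
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in NATIVE_SUFFIXES:
            findings["native_files"].append(path.relative_to(ext_dir).as_posix())
    findings["native_files"].sort()
    findings["suspicious"] = bool(findings["native_files"] or findings["hooks"])
    return findings


def scan_extensions_root(root: Path) -> list[dict]:
    """Scan every extension folder directly under root (e.g. ~/.vscode/extensions)."""
    return [scan_extension(d) for d in sorted(root.iterdir()) if d.is_dir()]


def build_sample_root() -> Path:
    """Constructed sample extensions directory; these are not real extensions."""
    root = Path(tempfile.mkdtemp(prefix="vsix-scan-"))

    # A benign theme: manifest plus JSON theme files, nothing executable.
    theme = root / "acme.nice-theme-1.0.0"
    (theme / "themes").mkdir(parents=True)
    (theme / "package.json").write_text(json.dumps(
        {"name": "nice-theme", "publisher": "acme", "contributes": {"themes": []}}))
    (theme / "themes" / "dark.json").write_text("{}")

    # An extension that hides a native module under node_modules and registers
    # an uninstall hook; this mirrors the TypeScript-over-native-library layout.
    native = root / "acme.helper-tools-2.3.1"
    release = native / "node_modules" / "bridge" / "build" / "Release"
    release.mkdir(parents=True)
    (native / "package.json").write_text(json.dumps(
        {"name": "helper-tools", "publisher": "acme",
         "scripts": {"vscode:uninstall": "node ./out/cleanup.js"}}))
    (release / "bridge.node").write_bytes(b"MZ\x90\x00")  # PE header stub, constructed
    return root


if __name__ == "__main__":
    for result in scan_extensions_root(build_sample_root()):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['name']} hooks={result['hooks']} native={result['native_files']}")
```

Point `scan_extensions_root` at the real extensions directory (`~/.vscode/extensions`, or the equivalent for Cursor and other forks) to run it against an actual install; anything flagged should be compared against the publisher's source repository to see whether the native file is expected there.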
Presented at Security Fest 2026.
Speaker: Debjeet Banerjee

I am a Researcher with Black Hills Information Security. I develop malware and build automation pipelines for engagements. As a hobby, I like diving into IDA disassemblies and WinDBG to find increasingly complex ways to do things which would annoy EDRs and Reverse Engineers. When I am not looking at screens, I am riding motorcycles, trekking along the Himalayas or reading history and philosophy.