T1176.002 IDE Extensions
Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.3 IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., Compromise Software Dependencies and Development Tools) or side-loaded directly into the IDE.12
In addition to installing malicious extensions, adversaries may also leverage benign ones. For example, adversaries may establish persistent SSH tunnels via the use of the VSCode Remote SSH extension (i.e., IDE Tunneling).
Trust is typically established through the installation process; once installed, the malicious extension is run every time that the IDE is launched. The extension can then be used to execute arbitrary code, establish a backdoor, mine cryptocurrency, or exfiltrate data.4
| Item | Value |
|---|---|
| ID | T1176.002 |
| Sub-techniques | T1176.001, T1176.002 |
| Tactics | TA0003 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 30 March 2025 |
| Last Modified | 23 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0129 | Mustang Panda | Mustang Panda has leveraged Visual Studio Code’s (VSCode) embedded reverse shell feature using the command code.exe tunnel to execute code and deliver additional payloads.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones. |
| M1038 | Execution Prevention | Set an IDE extension allow or deny list as appropriate for your security policy. |
| M1033 | Limit Software Installation | Only install IDE extensions from trusted sources that can be verified. |
| M1051 | Update Software | Ensure operating systems and IDEs are using the most current version. |
| M1017 | User Training | Train users to minimize IDE extension use, and to only install trusted extensions. |
References
-
Abramovsky, O. (2023, May 16). VSCode Security: Malicious Extensions Detected- More Than 45,000 Downloads- PII Exposed, and Backdoors Enabled. Retrieved March 30, 2025. ↩
-
Lakshmanan, R. (2023, January 9). Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions. Retrieved March 30, 2025. ↩
-
Mnemonic. (n.d.). Advisory: Misuse of Visual Studio Code for traffic tunnelling. Retrieved March 30, 2025. ↩
-
Yuval Ronen. (2025, April 4). Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign. Retrieved April 8, 2025. ↩
-
Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025. ↩