MITRE ATT&CK Technique
Description
Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.(Citation: Mnemonic misuse visual studio) IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., [Compromise Software Dependencies and Development Tools](https://attack.mitre.org/techniques/T1195/001)) or side-loaded directly into the IDE.(Citation: Abramovsky VSCode Security)(Citation: Lakshmanan Visual Studio Marketplace) In addition to installing malicious extensions, adversaries may also leverage benign ones. For example, adversaries may establish persistent SSH tunnels via the use of the VSCode Remote SSH extension (i.e., [IDE Tunneling](https://attack.mitre.org/techniques/T1219/001)). Trust is typically established through the installation process; once installed, the malicious extension is run every time that the IDE is launched. The extension can then be used to execute arbitrary code, establish a backdoor, mine cryptocurrency, or exfiltrate data.(Citation: ExtensionTotal VSCode Extensions 2025)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2025-03-30T22:16:24.078Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse an integrated development environment '
'(IDE) extension to establish persistent access to victim '
'systems.(Citation: Mnemonic misuse visual studio) IDEs such '
'as Visual Studio Code, IntelliJ IDEA, and Eclipse support '
'extensions - software components that add features like code '
'linting, auto-completion, task automation, or integration '
'with tools like Git and Docker. A malicious extension can be '
'installed through an extension marketplace (i.e., [Compromise '
'Software Dependencies and Development '
'Tools](https://attack.mitre.org/techniques/T1195/001)) or '
'side-loaded directly into the IDE.(Citation: Abramovsky '
'VSCode Security)(Citation: Lakshmanan Visual Studio '
'Marketplace) \n'
'\n'
'In addition to installing malicious extensions, adversaries '
'may also leverage benign ones. For example, adversaries may '
'establish persistent SSH tunnels via the use of the VSCode '
'Remote SSH extension (i.e., [IDE '
'Tunneling](https://attack.mitre.org/techniques/T1219/001)). \n'
'\n'
'Trust is typically established through the installation '
'process; once installed, the malicious extension is run every '
'time that the IDE is launched. The extension can then be used '
'to execute arbitrary code, establish a backdoor, mine '
'cryptocurrency, or exfiltrate data.(Citation: ExtensionTotal '
'VSCode Extensions 2025)',
'external_references': [{'external_id': 'T1176.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1176/002'},
{'description': 'Abramovsky, O. (2023, May 16). '
'VSCode Security: Malicious '
'Extensions Detected- More Than '
'45,000 Downloads- PII Exposed, and '
'Backdoors Enabled. Retrieved March '
'30, 2025.',
'source_name': 'Abramovsky VSCode Security',
'url': 'https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/'},
{'description': 'Lakshmanan, R. (2023, January 9). '
'Hackers Can Abuse Visual Studio '
'Marketplace to Target Developers '
'with Malicious Extensions. Retrieved '
'March 30, 2025.',
'source_name': 'Lakshmanan Visual Studio Marketplace',
'url': 'https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html'},
{'description': 'Mnemonic. (n.d.). Advisory: Misuse '
'of Visual Studio Code for traffic '
'tunnelling. Retrieved March 30, '
'2025.',
'source_name': 'Mnemonic misuse visual studio',
'url': 'https://www.mnemonic.io/resources/blog/misuse-of-visual-studio-code-for-traffic-tunnelling/'},
{'description': 'Yuval Ronen. (2025, April 4). Mining '
'in Plain Sight: The VS Code '
'Extension Cryptojacking Campaign. '
'Retrieved April 8, 2025.',
'source_name': 'ExtensionTotal VSCode Extensions '
'2025',
'url': 'https://blog.extensiontotal.com/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59'}],
'id': 'attack-pattern--66b34be7-6915-4b83-8d5a-b0f0592b5e41',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-04-23T12:40:46.664Z',
'name': 'IDE Extensions',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Raghvendra Mishra, Arista Networks',
'Kevin Ward',
'Fabian Kammel'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.0'}