Persistence

T1176.002: IDE Extensions

T1176.002 · Sub-technique · 3 platforms · 1 group

Description

Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.(Citation: Mnemonic misuse visual studio) IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., Compromise Software Dependencies and Development Tools) or side-loaded directly into the IDE.(Citation: Abramovsky VSCode Security)(Citation: Lakshmanan Visual Studio Marketplace)

In addition to installing malicious extensions, adversaries may also leverage benign ones. For example, adversaries may establish persistent SSH tunnels via the use of the VSCode Remote SSH extension (i.e., IDE Tunneling).

Trust is typically established through the installation process; once installed, the malicious extension is run every time that the IDE is launched. The extension can then be used to execute arbitrary code, establish a backdoor, mine cryptocurrency, or exfiltrate data.(Citation: ExtensionTotal VSCode Extensions 2025)
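The two mitigations that follow from this paragraph, an extension allow list and an audit of what is actually installed, can be checked from disk without the IDE running. The script below is an added example, not code from the ATT&CK page or from any IDE vendor. It assumes the on-disk layout VS Code uses for user extensions (an `extensions.json` index listing each extension's `identifier.id`, `version` and `relativeLocation`, plus one `<publisher>.<name>-<version>/package.json` per extension); the allow list, the three sample extensions and their `package.json` contents are constructed for the demo and written to a temporary directory so it runs offline. It flags extensions that are not allow-listed, lookalikes whose display name matches an allow-listed extension, and any extension whose `activationEvents` (`*` or `onStartupFinished`) make it load on every IDE launch, which is the persistence property the paragraph describes.

```python
"""Audit a VS Code-style extensions directory against an allow list."""
import json
import os
import posixpath
import tempfile

# Activation events that make an extension load on every IDE start.
STARTUP_EVENTS = {"*", "onStartupFinished"}

# Constructed allow list for the demo: lower-case publisher.name ids
# (a "publisher.*" entry would allow everything from that publisher).
ALLOWLIST = {"ms-python.python", "acme.taskrunner"}

# Constructed sample: three installed extensions, one of them a lookalike
# of an allow-listed one. None of this describes a real extension.
SAMPLE_EXTENSIONS = [
    {"id": "ms-python.python", "version": "2024.4.1", "displayName": "Python",
     "activationEvents": ["onLanguage:python"]},
    {"id": "acme.taskrunner", "version": "1.2.0", "displayName": "Task Runner",
     "activationEvents": ["onStartupFinished"]},
    {"id": "ms-pyth0n.python", "version": "1.0.0", "displayName": "Python",
     "activationEvents": ["*"]},
]


def build_sample_dir():
    """Write the constructed extensions into a temp dir laid out like VS Code's."""
    ext_dir = tempfile.mkdtemp(prefix="vscode-ext-")
    index = []
    for ext in SAMPLE_EXTENSIONS:
        folder = f"{ext['id']}-{ext['version']}"
        os.makedirs(os.path.join(ext_dir, folder))
        publisher, name = ext["id"].split(".", 1)
        pkg = {"name": name, "publisher": publisher, "version": ext["version"],
               "displayName": ext["displayName"],
               "activationEvents": ext["activationEvents"],
               "main": "./out/extension.js"}
        with open(os.path.join(ext_dir, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
        index.append({"identifier": {"id": ext["id"]}, "version": ext["version"],
                      "relativeLocation": folder})
    with open(os.path.join(ext_dir, "extensions.json"), "w", encoding="utf-8") as fh:
        json.dump(index, fh)
    return ext_dir


def load_installed(ext_dir):
    """Return {extension_id: (version, package_json_dict)} from ext_dir."""
    with open(os.path.join(ext_dir, "extensions.json"), encoding="utf-8") as fh:
        records = json.load(fh)
    installed = {}
    for rec in records:
        ext_id = rec["identifier"]["id"].lower()
        version = rec["version"]
        # relativeLocation is the folder VS Code stores the extension under;
        # fall back to the conventional id-version name if it is missing.
        folder = posixpath.basename(rec.get("relativeLocation", f"{ext_id}-{version}"))
        try:
            with open(os.path.join(ext_dir, folder, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            pkg = {}  # missing/corrupt manifest: still reported against the allow list
        installed[ext_id] = (version, pkg)
    return installed


def audit(installed, allowlist):
    """Return a sorted list of (extension_id, reason) findings."""
    findings = []
    # The name part of each allow-listed id, used to spot lookalike display names.
    allowed_names = {aid.split(".", 1)[1]: aid for aid in allowlist if ".*" not in aid}
    for ext_id, (_version, pkg) in sorted(installed.items()):
        publisher = ext_id.partition(".")[0]
        if ext_id not in allowlist and f"{publisher}.*" not in allowlist:
            findings.append((ext_id, "not on allow list"))
            display = str(pkg.get("displayName", "")).strip().lower()
            if display in allowed_names:
                findings.append((ext_id, f"masquerades as allow-listed '{allowed_names[display]}'"))
        if set(pkg.get("activationEvents", [])) & STARTUP_EVENTS:
            findings.append((ext_id, "activates on every IDE start"))
    return findings


def run_demo():
    """Build the constructed directory and audit it."""
    return audit(load_installed(build_sample_dir()), ALLOWLIST)


if __name__ == "__main__":
    for ext_id, reason in run_demo():
        print(f"{ext_id}: {reason}")
```

Against a real machine, point `load_installed` at `~/.vscode/extensions` (or `%USERPROFILE%\.vscode\extensions` on Windows) and replace `ALLOWLIST` with the organisation's list. Startup activation is legitimate for many benign extensions, so that finding is a review prompt rather than a verdict; the allow-list and lookalike findings are the actionable ones.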

Platforms

Linux, macOS, Windows

Mitigations (5)

Execution Prevention (M1038)

Set an IDE extension allow or deny list as appropriate for your security policy.

Update Software (M1051)

Ensure operating systems and IDEs are using the most current version.

Audit (M1047)

Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones.

Limit Software Installation (M1033)

Only install IDE extensions from trusted sources that can be verified.

User Training (M1017)

Train users to minimize IDE extension use, and to only install trusted extensions.

Threat Groups (1)

ID | Group | Context
G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged Visual Studio Code's (VSCode) embedded reverse shell feature using the command `c...

Frequently Asked Questions

What is T1176.002 (IDE Extensions)?

T1176.002 is a MITRE ATT&CK sub-technique named 'IDE Extensions' under the Persistence tactic. Adversaries abuse IDE extensions to keep access to victim systems: a malicious extension is installed from a marketplace or side-loaded, or a benign one such as VSCode Remote SSH is used for tunneling, and the extension then runs every time the IDE is launched.

How can T1176.002 be detected?

Detection of T1176.002 (IDE Extensions) centres on the IDE's extension store and on what the IDE process does after launch. Monitor file creation and modification in the per-user extension directories (for VS Code, `~/.vscode/extensions` on Linux and macOS, `%USERPROFILE%\.vscode\extensions` on Windows) and in the extension index files there, and reconcile what appears against the approved allow list. Monitor command execution for command-line installs (for example `code --install-extension`), for the IDE binary spawning shells or script interpreters with download or encoded-command arguments, and for IDE tunnelling commands, since extensions and tunnels both run under the IDE's own process and may blend into developer activity. Correlate outbound network connections from the IDE process with known marketplace and remote-development endpoints. Feed these into SIEM rules, EDR telemetry and behavioural analytics, with the caveat that integrated terminals and legitimate remote-development extensions produce similar events and need baselining.
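The process-creation part of that detection, as an added example that is not part of the ATT&CK page or of any vendor's rule set. It assumes a flattened event shape with `parent_image`, `image` and `command_line` fields (the fields an EDR or Sysmon event 1 normally carries) and runs three checks over five constructed events: a command-line extension install whose id is compared against an allow list, the IDE binary spawning a shell with download or encoded-command arguments, and the `code tunnel` subcommand, which is the tunnelling feature referenced in the description. The allow list, the image paths and the encoded blob are constructed for the demo; the blob is just "ABC" in UTF-16LE base64, not a payload.

```python
"""Process-creation detections for IDE extension abuse and IDE tunnelling."""
import posixpath
import re

# Constructed allow list of approved extension ids (lower case).
ALLOWLIST = {"ms-python.python", "acme.taskrunner"}

# Executable names of the IDE itself and of shells it might be observed spawning.
IDE_IMAGES = {"code", "code.exe", "code.cmd", "code-insiders", "code-insiders.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "pwsh", "cmd.exe", "bash", "sh", "zsh"}

# Arguments that distinguish a suspicious IDE-spawned shell from an integrated
# terminal: encoded PowerShell, in-line downloaders, bash /dev/tcp connect-backs.
SUSPICIOUS_SHELL_ARGS = re.compile(
    r"(?i)(?:-enc\w*\s|curl\s|wget\s|Invoke-WebRequest|\bIEX\b|/dev/tcp/)")
# `code --install-extension <id-or-vsix>` is the CLI install path.
INSTALL = re.compile(r"--install-extension[= ]+(\S+)", re.I)
# `code tunnel` starts the IDE's remote tunnel (IDE Tunneling in ATT&CK terms).
TUNNEL = re.compile(r"(?i)\bcode(?:\.exe|\.cmd)?\s+tunnel\b")

# Constructed sample events; indexes are referenced in the expected findings.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "command_line": "Code.exe"},                                   # 0: benign launch
    {"parent_image": "/bin/bash", "image": "/usr/bin/code",
     "command_line": "code --install-extension ms-pyth0n.python"},  # 1: CLI install
    {"parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # 2: encoded cmd
    {"parent_image": "/usr/share/code/code", "image": "/bin/bash",
     "command_line": "bash -l"},                                    # 3: integrated terminal
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "command_line": "Code.exe tunnel --accept-server-license-terms"},  # 4: tunnel
]


def norm(path):
    """Lower-case basename that works for both Windows and POSIX paths."""
    return posixpath.basename(path.replace("\\", "/")).lower()


def detect(events, allowlist):
    """Return a list of (event_index, rule, detail) findings, in event order."""
    findings = []
    for i, ev in enumerate(events):
        parent, image, cmd = norm(ev["parent_image"]), norm(ev["image"]), ev["command_line"]

        m = INSTALL.search(cmd)
        if m:
            ext_id = m.group(1).strip("\"'").lower()
            status = "on allow list" if ext_id in allowlist else "not on allow list"
            findings.append((i, "extension-install", f"{ext_id} {status}"))

        # Integrated terminals make IDE->shell common; only the argument
        # pattern, not the parent/child pair alone, raises the finding.
        if parent in IDE_IMAGES and image in SHELLS and SUSPICIOUS_SHELL_ARGS.search(cmd):
            findings.append((i, "ide-spawned-shell", f"{image} with suspicious arguments"))

        if TUNNEL.search(cmd):
            findings.append((i, "ide-tunnel", cmd))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in detect(SAMPLE_EVENTS, ALLOWLIST):
        print(f"event {idx}: {rule}: {detail}")
```

Event 3 is deliberately silent: a login shell under the IDE is the integrated terminal. Installs of allow-listed extensions still produce a finding, tagged as such, so that a pipeline can route them to an inventory rather than an alert.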

What mitigations exist for T1176.002?

There are 5 documented mitigations for T1176.002. Key mitigations include: Execution Prevention, Update Software, Audit, Limit Software Installation, User Training.

Which threat groups use T1176.002?

Known threat groups using T1176.002 include: Mustang Panda.