18 points | speckx | 4 comments
1. peacebeard No.46238310
> Because threat actors find new ways to evade detection on public repositories used for software development, it is recommended that users inspect packages before installation, especially when the source is not a reputable publisher.

Serious question: what is realistically meant by "inspect packages before installation" here? I assume they don't mean "review all the code in the packaged node_modules to find any trojans." Maybe "don't install plugins with packaged dependencies" but I'm not sure how common it is in this context.

My takeaway will just be "continue to use the default VSCode theme."

2. trinsic2 No.46239670
I thought image files don't act as executables?
replies(1): >>46240328
3. butvacuum No.46240328
A "corrupted" PNG brings less suspicion, and triggers fewer heuristics, than a long chunk of Base64.

And that's assuming they didn't encode it into a valid PNG.
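An added example, not code from this thread or from any extension it discusses, showing what the "corrupted PNG" and "valid PNG" variants mentioned in comment 3 look like on disk, and one concrete answer to the question in comment 1 about what inspecting a package before installation can mean for the image files it ships: walk the PNG chunk structure and flag anything after IEND, any chunk type the PNG specification does not define, and any chunk whose CRC does not match its contents. The chunk name paYL, the payload bytes and the one-pixel image are constructed for the demo and are not taken from any real sample.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def parse_png(data):
    """Walk the chunk list that follows the signature.

    Returns (chunks, end_offset); each chunk is (type, payload, crc_ok), with
    crc_ok None for a chunk cut off by end of file. Stops at IEND so the caller
    can measure how many bytes trail the image.
    """
    chunks = []
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            chunks.append((ctype, data[start:], None))
            return chunks, len(data)
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = crc == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype, payload, crc_ok))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks, pos


def inspect_png(data):
    """Return a list of findings; an empty list means structurally clean."""
    if not data.startswith(PNG_SIG):
        return ["missing PNG signature"]
    findings = []
    chunks, end = parse_png(data)
    saw_iend = False
    for ctype, payload, crc_ok in chunks:
        if crc_ok is None:
            findings.append(f"truncated chunk {ctype!r}")
        elif not crc_ok:
            findings.append(f"CRC mismatch in chunk {ctype!r} ({len(payload)} bytes)")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({len(payload)} bytes)")
        if ctype == b"IEND":
            saw_iend = True
    if not saw_iend:
        findings.append("no IEND chunk")
    elif len(data) - end > 0:
        findings.append(f"{len(data) - end} bytes after IEND")
    return findings


# --- constructed samples for the demo; PAYLOAD is placeholder text, not malware ---

PAYLOAD = b"constructed sample payload; stands in for the hidden script"


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def clean_png():
    """Smallest valid image the demo needs: one RGBA pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)   # 1x1, 8-bit, RGBA
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00\xff")  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_with_trailing_payload():
    """Valid image with the payload appended after IEND; viewers ignore the tail."""
    return clean_png() + PAYLOAD


def png_with_ancillary_chunk():
    """Valid image carrying the payload in a private ancillary chunk (lowercase
    first letter tells decoders it is safe to skip). 'paYL' is a made-up name."""
    img = clean_png()
    iend = _chunk(b"IEND", b"")
    return img[:-len(iend)] + _chunk(b"paYL", PAYLOAD) + iend


def corrupted_png():
    """The 'corrupted PNG' case: one byte of image data flipped, so IDAT's CRC no
    longer matches and the file will not render, but it still starts like a PNG."""
    img = bytearray(clean_png())
    first_idat_byte = img.index(b"IDAT") + 4
    img[first_idat_byte] ^= 0xFF
    return bytes(img)


if __name__ == "__main__":
    samples = [("clean", clean_png), ("trailing", png_with_trailing_payload),
               ("ancillary", png_with_ancillary_chunk), ("corrupted", corrupted_png)]
    for name, build in samples:
        print(f"{name:10} {inspect_png(build()) or 'no findings'}")
```

Running it prints one line per sample. The check is structural only: a payload encoded into pixel values, or compressed into a legitimate zTXt chunk, passes it, so treat it as a triage filter that decides which images in a theme or extension deserve a closer look, not as proof that a file is clean.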