Cyber Security News

Hackers Abusing Microsoft VSCode Remote Tunnels To Bypass Security Tools

VSCode Remote Tunnels, a legitimate feature of the popular development environment, are increasingly being used by malicious actors.

The feature lets developers reach their local coding environment from another machine or from a web browser, which makes it convenient and flexible.

Threat actors abuse it by delivering files or scripts that silently download the VSCode CLI and open a remote tunnel without the user's knowledge.

This gives the attacker unauthorized access to the developer's device, from which they can steal confidential data, deploy malware, and move laterally across the network.


How Are VSCode Tunnels Being Abused By Threat Actors?

According to On the Hunt's blog post, the malicious LNK file delivered in the first stage contains a PowerShell command that downloads and executes a Python script from a remote IP address.

That Python script then downloads and runs the VSCode CLI binary, code-insiders.exe, and uses it to create a VSCode tunnel that is authenticated against GitHub.

The Attack Chain

Once the Python payload has created the remote tunnel, the threat actor connects to it through a web browser and executes commands on the victim host.

Python Script sets up the tunnel

The attacker signs in to VSCode in the browser with the same GitHub account that was used to register the tunnel and presses the connect-to-tunnel button.

Connecting to tunnel

Once verified with the account, a list of remote hosts with active tunnels can be observed. Selecting the online victim host will connect to the VSCode remote tunnel running on that host. 

From there the attacker can traverse directories on the victim's computer, and can also create new files or scripts and run them remotely.

Organizations should restrict remote tunnel access to their own tenant. Where that is not feasible, tunnel use across the estate should be blocked, or controls put in place to detect and prevent misuse.
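The chain described above leaves a distinctive trail: a VS Code CLI binary started with the `tunnel` subcommand by a scripting host or from a dropped location, followed by traffic to Microsoft's dev-tunnel endpoints. As an added detection example (not code from the article or from the On the Hunt write-up), the script below runs that logic over constructed Sysmon-style process-creation and DNS records. The binary names, trusted install paths and tunnel domains are assumptions drawn from VS Code's documented packaging and Microsoft's dev-tunnel documentation, not from this page.

```python
"""Detect VS Code Remote Tunnels started outside a normal developer workflow.

Added example, not code from the article or the On the Hunt write-up.
Records use Sysmon field names (event ID 1 process create, event ID 22 DNS
query); every sample row below is constructed for illustration.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Binaries that can open a tunnel via `code tunnel` / `code-insiders tunnel`
# (code-tunnel.exe is the CLI bundled with the desktop installer).
# Assumption based on VS Code's packaging, not on this article.
VSCODE_CLI = {"code.exe", "code-insiders.exe", "code-tunnel.exe"}

# Install locations a managed workstation would normally run the CLI from.
TRUSTED_PREFIXES = (
    r"c:\program files\microsoft vs code",
    r"c:\program files\microsoft vs code insiders",
)
TRUSTED_USER_FRAGMENT = r"\appdata\local\programs\microsoft vs code"

# Script hosts that should not normally be the parent of a tunnel launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe",
                "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Microsoft's dev-tunnel endpoints (from Microsoft's documentation, not this page).
TUNNEL_DOMAIN_RE = re.compile(
    r"(^|\.)(tunnels\.api\.visualstudio\.com|devtunnels\.ms)$", re.IGNORECASE)
TUNNEL_ARG_RE = re.compile(r"(^|\s)tunnel(\s|$)", re.IGNORECASE)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def from_trusted_path(image: str) -> bool:
    """True if the binary runs from a standard VS Code install directory."""
    p = image.lower()
    return p.startswith(TRUSTED_PREFIXES) or TRUSTED_USER_FRAGMENT in p


def is_tunnel_launch(ev: dict) -> bool:
    """True when a VS Code CLI binary is started with the `tunnel` subcommand."""
    return (_basename(ev.get("Image", "")) in VSCODE_CLI
            and TUNNEL_ARG_RE.search(ev.get("CommandLine", "")) is not None)


def classify_process(ev: dict) -> Optional[str]:
    """Severity for a process-create record, or None if it is not a tunnel launch."""
    if not is_tunnel_launch(ev):
        return None
    parent = _basename(ev.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS or not from_trusted_path(ev.get("Image", "")):
        return "high"    # dropped binary or script-driven launch: the campaign's pattern
    if "--accept-server-license-terms" in ev.get("CommandLine", ""):
        return "medium"  # unattended launch from a real install: automation, worth a look
    return "low"         # interactive `code tunnel` from an installed client


def classify_dns(ev: dict) -> Optional[str]:
    """Severity for a DNS record naming a tunnel endpoint, or None."""
    if TUNNEL_DOMAIN_RE.search(ev.get("QueryName", "")) is None:
        return None
    return "low" if from_trusted_path(ev.get("Image", "")) else "high"


def detect(process_events, dns_events):
    """Return (severity, source, image, detail) tuples for everything worth triage."""
    findings = []
    for ev in process_events:
        sev = classify_process(ev)
        if sev:
            findings.append((sev, "process", ev["Image"], ev["CommandLine"]))
    for ev in dns_events:
        sev = classify_dns(ev)
        if sev:
            findings.append((sev, "dns", ev["Image"], ev["QueryName"]))
    return findings


# Constructed sample telemetry: a dropped CLI started by Python (the chain in
# the article), a developer using an installed client, and an unrelated process.
SAMPLE_PROCESS = [
    {"Image": r"C:\Users\dev\AppData\Local\Temp\code-insiders.exe",
     "CommandLine": "code-insiders.exe tunnel --accept-server-license-terms --name wks-01",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe"},
    {"Image": r"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe",
     "CommandLine": "code-tunnel.exe tunnel",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe tunnel-notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_DNS = [
    {"Image": r"C:\Users\dev\AppData\Local\Temp\code-insiders.exe",
     "QueryName": "global.rel.tunnels.api.visualstudio.com"},
    {"Image": r"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe",
     "QueryName": "global.rel.tunnels.api.visualstudio.com"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_PROCESS, SAMPLE_DNS):
        print(*finding, sep=" | ")
```

The severity split matters in practice: developers do run `code tunnel` legitimately, so the rule keys on who launched the CLI and where it lives rather than on the tunnel itself, and the DNS check catches a renamed binary that the process rule would miss. The same domain list is what a proxy or DNS block would use if the estate-wide prohibition above is chosen.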

Therefore, companies may safeguard their sensitive data and protect the integrity of their development environments by taking proactive measures to combat this new threat.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
