{"id":1593451,"date":"2025-03-24T12:49:02","date_gmt":"2025-03-24T14:49:02","guid":{"rendered":"https:\/\/teknomers.com\/fr\/vscode-marketplace-supprime-deux-extensions-deploiement-des-ransomwares-a-un-stade-precoce\/"},"modified":"2025-03-24T12:49:07","modified_gmt":"2025-03-24T14:49:07","slug":"vscode-marketplace-supprime-deux-extensions-deploiement-des-ransomwares-a-un-stade-precoce","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/vscode-marketplace-supprime-deux-extensions-deploiement-des-ransomwares-a-un-stade-precoce\/","title":{"rendered":"VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">March 24, 2025<\/span><span class=\"author\">Ravie Lakshmanan<\/span><\/span><span class=\"p-tags\">Malware \/ Encryption<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VS Code) Marketplace that are designed to deploy in-development ransomware to its users.<\/p>\n<p>The extensions, named &#8220;ahban.shiba&#8221; and &#8220;ahban.cychewelloworld&#8221;, have since been removed by the marketplace maintainers.<\/p>\n<p>Both extensions, per <a rel=\"noopener nofollow\" href=\"https:\/\/x.com\/ReversingLabs\/status\/1902355039265411208\" target=\"_blank\">ReversingLabs<\/a>, embed code designed 
to invoke a PowerShell command, which then fetches a PowerShell script payload from a command-and-control (C2) server and executes it.<\/p>\n<p>The payload is suspected to be ransomware in an early stage of development, encrypting only files in a folder named &#8220;testshiba&#8221; on the victim&#8217;s Windows desktop.<\/p>\n<p>Once the files are encrypted, the PowerShell payload displays a message stating &#8220;Your files have been encrypted. 
Pay 1 ShibaCoin to ShibaWallet to recover them.&#8221;<\/p>\n<p>However, no further instructions or cryptocurrency wallet address are provided to victims, another indication that the malware is likely still under development by the threat actors.<\/p>\n<p>The development comes months after the software supply chain security company flagged several malicious extensions, some of which passed themselves off as Zoom but harbored functionality to download an unknown second-stage payload from a remote server.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/03\/1742827741_485_VScode-Marketplace-supprime-deux-extensions-deploiement-des-ransomwares-a-un.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/03\/1742827741_485_VScode-Marketplace-supprime-deux-extensions-deploiement-des-ransomwares-a-un.png\" alt=\"VSCODE Marketplace\" border=\"0\" data-original-height=\"1431\" data-original-width=\"2048\" title=\"VSCODE Marketplace\"\/><\/a><\/div>\n<p>Last week, Socket detailed a malicious Maven package impersonating the <a rel=\"noopener nofollow\" href=\"https:\/\/github.com\/scribejava\/scribejava\" target=\"_blank\">scribejava-core library<\/a> that secretly harvests and exfiltrates OAuth credentials on the fifteenth day of each month, highlighting a time-based trigger mechanism designed to evade detection.<\/p>\n<p>The library was uploaded to Maven Central on January 25, 2024. 
It continues to be <a rel=\"noopener nofollow\" href=\"https:\/\/mvnrepository.com\/artifact\/io.github.leetcrunch\/scribejava-core\" target=\"_blank\">available for download<\/a> from the repository.<\/p>\n<p>&#8220;The attackers used typosquatting &#8211; creating a nearly identical name to trick developers into adding the malicious package,&#8221; security researcher Kush Pandya <a rel=\"noopener nofollow\" href=\"https:\/\/socket.dev\/blog\/malicious-maven-package-exfiltrates-oauth-credentials\" target=\"_blank\">said<\/a>. &#8220;Interestingly, this malicious package has six dependent packages.&#8221;<\/p>\n<p>&#8220;All are typosquatting legitimate packages but share the same groupId (io.github.leetcrunch) instead of the real namespace (com.github.scribejava).&#8221;<\/p>\n<p>By adopting this approach, the idea is to boost the perceived legitimacy of the malicious library, thereby increasing the chances that a developer would download it and use it in their projects.<\/p>\n<\/div>\n<p><a href=\"https:\/\/thehackernews.com\/2025\/03\/vscode-marketplace-removes-two.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>March 24, 2025 Ravie Lakshmanan Malware \/ Encryption Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VS Code) Marketplace that are designed to deploy in-development ransomware to its users. 
The extensions, named &#8220;ahban.shiba&#8221; and &#8220;ahban.cychewelloworld&#8221;, have since been removed by the marketplace [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1593452,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[274266,274265,4168,79002,274264,4161,274263,6124,4390,133,245,3107,274267,7531,4160,12765,63091,238617,246491,4172,1378,1549,79016,4166,289303,4164],"class_list":["post-1593451","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-de-piratage","tag-actualites-des-pirates","tag-comment-pirater","tag-cyber-security-news","tag-cyber-security-news-aujourdhui","tag-cyber-mises-a-jour","tag-cyber-nouvelles","tag-cyberattaques","tag-deploiement","tag-des","tag-deux","tag-extensions","tag-malware-ransomware","tag-marketplace","tag-mises-a-jour-de-la-cybersecurite","tag-precoce","tag-ransomwares","tag-securite-de-linformation","tag-securite-du-reseau","tag-securite-informatique","tag-stade","tag-supprime","tag-the-hacker-news","tag-violation-de-donnees","tag-vscode","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1593451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=1593451"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1593451\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/1593452"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=1593451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=1593451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=1593451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}