Evil-Ex is a tool (an extension, really) that demonstrates the dangers posed by malicious IDE extensions. The idea came up while I was researching supply chain compromise and looking for initial access vectors in that context.
For obvious reasons this extension is not published on the marketplace and is shared here instead.
As of now Evil-Ex supports only Linux systems, with two features:
- Exfiltration of Docker and GitHub credentials via the `evil-ex.007` command.
- Reverse shell via the `evil-ex.1337` command.
Requirements:
- VS Code/VSCodium >= 1.95.0
- NodeJS >= v22.14.0
- NPM >= v10.9.2
Installation:

```sh
git clone https://github.com/wand3rlust/Evil-Ex.git
cd Evil-Ex
npm install
```

Usage (Data Exfil):
- Open the extension directory as a folder in VS Code.
- Add the webhook URL in line 20 of the `extension.js` file.
- In the top menu bar, click Run and then select Run Without Debugging (`Ctrl+F5`).
- A new VS Code window will pop up; click View in the top menu bar and then select the Command Palette option.
- Type `Data Exfil!` and press Enter.
- The contents of `~/.docker/config.json` and `~/.config/gh/hosts.yml` will be exfiltrated.
Usage (Reverse Shell):
- Open the extension directory as a folder in VS Code.
- Add the C2 URL in line 52 of the `extension.js` file.
- In the top menu bar, click Run and then select Run Without Debugging (`Ctrl+F5`).
- A new VS Code window will pop up; click View in the top menu bar and then select the Command Palette option.
- Type `Reverse Shell!` and press Enter.
- A command execution callback will be received on the C2.
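The demo above runs the extension from a folder in an Extension Development Host, so nothing is written to the installed-extensions directory; the realistic risk is an extension like this being installed from a VSIX or the marketplace, where it runs as the user in the extension host and can read anything the user can. The following is an added, defender-side example (not part of Evil-Ex, standard library only) that does two things: it summarises what each installed VS Code/VSCodium extension declares in its `package.json` (commands, activation events, publisher) so sideloaded extensions can be reviewed, and it checks whether the two credential files named in this README actually hold secrets in plaintext. The sample manifest, Docker config and `hosts.yml` contents at the bottom are constructed inputs so the script runs offline; the flag heuristics are this example's own choices, not a vendor standard.

```python
"""Audit installed VS Code/VSCodium extension manifests and check whether the
Docker and gh credential files hold plaintext secrets. Added example, not
part of Evil-Ex; standard library only."""
import json
from pathlib import Path

# Extension roots used by VS Code and VSCodium on Linux.
EXTENSION_ROOTS = (Path.home() / ".vscode" / "extensions",
                   Path.home() / ".vscode-oss" / "extensions")

# Activation events that start an extension with no explicit user action.
EAGER_ACTIVATION = {"*", "onStartupFinished"}


def audit_extension_manifest(manifest: dict) -> dict:
    """Summarise an extension's package.json and flag traits worth a second look.

    Every command listed here runs with the user's privileges inside the
    extension host, so the command list is what a reviewer should read first.
    The flags are this example's heuristics, not a vendor rule set.
    """
    contributes = manifest.get("contributes", {})
    commands = [c.get("command", "") for c in contributes.get("commands", [])]
    activation = manifest.get("activationEvents", [])
    flags = []
    if any(ev in EAGER_ACTIVATION for ev in activation):
        flags.append("activates without user action")
    if not manifest.get("publisher"):
        flags.append("no publisher declared")
    if not manifest.get("repository"):
        flags.append("no source repository declared")
    return {
        "id": f"{manifest.get('publisher') or '?'}.{manifest.get('name') or '?'}",
        "version": manifest.get("version", "?"),
        "commands": commands,
        "activation": activation,
        "flags": flags,
    }


def scan_installed_extensions(roots=EXTENSION_ROOTS) -> list:
    """Audit every <root>/<extension>/package.json under the known roots."""
    results = []
    for root in roots:
        if not root.is_dir():
            continue
        for pkg in root.glob("*/package.json"):
            try:
                results.append(audit_extension_manifest(json.loads(pkg.read_text())))
            except (OSError, ValueError):
                results.append({"id": str(pkg), "flags": ["unreadable manifest"]})
    return results


def docker_inline_auths(config: dict) -> list:
    """Return registries whose credentials sit base64-encoded in config.json.

    With "credsStore" (or per-registry "credHelpers") configured, Docker keeps
    the secret in a credential helper and the file itself holds nothing usable.
    """
    return [reg for reg, entry in config.get("auths", {}).items()
            if isinstance(entry, dict) and entry.get("auth")]


def gh_hosts_has_plaintext_token(hosts_yml: str) -> bool:
    """True if gh's hosts.yml still carries an oauth_token line.

    Recent gh releases can keep the token in the system keyring instead;
    plaintext storage is what `gh auth login --insecure-storage` selects.
    """
    return any(line.strip().startswith("oauth_token:")
               for line in hosts_yml.splitlines())


# Constructed sample inputs (not real files) so the module runs offline.
SAMPLE_MANIFEST = {
    "name": "helpful-ext", "publisher": "", "version": "0.0.1",
    "activationEvents": ["*"],
    "contributes": {"commands": [{"command": "helpful-ext.sync", "title": "Sync"}]},
}
SAMPLE_DOCKER_CONFIG = {"auths": {"https://index.docker.io/v1/": {"auth": "dXNlcjpwYXNz"}}}
SAMPLE_HOSTS_YML = ("github.com:\n    user: someone\n"
                    "    oauth_token: gho_PLACEHOLDER\n    git_protocol: https\n")

if __name__ == "__main__":
    for entry in scan_installed_extensions() or [audit_extension_manifest(SAMPLE_MANIFEST)]:
        print(json.dumps(entry, indent=2))
    print("registries with inline auth:", docker_inline_auths(SAMPLE_DOCKER_CONFIG))
    print("gh token stored in plaintext:", gh_hosts_has_plaintext_token(SAMPLE_HOSTS_YML))
```

Run it as-is to audit the extensions installed for the current user; pass `json.load(open(Path.home() / ".docker/config.json"))` and the text of `~/.config/gh/hosts.yml` to the two checkers to see whether those files would give an attacker anything. Moving Docker to a credential helper and gh to keyring storage does not stop a malicious extension from running, but it removes the plaintext tokens that the `Data Exfil!` command in this demo relies on.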
Planned:
- Support for macOS & Windows
- Add more features
- Extend to other IDEs
To contribute, simply fork this repo, make changes and create a pull request.
If you like this tool please consider giving a ⭐.