BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.securityfest.com//2026//talk//D9ZPZD
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-2026-D9ZPZD@cfp.securityfest.com
DTSTART;TZID=CET:20260528T103000
DTEND;TZID=CET:20260528T111000
DESCRIPTION:Visual Studio Code has become the de-facto IDE for millions of 
 developers\, and its extension marketplace is now a first-class target for
  supply-chain compromise. In this talk we move beyond yesterday’s JavaSc
 ript-only “theme” backdoors and show how to fuse high-level TypeScript
  with low-level Rust to create extensions that are indistinguishable from 
 legitimate Microsoft-signed add-ons—yet silently execute native x86_64 s
 hellcode inside the IDE process.\n\nWe begin with a data-driven tour of re
 cent in-the-wild incidents: the [Material Theme extension with vulnerable 
 dependencies](https://www.koi.ai/blog/a-wolf-in-dark-mode-the-malicious-vs
 -code-theme-that-fooled-millions)\, the “Solidity” extension that stol
 e $500 k in crypto from a Russian blockchain developer\, and the [new self
 -propagating GlassWorm extension](https://www.truesec.com/hub/blog/glasswo
 rm-self-propagating-vscode-extension). The rise of AI-centric forks (Curso
 r\, Windsurf\, etc.) has also given rise to new extension marketplaces whe
 re malicious extensions can use inflated download counts to serve as perf
 ect camouflage. Next we deep-dive into the malicious extension toolchain: 
 a Rust FFI bridge that compiles to a library\, exposes a single innocent-l
 ooking TypeScript API\, and preserves the marketplace’s blue “verified
 ” tick. We demonstrate live how to backdoor a top-10 Microsoft-published
  extension so that every subsequent update remains functionally identical 
 while the Rust payload executes shellcode—without triggering Windows De
 fender\, AMSI\, or the new Extension Host sandbox.\n\nWe close with defens
 ive takeaways: IoCs and TTPs to look for\, defensive rules which can preve
 nt such attacks and possible detection vectors. Attendees leave with a ful
 ly annotated GitHub repo that walks them through the process of developing
  such malware - starting with a "hello-world" C++ addon and building a ste
 althy Rust-based shellcode loader backdoored into a popular Microsoft exte
 nsion.
DTSTAMP:20260625T183830Z
LOCATION:Main Stage
SUMMARY:From Code to Compromise: Turning modern day IDEs into attack vector
 s via malicious Extensions - Debjeet Banerjee
URL:https://cfp.securityfest.com/2026/talk/D9ZPZD/
END:VEVENT
END:VCALENDAR
