Summary
This extension (Zignd.html-css-class-completion, Visual Studio Marketplace) silently crawls all HTML files in the workspace — including unopened files — and initiates network requests to every external URL it finds. This behavior triggers uncontrolled, extremely high rates of outbound traffic without user interaction, and without any throttling or validation.
During testing, we observed over 100,000 network requests in under a minute. On a larger scale, such behavior could inadvertently cause major operational issues, expose users to security risks, and potentially facilitate denial-of-service (DoS) attacks against third-party targets through request amplification.
Disclaimer
We are not alleging malice or intent. This report only presents observed behaviors and the associated risks.
Background Context
This behavior was discovered while working on a project involving the recovery and reconstruction of a legacy website, the domain of which had been poached for its exceptional SEO in early 2024. The domain is now monetized through low-effort, high-volume referral scams, while mimicking every last URL and file structure of the former site.
The attackers heavily rely on redirects to funnel users across multiple domains under their control — a detail that will become important later.
As part of our project, we recovered substantial static HTML and CSS files from the original site, storing them locally within a broader project workspace. We began the project on 2025-04-15 and initially opened only a handful of files for examination.
Importantly, the behavior described here does not require any of the files to be opened — presence alone is sufficient.
For completeness: the workspace was marked as Trusted in VS Code.
First Observations
The first anomaly was detected through Little Snitch, a macOS application-layer firewall.
Shortly after downloading the files, Little Snitch flagged a massive burst of outbound network traffic. This initially went unnoticed until several hours later, by which point the outbound data had more than tripled the size of the downloaded files.
The destination matched the new redirect domain associated with the compromised legacy site, raising concerns of silent data exfiltration to a potential command-and-control (C2) server.
Initial attempts to block the IPs directly were abandoned due to their use of Cloudflare infrastructure. Instead, we blocked the domain at the DNS level via Little Snitch and moved on — until today, when the problem re-emerged.
Relation to the Extension
Approximately 10 days have passed since our initial observation. To be honest (and, admittedly, maybe too optimistic), we had nearly forgotten about the incident.
Today, we observed the following in the Little Snitch network monitor:
10 minutes: 57,539 connections denied.
Though not fully depicted in the screenshot, these connections clearly originated from VS Code, Electron, and the VS Code Helper process(es). To investigate what was going on with VS Code, we set the log level to trace, let it run for a few minutes, and reloaded the VS Code window ([CMD] + [SHIFT] + [P] → Developer: Reload Window) a few times.
What we discovered was both frustrating and absurd. The timestamps below span roughly 2000 log lines, almost uniform in their debug and trace output:
This pattern continued by the thousands.
The network monitor revealed an even more shocking scale:
1,107,045 connections allowed.
574,587 denied.
Confirming the Source of the Problem
Unfortunately, the traces and debug logs do not provide clear attribution to the originating extension or code.
We conducted an extension bisect — nearly working through all ~140 installed extensions — to finally determine the culprit. Once identified, the cause became obvious.
To confirm the extension was indeed the source of the problem, we simply toggled it from enabled to disabled a handful of times — each time, we were immediately met with a burst of traffic.
Explanation and Suspected Cause
The extension, as described in its documentation, is designed to scan HTML and template files for CSS class names to offer intelligent completions based on detected values.
Our investigation revealed that the extension was silently crawling these files without any of them being opened or interacted with whatsoever. It parsed their contents and attempted to fetch styles from each URL it found — though this behavior does not appear to be documented, based on our cursory review.
Given the project context described above, and the way the sites are configured — with aggressive redirects to additional domains owned by the attacker — this effectively triggered an endless loop.
One would expect some kind of throttling mechanism to prevent this. An internal mechanism for detecting such extreme traffic would be beneficial, and should really be implemented in VS Code directly, so that extensions aren't prone to this kind of behavior, whether accidental or otherwise.
Highlighting the Risk
To put this in perspective and illustrate the significant threat this represents — albeit under an exceptionally particular set of circumstances — consider the following:
In our investigation, we observed that the extension:
Scans all HTML files in the workspace, regardless of whether they are open, modified, or even recently accessed.
Parses those files for any external URLs — commonly found in, e.g., <link rel="stylesheet"> tags.
Initiates network requests to each URL, without any rate limiting, validation, or caching, seemingly throttled only by the capabilities of the underlying system.
Performs these fetches upon loading of the window, not just on file interaction.
Generated 99,021 outbound HTTP requests in 47 seconds, with no user interaction.
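The list above describes an unguarded crawler. As an added example (not part of this report and not the extension's own code, which has not been reviewed here), the following JavaScript sketch shows the controls one would expect such a crawler to have: one fetch per distinct URL per run, a redirect-chain cap with loop detection, and a hard per-run request ceiling. The hostnames, HTML files and the fetchFn stub are constructed so that the example runs offline.

```javascript
// Added example, not the extension's code: a guarded workspace stylesheet crawler.
// Network access is injected so it runs offline against a constructed redirect loop.
const LINK_RE = /<link\b[^>]*>/gi;
const HREF_RE = /\bhref\s*=\s*["']([^"']+)["']/i;
const REL_RE = /\brel\s*=\s*["']stylesheet["']/i;
// Absolute http(s) stylesheet URLs in one HTML document (relative/malformed hrefs are skipped).
function extractStylesheetUrls(html) {
  const urls = new Set();
  for (const [tag] of html.matchAll(LINK_RE)) {
    const href = HREF_RE.exec(tag);
    if (!REL_RE.test(tag) || !href) continue;
    try { const u = new URL(href[1]); if (/^https?:$/.test(u.protocol)) urls.add(u.href); }
    catch { /* new URL() threw: nothing external to fetch */ }
  }
  return [...urls];
}
// Fetch each distinct URL once per run, stop a redirect chain that revisits a URL
// or exceeds maxRedirects, and never exceed maxRequests for the whole run.
// fetchFn(url) returns {status, location?}; a real crawler would await fetch() here.
function crawlStylesheets(files, fetchFn, { maxRedirects = 5, maxRequests = 500 } = {}) {
  const seen = new Set(), stats = { requests: 0, fetched: 0, deduped: 0, loops: 0 };
  for (const html of files) {
    for (let url of extractStylesheetUrls(html)) {
      if (seen.has(url)) { stats.deduped++; continue; }
      const chain = new Set();                     // URLs visited for this one link
      while (stats.requests < maxRequests) {
        if (chain.has(url) || chain.size > maxRedirects) { stats.loops++; break; }
        chain.add(url); seen.add(url); stats.requests++;
        const res = fetchFn(url);
        if (res.status >= 300 && res.status < 400 && res.location) { url = new URL(res.location, url).href; continue; }
        stats.fetched++; break;
      }
    }
  }
  return stats;
}
// Constructed offline network (placeholder hosts): two hosts redirect to each other forever, one
// serves CSS. Constructed workspace: the looping URL is in both files; one link is relative, one is not a stylesheet.
const FAKE_NET = {
  'https://redirector-a.example/site.css': { status: 302, location: 'https://redirector-b.example/site.css' },
  'https://redirector-b.example/site.css': { status: 302, location: 'https://redirector-a.example/site.css' },
  'https://cdn.example/main.css': { status: 200 },
};
const fakeFetch = (url) => FAKE_NET[url] || { status: 404 };
const WORKSPACE = [
  '<link rel="stylesheet" href="https://redirector-a.example/site.css"><link rel="icon" href="https://cdn.example/i.png">',
  '<link href="https://cdn.example/main.css" rel="stylesheet"><link rel="stylesheet" href="https://redirector-a.example/site.css"><link rel="stylesheet" href="/local.css">',
];
```

Running `crawlStylesheets(WORKSPACE, fakeFetch)` issues three requests in total: two before the redirect loop is recognised and one for the real stylesheet, with the repeated URL in the second file deduplicated rather than re-fetched.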
Given that this extension has approximately 8.9 MILLION users according to the Visual Studio Marketplace statistics, we can infer the following based on our network logs and the observed connection rate:
Impact Metrics
Total Requests: 77,224
Duration: 47.0 seconds
Average Rate: 1,643.1 requests/second
Potential Load at Scale (if 1% of 8.9M users affected): 146,232,681 requests/second
For added emphasis, while testing to confirm the extension to be the source of this extreme traffic, and reloading the VS Code UI multiple times (which seems to trigger these bursts), the sheer velocity and magnitude of the requests actually crashed Little Snitch. For a well-regarded commercial firewall application to be overwhelmed in this manner is deeply concerning.
As a final note: Our initial investigation into the actors responsible for these types of attacks (the poached domains and referral scams) has already uncovered approximately 50 additional clones they've deployed — all packaging the same shady Thai casino referral scams, proliferated through stolen SEO.
If there is any interest in further clarification, or a more detailed investigation, we would be happy to help.
This report was submitted by Blockmage Ltd as part of our ongoing efforts to improve cybersecurity awareness across the ecosystem.