Loophole allows threat actors to claim VS Code extension names
Aug. 29, 2025, 9:17 a.m.
Description
A loophole in the VS Code Marketplace allows malicious actors to reuse the names of removed extensions. ReversingLabs discovered this vulnerability after finding a malicious extension with the same name as one it had previously identified. The platform's documentation states that extension names must be unique, but the names of removed extensions can be reused. This poses a risk of threat actors publishing malicious extensions under previously legitimate names. The research team conducted experiments to confirm the vulnerability, successfully publishing extensions under the names of removed extensions. The same technique has been observed on other open-source platforms, such as PyPI. The discovery highlights the increasing popularity of the VS Code Marketplace among malicious actors and the need for developers to be vigilant about package security.
Date
- Created: Aug. 29, 2025, 1:02 a.m.
- Published: Aug. 29, 2025, 1:02 a.m.
- Modified: Aug. 29, 2025, 9:17 a.m.