A malicious Visual Studio Code extension named “susvsex” was discovered with built-in ransomware capabilities. Uploaded to the official VS Code Marketplace, it could zip, upload, and encrypt user files on launch. Though swiftly removed by Microsoft, the incident raises serious concerns about supply chain security and AI-generated malware.
When Extensions Attack: AI-Crafted VS Code Add-On Packs Ransomware Punch
In a chilling reminder of the growing risks in developer ecosystems, cybersecurity researchers have uncovered a malicious Visual Studio Code extension that contained ransomware-like functionality. The extension, dubbed “susvsex”, was uploaded to the official VS Code Extension Marketplace on November 5, 2025, by a user named “suspublisher18” with the suspicious description “Just testing.”
Key Findings and Critical Takeaways:
Ransomware Behavior Embedded
The extension was designed to automatically zip, upload, and encrypt files from specific directories—C:\Users\Public\testing on Windows and /tmp/testing on macOS—upon first launch.
It activated on any event, including installation or VS Code startup.
AI-Generated and “Vibe-Coded”
Researchers from Secure Annex, including John Tuckner, noted that the extension appeared to be AI-generated, lacking obfuscation or sophisticated evasion techniques.
The term “vibe-coded” was used to describe its rudimentary yet dangerous design.
Microsoft’s Swift Response
Microsoft removed the extension from the marketplace by November 6, just a day after its upload.
The company is now reviewing its extension vetting process to prevent similar threats in the future.
Supply Chain Security Risks
The incident highlights the vulnerabilities in open developer ecosystems, where malicious actors can exploit trust to distribute harmful code.
It underscores the need for stricter code reviews and automated threat detection in extension marketplaces.
Developer Community Alerted
Security experts are urging developers to audit their installed extensions, especially those from unknown publishers.
Organizations are advised to implement extension whitelisting policies and monitor for suspicious behavior.
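One way to act on that advice on a developer workstation, as an added example that is not from the article or from Secure Annex: audit the manifests of installed extensions against a publisher allowlist and flag the traits the susvsex case exhibited (an unknown publisher, eager activation on every event, a placeholder description). The allowlist contents and the default extensions directory are assumptions.

```python
import json
from pathlib import Path

# Constructed allowlist of publisher IDs an organization trusts; replace with
# your own. The real IDs ms-python, ms-vscode and github are illustrative only.
ALLOWED_PUBLISHERS = {"ms-python", "ms-vscode", "github"}


def assess_manifest(manifest: dict, allowed: set = ALLOWED_PUBLISHERS) -> list:
    """Return the reasons one extension's package.json deserves review.

    Heuristics drawn from the susvsex case: a publisher outside the allowlist,
    an activationEvents entry of "*" (run on any event, including startup),
    and a throwaway description such as "Just testing."
    """
    findings = []
    publisher = manifest.get("publisher", "")
    if publisher not in allowed:
        findings.append(f"publisher '{publisher}' is not on the allowlist")
    events = manifest.get("activationEvents") or []
    if "*" in events:
        findings.append("activationEvents contains '*' (activates on every event)")
    description = (manifest.get("description") or "").strip()
    if len(description) < 15:
        findings.append(f"placeholder description: {description!r}")
    return findings


def audit_extensions_dir(root: Path) -> dict:
    """Map 'publisher.name' to its findings for every manifest under root."""
    report = {}
    for manifest_path in sorted(root.glob("*/package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            report[manifest_path.parent.name] = ["unreadable package.json"]
            continue
        ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
        findings = assess_manifest(manifest)
        if findings:
            report[ext_id] = findings
    return report


if __name__ == "__main__":
    # Default per-user extensions directory (assumed); adjust for portable installs.
    for ext_id, reasons in audit_extensions_dir(Path.home() / ".vscode" / "extensions").items():
        print(ext_id)
        for reason in reasons:
            print("  -", reason)
```

An empty report means every installed extension comes from an allowlisted publisher, does not activate on every event, and carries a real description; anything listed should be reviewed before the next VS Code launch.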
Proof-of-Concept or Real Threat?
While some believe the extension was a test or proof-of-concept, its ability to encrypt files makes it a serious security concern, regardless of intent.
This breach serves as a wake-up call: even trusted platforms like VS Code are not immune to supply chain attacks. Developers must stay vigilant, and platforms must evolve to meet the AI-era threat landscape.
Sources: The Hacker News, CyberTech Nexus