Cybersecurity researchers have discovered a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities. The extension, “susvsex,” was uploaded to the official VS Code Extension Marketplace on November 5, 2025, by a user named “suspublisher18.” It makes no attempt to hide its malicious functionality: it automatically zips, uploads, and then encrypts the files in a hardcoded directory.
The extension uses GitHub as its command-and-control (C2) channel, polling a private repository for new commands and executing whatever it finds there. Both the decryption key and the access token for that repository are hardcoded in the extension, so anyone who extracts the token can push their own commands to every infected machine, and anyone with the key can recover the encrypted files. Microsoft removed the extension from the marketplace on November 6, 2025.
Separately, researchers flagged malicious npm packages that deliver Vidar Stealer, an information-stealing malware family. The packages were published by accounts named “aartje” and “saliii229911” and were downloaded at least 2,240 times before they were taken down. The attack chain is simple: a postinstall script, which npm runs automatically during installation without the developer ever importing the package, downloads a ZIP archive and executes the Vidar binary inside it.
Developers are urged to vet packages before installing them: review changelogs and install-time lifecycle scripts (or install with npm's --ignore-scripts flag and opt in per package), and watch for techniques such as typosquatting and dependency confusion. Both incidents show how much the security of the open-source ecosystem depends on that diligence.
Source: https://thehackernews.com/2025/11/vibe-coded-malicious-vs-code-extension.html