- Malicious VS Code extension ‘susvsex’ acted as ransomware and used GitHub for command control
- Extension appeared AI-generated, with embedded decryption keys and suspicious metadata
- Microsoft removed it after public pressure, raising concerns about marketplace review gaps
A malicious extension was published on Microsoft’s official VS Code marketplace, and was able to remain there for some time gathering downloads and infecting people’s computers.
Security researcher John Tuckner from Secure Annex found and reported the extension to Microsoft, noting the extension worked as ransomware and to make matters worse, made it “blatantly malicious” by stating, in the description, exactly what it does: “VS Code extension that automatically zips, uploads, and encrypts files from C:\Users\Public\testing on Windows.”
He also explained that the extension, called ‘susvsex’, utilized GitHub as a command-and-control channel and that it was obviously vibe-coded (written with the help of AI and natural language prompts instead of throughlines of code). Some of the evidence of the extension being AI generated included the developer leaving decryption tools and keys in the extension package.
Vibe coded malware
“Many of these values have comments which indicate that the code was not written directly by the publisher and very likely generated through AI,” Tuckner added.
Since the metadata in the code pointed to a GitHub user in Baku, the researcher speculated that the attacker is located in Azerbaijan. BleepingComputer also argued that the extension, since it was so obviously malicious, could have been just a test of Microsoft’s Visual Studio Marketplace’s review process, in preparation of a more sinister, better obfuscated attack.
Ironically enough, Microsoft at first ignored Tuckner’s report and did not remove it from the VS Code registry. Roughly eight hours after the blog post was published, Tuckner posted a tweet, saying “I tried. No response from ‘Report abuse’ on the marketplace listing yet. Extension is still available.”
However, it seems that Microsoft did respond in the meantime, since the extension’s URL now leads to a “404 – Page not found” site.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
