Malicious AI-made extension with ransomware capabilities sneaks on to Microsoft's official VS Code marketplace - so devs beware
It dwelled there for a little while
- Malicious VS Code extension ‘susvsex’ acted as ransomware and used GitHub for command and control
- Extension appeared AI-generated, with embedded decryption keys and suspicious metadata
- Microsoft removed it after public pressure, raising concerns about marketplace review gaps
A malicious extension was published on Microsoft’s official VS Code marketplace, and was able to remain there for some time gathering downloads and infecting people’s computers.
Security researcher John Tuckner from Secure Annex found and reported the extension to Microsoft, noting that it worked as ransomware and that, to make matters worse, its publisher made it “blatantly malicious” by stating, in the description, exactly what it does: “VS Code extension that automatically zips, uploads, and encrypts files from C:\Users\Public\testing on Windows.”
He also explained that the extension, called ‘susvsex’, utilized GitHub as a command-and-control channel and that it was obviously vibe-coded (written with the help of AI and natural language prompts instead of through lines of code). Evidence that the extension was AI-generated included the developer leaving decryption tools and keys in the extension package.
Vibe-coded malware
“Many of these values have comments which indicate that the code was not written directly by the publisher and very likely generated through AI,” Tuckner added.
Since the metadata in the code pointed to a GitHub user in Baku, the researcher speculated that the attacker is located in Azerbaijan. BleepingComputer also argued that the extension, since it was so obviously malicious, could have been just a test of the review process of Microsoft’s Visual Studio Marketplace, in preparation for a more sinister, better obfuscated attack.
Ironically enough, Microsoft at first ignored Tuckner’s report and did not remove the extension from the VS Code registry. Roughly eight hours after the blog post was published, Tuckner posted a tweet, saying “I tried. No response from 'Report abuse' on the marketplace listing yet. Extension is still available.”
However, it seems that Microsoft did respond in the meantime, since the extension’s URL now leads to a “404 - Page not found” site.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.