- Malicious VS Code extension ‘susvsex’ acted as ransomware and used GitHub for command and control
- The extension appeared to be AI-generated, with embedded decryption keys and suspicious metadata
- Microsoft removed it after public pressure, raising concerns about gaps in the marketplace review
A malicious extension was published on Microsoft’s official VS Code marketplace and was able to remain there for some time collecting downloads and infecting people’s computers.
Security researcher John Tuckner of Secure Annex found the extension and reported it to Microsoft, noting that it functioned as ransomware. To make matters worse, it was “blatantly malicious”, stating in its description exactly what it does: “VS Code extension that automatically compresses, uploads and encrypts files from C:\Users\Public\testing on Windows.”
He also explained that the extension, called ‘susvsex’, used GitHub as a command and control channel and was obviously vibe coded (written with the help of AI and natural language prompts instead of lines of code). Some of the evidence that the extension was generated by AI was that the developer left decryption tools and keys in the extension package.
Vibe-coded malware
“Many of these values have comments indicating that the code was not written directly by the editor and most likely generated through AI,” Tuckner added.
Since the code’s metadata pointed to a GitHub user in Baku, the researcher speculated that the attacker is located in Azerbaijan. He also argued that the extension, since it was obviously malicious, could have just been a test of Microsoft’s Visual Studio Marketplace review process, in preparation for a more sinister and better obfuscated attack.
Ironically, Microsoft initially ignored Tuckner’s report and did not remove it from the VS Code registry. About eight hours after the blog post was published, Tuckner posted a tweet saying, “Tried. Still no ‘Report Abuse’ response listed in the marketplace. Extension still available.”
However, it appears that Microsoft has responded in the meantime, as the extension’s URL now leads to a “404 – Page Not Found” page.
Via BleepingComputer




