- Malicious VS Code extension ‘susvsex’ acted as ransomware and used GitHub for command and control
- The extension appeared to be AI-generated with embedded decryption keys and suspicious metadata
- Microsoft removed it after public pressure, raising concerns about gaps in marketplace reviews
A malicious extension was published on Microsoft’s official VS Code marketplace and was able to remain there for some time, collecting downloads and infecting people’s computers.
Security researcher John Tuckner of Secure Annex found and reported the extension to Microsoft, noting that it acted as ransomware and, to make matters worse, was “obviously malicious”, since its description stated exactly what it does: “VS Code extension that automatically zips, uploads, and encrypts files from C:\Users\Public\testing on Windows.”
He also explained that the extension, called ‘susvsex’, used GitHub as a command-and-control channel and was, naturally, vibe-coded (written using AI and natural-language prompts instead of hand-written lines of code). Evidence that the extension was AI-generated included decryption tools and keys that the developer left in the extension package.
Vibe-coded malware
“Many of these values have comments indicating that the code was not written directly by the publisher and very likely generated through AI,” Tuckner added.
Since the metadata in the code pointed to a GitHub user in Baku, the researcher speculated that the attacker is located in Azerbaijan. Bleeping Computer also argued that the extension, being so obviously malicious, could only have been a test of Microsoft’s Visual Studio Marketplace review process, in preparation for a more sinister, better-obfuscated attack.
Ironically, Microsoft initially ignored Tuckner’s report and did not remove the extension from the VS Code registry. About eight hours after the blog post was published, Tuckner sent out a tweet saying “I tried. No response from ‘Report Abuse’ on the marketplace list yet. Extension still available.”
However, it seems Microsoft responded in the meantime, as the extension’s URL now leads to a “404 – Page not found” page.
Via Bleeping Computer



