Cybersecurity agency ReversingLabs (RL) has detected a complicated, long-running marketing campaign concentrating on builders on the Visible Studio Code (VS Code) Market. In complete, 19 malicious extensions have been discovered hiding a Trojan, with the marketing campaign energetic since February 2025 and found on December 2.
On your info, VS Code is a key instrument for a lot of builders, making its Market, the place extensions (add-on options) are distributed, a chief goal for cybercriminals. These findings got here simply a few weeks after a faux “Prettier” extension on the identical market was noticed dropping Anivia Stealer.
The Dependency Trick
In response to RL Risk Researcher Petar Kirhmajer, the attackers used a traditional Trojan approach the place malicious software program is disguised as one thing innocent. On this case, the malware was hidden inside an extension’s dependency folder, which is a vital pre-packaged code an extension must run easily.
Attackers made a wise transfer. As an alternative of including new code, they tampered with a extremely widespread, trusted dependency known as path-is-absolute, which has gathered over 9 billion downloads since 2021.
By modifying this trusted bundle earlier than bundling it into their rogue extensions, they added new code. This new code’s solely job was to run instantly upon VS Code startup and decode a JavaScript dropper hidden in an inner file named lock. Which means customers who blindly trusted the favored title within the dependency record wouldn’t discover something regarding.
A Pretend PNG File
The ultimate and most misleading stage concerned a file named banner.png. Though the .png extension suggests a typical picture file, RL researchers famous that it was merely a disguise. When making an attempt to open it with a traditional photograph viewer, it confirmed an error message.
Additional investigation revealed that banner.png was not a picture however an archive containing two malicious binaries (the core elements of the malware). The decoded dropper then used the native Home windows instrument cmstp.exe to launch these binaries. The bigger of the 2 is a posh Trojan, although its actual assault capabilities are nonetheless beneath evaluate.
It’s value noting that a number of different malicious extensions within the marketing campaign used a special dependency (@actions/io) and didn’t depend on the faux PNG file, splitting the binaries into separate .ts and .map recordsdata as an alternative.
This analysis, revealed on December 10, 2025, and shared with Hackread.com, reveals a speedy enhance in threats. Within the first ten months of 2025, malicious VS Code detections nearly quadrupled, rising from 27 in 2024 to 105 this 12 months.
Researchers confirmed that each one of many flagged extensions has been reported to Microsoft. Builders are urged to totally examine extensions, particularly these with low downloads or few opinions, earlier than set up.
