Cybersecurity agency ReversingLabs (RL) has detected a classy, long-running marketing campaign concentrating on builders on the Visible Studio Code (VS Code) Market. In whole, 19 malicious extensions had been discovered hiding a Trojan, with the marketing campaign lively since February 2025 and found on December 2.
In your data, VS Code is a key device for a lot of builders, making its Market, the place extensions (add-on options) are distributed, a primary goal for cybercriminals. These findings got here simply a few weeks after a faux “Prettier” extension on the identical market was noticed dropping Anivia Stealer.
The Dependency Trick
In accordance with RL Menace Researcher Petar Kirhmajer, the attackers used a basic Trojan method the place malicious software program is disguised as one thing innocent. On this case, the malware was hidden inside an extension’s dependency folder, which is a crucial pre-packaged code an extension must run easily.
Attackers made a sensible transfer. As an alternative of including new code, they tampered with a extremely fashionable, trusted dependency referred to as path-is-absolute, which has gathered over 9 billion downloads since 2021.
By modifying this trusted bundle earlier than bundling it into their rogue extensions, they added new code. This new code’s solely job was to run instantly upon VS Code startup and decode a JavaScript dropper hidden in an inner file named lock. Which means customers who blindly trusted the favored title within the dependency listing wouldn’t discover something regarding.
A Pretend PNG File
The ultimate and most misleading stage concerned a file named banner.png. Though the .png extension suggests a typical picture file, RL researchers famous that it was merely a disguise. When trying to open it with a standard picture viewer, it confirmed an error message.
Additional investigation revealed that banner.png was not a picture however an archive containing two malicious binaries (the core elements of the malware). The decoded dropper then used the native Home windows device cmstp.exe to launch these binaries. The bigger of the 2 is a posh Trojan, although its actual assault capabilities are nonetheless below evaluation.
It’s price noting that a number of different malicious extensions within the marketing campaign used a distinct dependency (@actions/io) and didn’t depend on the faux PNG file, splitting the binaries into separate .ts and .map recordsdata as an alternative.
This analysis, revealed on December 10, 2025, and shared with Hackread.com, reveals a speedy improve in threats. Within the first ten months of 2025, malicious VS Code detections nearly quadrupled, rising from 27 in 2024 to 105 this 12 months.
Researchers confirmed that each one of many flagged extensions has been reported to Microsoft. Builders are urged to totally examine extensions, particularly these with low downloads or few evaluations, earlier than set up.
