The latest wave also impersonates widely used developer tools to maximise the chance of installation. “The extensions overwhelmingly impersonate widely installed developer utilities: linters and formatters like ESLint and Prettier, code runners, standard language tooling for Angular, Flutter, Python, and Vue, and common quality-of-life extensions like vscode-icons, WakaTime, and Higher Feedback,” the researchers said. “Notably, the campaign also targets AI developer tooling, with extensions focusing on Claude Code, Codex, and Antigravity.”
The researchers added that, as of March 13, Open VSX had removed the vast majority of the transitively malicious extensions, but several remained live, indicating that takedowns were still ongoing.
Socket published indicators of compromise (IOCs) tied to the campaign, including the names of dozens of malicious Open VSX extensions and the associated publisher accounts believed to be linked to the operation. The researchers also recommend treating extension dependencies with the same scrutiny typically applied to software packages. Organizations should monitor extension updates, audit dependency relationships, and restrict installation to trusted publishers where possible, as attackers increasingly exploit the developer tooling ecosystem as a supply-chain entry point.
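As an added illustration of that dependency audit (example code, not from Socket's report), the following Python script parses extension manifests, follows `extensionDependencies` transitively, and flags any extension in the chain whose publisher is outside an allowlist. The manifests, publisher names and allowlist are constructed for the example; on a real machine the same logic would read each `~/.vscode/extensions/*/package.json`.

```python
import json
from typing import Dict, List, Set

# Constructed sample manifests (not real extensions): the raw package.json text of
# three installed extensions, keyed by "publisher.name" as VS Code and Open VSX
# identify them. On a real machine, read ~/.vscode/extensions/*/package.json instead.
SAMPLE_MANIFESTS = {
    "trusted-pub.formatter-pro": json.dumps({
        "publisher": "trusted-pub", "name": "formatter-pro",
        "extensionDependencies": ["unknown-pub.helper-pack"],
    }),
    "unknown-pub.helper-pack": json.dumps({
        "publisher": "unknown-pub", "name": "helper-pack",
        # a back-edge to the root, so the walker must tolerate cycles
        "extensionDependencies": ["other-pub.runtime-bits", "trusted-pub.formatter-pro"],
    }),
    "other-pub.runtime-bits": json.dumps({"publisher": "other-pub", "name": "runtime-bits"}),
}

def load_manifests(raw: Dict[str, str]) -> Dict[str, dict]:
    """Parse each package.json text; the dict key is the extension id."""
    return {ext_id: json.loads(text) for ext_id, text in raw.items()}

def transitive_deps(manifests: Dict[str, dict], ext_id: str) -> Set[str]:
    """Every extension ext_id pulls in via extensionDependencies, at any depth.
    Ids not installed locally are still returned, since the editor fetches them."""
    seen: Set[str] = set()
    stack = list(manifests.get(ext_id, {}).get("extensionDependencies", []))
    while stack:
        dep = stack.pop()
        if dep == ext_id or dep in seen:  # cycle or already visited
            continue
        seen.add(dep)
        stack.extend(manifests.get(dep, {}).get("extensionDependencies", []))
    return seen

def audit_extensions(manifests: Dict[str, dict], trusted: Set[str]) -> Dict[str, List[str]]:
    """Map each installed extension to the ids in its dependency chain (itself
    included) whose publisher is not on the allowlist; clean roots are omitted."""
    report: Dict[str, List[str]] = {}
    for ext_id in manifests:
        chain = {ext_id} | transitive_deps(manifests, ext_id)
        # the publisher is the part of "publisher.name" before the first dot
        flagged = sorted(d for d in chain if d.split(".", 1)[0] not in trusted)
        if flagged:
            report[ext_id] = flagged
    return report

if __name__ == "__main__":
    for root, bad in audit_extensions(load_manifests(SAMPLE_MANIFESTS), {"trusted-pub"}).items():
        print(f"{root}: untrusted publishers in dependency chain -> {', '.join(bad)}")
```

Note that the trusted-looking root extension is flagged only because of what it pulls in, which is the transitive pattern the campaign relies on.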

