- Malicious VS Code extension “susvsex” acted as ransomware and used GitHub for command and control
- The extension appears to be AI-generated, with embedded decryption keys and suspicious metadata
- Microsoft removed it under public pressure, raising concerns about shortcomings in marketplace review
A malicious extension was published on Microsoft’s official VS Code marketplace and was able to stay there for some time, gathering downloads and infecting users’ computers.
Security researcher John Tuckner of Secure Annex found and reported the extension to Microsoft, noting that it functioned like ransomware and, to make matters worse, was “obviously malicious”: its description stated exactly what it does: “VS Code extension that automatically compresses, downloads, and encrypts files from C:\Users\Public\testing on Windows.”
He also explained that the extension, called “susvsex”, used GitHub as a command and control channel and was obviously vibe coded (written using AI and natural language prompts instead of lines of code). Evidence that the extension was AI-generated includes the fact that the developer left decryption tools and keys in the extension package.
Vibe-coded malware
“Many of these values have comments that indicate the code was not written directly by the publisher and most likely generated via AI,” Tuckner added.
Since the code’s metadata pointed to a GitHub user in Baku, the researcher speculated that the attacker was in Azerbaijan. BleepingComputer also argued that the extension, given that it was obviously malicious, might have been just a test of Microsoft’s Visual Studio Marketplace review process, in preparation for a more sinister and better-concealed attack.
Ironically, Microsoft initially ignored Tuckner’s report and did not remove it from the VS Code registry. About eight hours after the blog post was published, Tuckner posted a tweet saying “I tried. No responses from ‘Report Abuse’ on the marketplace listing yet. The extension is still available.”
However, it seems that Microsoft has responded in the meantime, since the URL of the extension now leads to a “404 – Page not found” page.
Via BleepingComputer




