
Security / Malware

Malicious VS Code Extension and NPM Packages Target Developers

The software development ecosystem is facing increased threats from malicious actors. Recent incidents involve a VS Code extension with ransomware capabilities and NPM packages distributing information-stealing malware, highlighting the imp...

Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities

Image: Malicious VS Code Extension and NPM Packages Target Developers (via The Hacker News)

Key Insights

  • A malicious VS Code extension named 'susvsex' was found on the official marketplace with built-in ransomware capabilities. It was quickly removed after being flagged.
  • The extension, seemingly created with AI assistance ('vibe-coded'), exfiltrates and encrypts files.
  • 17 trojanized NPM packages were discovered distributing the Vidar Stealer, marking the first time this infostealer has been spread via the NPM registry.
  • These packages were downloaded at least 2,240 times before being taken down, though many downloads may have been automated.

In-Depth Analysis

### VS Code Extension with Ransomware

A researcher discovered a VS Code extension ('susvsex') that openly advertised its malicious intent. The extension was designed to zip, upload, and encrypt files from specific directories on Windows and macOS systems upon installation or launch. It also used a private GitHub repository for command-and-control (C2) operations. The developer inadvertently included decryption tools and C2 server code, making it easier to analyze and potentially counter the threat.

### Trojanized NPM Packages

Datadog Security Labs identified 17 NPM packages designed to execute the Vidar Stealer on infected systems. The attack chain involves a post-install script that downloads a ZIP archive from an external server and executes the Vidar executable. Some variants used PowerShell scripts to download the ZIP archive, followed by a JavaScript file to complete the attack. This discovery highlights the need for developers to scrutinize package contents and post-install scripts carefully.

### How to Prepare

  • **Verify Package Integrity:** Always check the publisher and maintainer reputation before installing any VS Code extension or NPM package.
  • **Review Changelogs:** Carefully examine changelogs for any unusual or unexpected changes.
  • **Use Package Scanners:** Implement automated tools to scan for malicious code in dependencies.
  • **Limit Permissions:** Configure development environments with the least necessary privileges.

### Who This Affects Most

Software developers, DevOps engineers, and organizations that rely on open-source components are most vulnerable to these types of attacks. The impact can range from data theft and system compromise to supply chain contamination, affecting downstream users of the compromised software.


FAQ

What is a supply chain attack?

A supply chain attack targets vulnerabilities in the software development and distribution process to compromise systems or data.

How can I protect myself from malicious packages?

Verify package integrity, review changelogs, use package scanners, and limit permissions in your development environment.

Takeaways

  • Supply chain attacks are becoming increasingly common and sophisticated. Developers should exercise caution when installing third-party extensions and packages, and organizations should implement robust security measures to detect and prevent these attacks. Key actions include verifying package integrity, reviewing changelogs, and using automated package scanners.

Discussion

Do you think the software development community is doing enough to combat supply chain attacks? Share your thoughts in the comments below!


Disclaimer

This article was compiled by Yanuki using publicly available data and trending information. The content may summarize or reference third-party sources that have not been independently verified. While we aim to provide timely and accurate insights, the information presented may be incomplete or outdated.

All content is provided for general informational purposes only and does not constitute financial, legal, or professional advice. Yanuki makes no representations or warranties regarding the reliability or completeness of the information.

This article may include links to external sources for further context. These links are provided for convenience only and do not imply endorsement.

Always do your own research (DYOR) before making any decisions based on the information presented.