Vibe-coded Malicious Vs Code Extension Found With Built-in...
Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded.
Secure Annex researcher John Tuckner, who flagged the extension "susvsex," said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named "suspublisher18" along with the description "Just testing" and the email address "donotsupport@example[.]com."
"Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch," reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace.
According to details shared by "suspublisher18," the extension is designed to automatically activate itself on any event, including installing or when launching VS Code, and invoke a function named "zipUploadAndEncrypt," which creates a ZIP archive of a target directory, exfiltrates it to a remote server, and replaces the files with their encrypted versions.
"Fortunately, the TARGET_DIRECTORY is configured to be a test staging directory so it would have little impact right now, but is easily updated with an extension release or as a command sent through the C2 channel covered next," Tuckner said.
Besides encryption, the malicious extension also uses GitHub as command-and-control (C2) by polling a private GitHub repository for any new commands to be executed by parsing the "index.html" file. The results of the command execution are written back to the same repository in the "requirements.txt" file using a GitHub access token embedded in the code.
The GitHub account associated with the repository – aykhanmv – continues to be active, with the developer claiming to be from the city of Baku, Azerbaijan.
"Extraneous comments which detail functionality, README files with execution instructions, and placeholder variables are clear signs of 'vibe-coded' malware," Tuckner said. "The extension package accidentally included decryption tools, command and control server code, GitHub access keys to the C2 server, which other people could use to take over the C2."
The disclosure comes as Datadog Security Labs unearthed 17 npm packages that masquerade as benign software development kits (SDKs) and provide the advertised functionality, but are engineered to stealthily exe
Source: The Hacker News
