Links
This article analyzes a malicious Visual Studio Code extension that implements ransomware-like behavior. It highlights how the extension encrypts files, uploads sensitive data, and communicates with a command and control server via a private GitHub repository. The piece questions how such obvious malware passed the marketplace review.
A fake VS Code extension called "ClawdBot Agent" was found to be a trojan that installs malware on Windows machines without user interaction. Although it appeared legitimate, it secretly connected to a remote server to deliver malicious payloads. The investigation reveals sophisticated tactics and multiple layers of redundancy in the attack.
Security researchers identified and removed a fake VSCode extension masquerading as Prettier. The extension was designed to deploy Anivia Stealer malware, but swift action limited its impact to just a handful of users. Developers are warned to be cautious with third-party tools.
North Korean hackers are using malicious Microsoft Visual Studio Code projects to deliver a backdoor that allows remote code execution. By tricking victims into cloning Git repositories and opening them in VS Code, the attackers exploit task configuration files to run harmful JavaScript payloads. This ongoing campaign targets software engineers, particularly in cryptocurrency and fintech sectors.
Two harmful extensions on the Visual Studio Code Marketplace, Bitcoin Black and Codo AI, steal sensitive information from developers' machines. Published under the name 'BigBlack', they can capture screenshots and credentials and hijack browser sessions. Microsoft has since removed both extensions from the marketplace.
AI-driven IDEs like Cursor and Google Antigravity recommend extensions that may not exist in the OpenVSX registry. This gap allows malicious actors to claim unregistered namespaces and potentially distribute malware. Researchers have reported the issue and taken steps to prevent exploitation.
A set of ten malicious VSCode extensions on the Microsoft Visual Studio Code Marketplace has been found to infect users with the XMRig cryptominer for Monero. These extensions masquerade as legitimate tools and execute a PowerShell script to install the malware while also disabling critical Windows security features. Microsoft has since removed the extensions and blocked the publisher from the marketplace.