
Malicious VS Code Extension with Ransomware Capabilities Identified

The discovery of a malicious extension for Visual Studio Code highlights the growing threat of...
Key Metrics
  • Heat Index
    16.73
  • Impact Level
    Medium
  • Scope Level
    Global
  • Last Update
    2025-11-07
Key Impacts
Positive Impacts (3)
Cybersecurity Sector
Data Backup & Recovery Solutions
Cyber-Insurance Providers
Negative Impacts (3)
Microsoft Corp. (MSFT)
Cloud & DevOps Service Providers
Software Development Tools & IDE Vendors
Total impacts: 6 | Positive: 3 | Negative: 3
Event Overview

The discovery of a malicious extension for Visual Studio Code highlights the growing threat of ransomware delivered through developer tools. The extension made no attempt to conceal its intent, and its construction points to the increasing use of AI in producing such threats and to the sophistication that could follow. The incident underscores the need for stronger security controls around software development environments, in particular vetting of the extensions developers install.

Collect Records
Malicious VS Code Extension Discovered with Ransomware Capabilities
2025-11-07 18:05

A malicious Visual Studio Code (VS Code) extension named 'susvsex', published under the publisher name 'suspublisher18', was found to carry basic ransomware capabilities. It was uploaded on November 5, 2025, by an unknown user and was identified by Secure Annex researcher John Tuckner. The extension made no effort to hide its intent and appears to have been built with the help of artificial intelligence; its listing was described as 'Just testing' and associated with the email address 'donotsupport@example.com'. On first launch it automatically zips and encrypts files from specific directories. Microsoft removed it from the official VS Code Extension Marketplace on November 6. The function named `zipUploadAndEncrypt` is triggered on installation or on VS Code launch: it creates a ZIP archive of a specified test staging directory, uploads the archive to a remote server, and then replaces the original files with encrypted versions. The extension package also inadvertently shipped with the decryption tools, the command-and-control (C2) server code, and GitHub access keys, so anyone who obtained the package could have taken control of the C2.
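The record above describes three traits a defender can check for in any installed extension: activation on every VS Code launch, credentials left inside the package, and the combination of archive, encrypt, write and upload capability that a zip-upload-encrypt routine needs. The following auditor is an added example written for this page; it is not the extension's code, not Secure Annex's tooling, and the sample extension it builds is constructed and fictional (the token is a zero-filled placeholder shaped like a classic GitHub PAT). It assumes the standard extension layout of a `package.json` manifest beside the JavaScript sources, as found under `~/.vscode/extensions/<publisher>.<name>-<version>/`, and its capability and secret patterns are heuristics, not a complete rule set.

```python
"""Audit a VS Code extension directory for broad activation, embedded
credentials and the archive/encrypt/write/upload capability set.
Added example for this page; the sample extension below is constructed."""
import json
import re
import tempfile
from pathlib import Path

# activationEvents values that make the extension run on every VS Code launch
BROAD_ACTIVATION = {"*", "onStartupFinished"}

# Real GitHub token shapes: classic PATs start with ghp_, fine-grained with github_pat_
SECRET_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}"),
}

# Node modules/APIs a "zip, upload, encrypt in place" routine would need (heuristic list)
CAPABILITY_PATTERNS = {
    "archive": re.compile(r"\b(archiver|adm-zip|jszip|zlib)\b"),
    "crypto": re.compile(r"\b(createCipheriv|createCipher|crypto\.subtle)\b"),
    "network": re.compile(r"\b(https?\.request|fetch\(|axios|node-fetch)"),
    "file_write": re.compile(r"\b(writeFileSync|writeFile|unlinkSync|rmSync|renameSync)\b"),
}

SCANNED_SUFFIXES = {".js", ".ts", ".json", ".env", ".txt"}


def audit_extension(ext_dir):
    """Return findings for one extension directory (manifest + sources)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    events = manifest.get("activationEvents", [])
    broad = sorted(e for e in events if e in BROAD_ACTIVATION)

    secrets = []
    capabilities = set()
    for path in ext_dir.rglob("*"):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(text):
                secrets.append((path.name, kind))
        for cap, pat in CAPABILITY_PATTERNS.items():
            if pat.search(text):
                capabilities.add(cap)

    # Heuristic: runs on every launch AND (leaked secrets OR the full
    # archive+encrypt+write+upload set) is the profile described in the record.
    full_set = {"archive", "crypto", "network", "file_write"}
    if broad and (secrets or capabilities >= full_set):
        risk = "high"
    elif broad or len(capabilities) >= 2:
        risk = "medium"
    else:
        risk = "low"
    return {"publisher": manifest.get("publisher"), "name": manifest.get("name"),
            "broad_activation": broad, "secrets": secrets,
            "capabilities": sorted(capabilities), "risk": risk}


def build_sample_extension(root):
    """Write a constructed, fictional extension with the risky traits into root."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    manifest = {"name": "sample-ext", "publisher": "sample-publisher", "version": "0.0.1",
                "main": "./extension.js", "activationEvents": ["*"],
                "engines": {"vscode": "^1.80.0"}}
    (root / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    fake_token = "ghp_" + "0" * 36  # placeholder with a PAT's shape, not a real token
    src = f"""
const fs = require('fs');
const crypto = require('crypto');
const archiver = require('archiver');
const https = require('https');
const TOKEN = "{fake_token}";
function activate() {{
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
  const req = https.request(opts);
  fs.writeFileSync(target, encrypted);
}}
"""
    (root / "extension.js").write_text(src, encoding="utf-8")
    return root


def run_demo():
    """Build the constructed extension in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = build_sample_extension(Path(tmp) / "sample-publisher.sample-ext-0.0.1")
        return audit_extension(ext)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

To run it against a real installation, call `audit_extension` on each subdirectory of `~/.vscode/extensions` (or on an unpacked `.vsix`, which is a ZIP file) and review anything rated medium or high by hand; the heuristics will flag legitimate extensions that archive or upload files, so the output is a triage list, not a verdict.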

Total records: 1