Vibe-Coded VS Code Extension Detected with Ransomware Features

Cybersecurity experts have identified a malicious extension for Visual Studio Code (VS Code) that exhibits basic ransomware features. This extension, named “susvsex,” was flagged by researcher John Tuckner from Secure Annex. Interestingly, it appears to be crafted using artificial intelligence, a phenomenon referred to as ‘vibe-coded.’
Overview of the Malicious Extension
Uploaded on November 5, 2025, by a user known as “suspublisher18,” the extension carried only the vague description “Just testing.” The contact email attached to the listing, “[email protected],” likewise suggested the publisher was not in earnest.
The primary function of the susvsex extension is to automate the zipping, uploading, and encryption of files. On first launch it targets the Windows directory C:\Users\Public\testing or the macOS directory /tmp/testing, making it a potential threat to user data.
Functionality and Activation
The extension is designed to activate under various conditions, including whenever VS Code is launched or the extension is installed. It uses a function named “zipUploadAndEncrypt,” which creates a ZIP file from a specified directory, sends it to a remote server, and then encrypts the original files.
Response from Microsoft
Following these revelations, Microsoft took swift action on November 6, 2025, removing the susvsex extension from its official VS Code Extension Marketplace.
Details of the Malicious Mechanism
- The extension reaches out to a private GitHub repository for commands.
- Extracted commands are executed, and the results are sent back to the same repository.
- The GitHub repository is associated with a user claiming to be from Baku, Azerbaijan.
Tuckner highlights additional traits indicative of vibe-coded malware, including verbose comments throughout the code and an abundance of placeholder variables. Moreover, the extension inadvertently shipped with its own decryption routine and command-and-control (C2) code, posing further risks.
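As an added illustration (not code from the article, from Secure Annex, or from the extension itself), the following Python audit checks an unpacked VS Code extension directory for the traits described above: broad activation events plus source that shells out, polls the GitHub API, builds archives and encrypts data. The indicator list, the directory layout and the sample extension it audits are constructed assumptions, not the real susvsex code.

```python
import json
import re
import tempfile
from pathlib import Path

# Activation events that run an extension without any user action;
# the article notes susvsex activated whenever VS Code was launched.
BROAD_ACTIVATION = {"*", "onStartupFinished"}

# (label, regex) pairs; the combination below is the pattern described
# for susvsex. Assumed heuristics, tune them for your own environment.
INDICATORS = [
    ("spawns shell commands", re.compile(r"\bchild_process\b|\bexecSync?\(|\bspawn\(")),
    ("contacts GitHub API", re.compile(r"api\.github\.com|raw\.githubusercontent\.com")),
    ("encrypts data", re.compile(r"createCipheriv|\.encrypt\(")),
    ("builds archives", re.compile(r"\badm-zip\b|\barchiver\b|\.zip\b")),
]


def audit_extension(ext_dir):
    """Return a sorted list of findings for one unpacked extension directory."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "package.json").read_text())
    findings = []
    broad = set(manifest.get("activationEvents", [])) & BROAD_ACTIVATION
    if broad:
        findings.append(f"broad activation: {sorted(broad)}")
    hits = set()
    for js in ext_dir.rglob("*.js"):
        if "node_modules" in js.parts:  # bundled dependencies are noisy; audit them separately
            continue
        text = js.read_text(errors="ignore")
        hits.update(label for label, pat in INDICATORS if pat.search(text))
    return findings + sorted(hits)


def build_sample(root):
    """Write a constructed sample extension exhibiting all four traits (not real malware)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(json.dumps(
        {"name": "sample-ext", "main": "./extension.js", "activationEvents": ["*"]}))
    (root / "extension.js").write_text(
        'const { execSync } = require("child_process");\n'
        'const AdmZip = require("adm-zip");\n'
        'const crypto = require("crypto");\n'
        'const endpoint = "https://api.github.com/repos/EXAMPLE/EXAMPLE/contents/cmd";\n'
        'crypto.createCipheriv("aes-256-cbc", key, iv);\n')
    return root


def demo():
    """Audit the constructed sample in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extension(build_sample(Path(tmp) / "sample-ext"))


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Pointing audit_extension at each subdirectory of your VS Code extensions folder gives a quick first pass; anything with broad activation and several source indicators deserves manual review.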
Related Threats in the Ecosystem
In a separate but concerning development, Datadog Security Labs uncovered 17 npm packages posing as legitimate software development kits. These packages stealthily deployed Vidar Stealer on compromised systems, marking a significant advance in malware distribution via the npm registry.
Timeline of Discovery
- Initial discovery of compromised packages: October 21, 2025
- Subsequent uploads documented: October 22 and October 26, 2025
Details of the Compromised Packages
The npm packages included names such as:
- abeya-tg-api
- bael-god-api
- custom-telegram-bot-api
- telegram-bot-starter
- (and several others)
Though the accounts responsible have been banned, these packages were downloaded over 2,240 times before removal.
Attack Mechanism Description
The attack chain triggers during the post-install phase: a lifecycle script declared in the “package.json” file downloads a ZIP archive containing the malicious software from a rogue server. The Vidar executable is then launched, alongside scripts that could further complicate detection.
Given the rise in supply chain attacks targeting open-source platforms, developers are urged to practice vigilance. Regularly reviewing changelogs and being cautious of potential malware tactics can safeguard against these threats.