Malicious VS Code Extension Delivers Ransomware.


Malicious VS Code Extension and Trojanized npm Packages Target Developers

Cybersecurity researchers have recently uncovered a malicious Visual Studio Code (VS Code) extension exhibiting basic ransomware capabilities and a cluster of trojanized npm packages distributing the Vidar Stealer. These discoveries highlight the increasing threat of supply chain attacks targeting developers and the open-source ecosystem.

Key Takeaways:

  • A malicious VS Code extension with ransomware capabilities was discovered, seemingly created with the help of AI.
  • The extension, named "susvsex," automatically zips, uploads, and encrypts files from specific directories.
  • It uses GitHub as a command-and-control (C2) server, polling a private repository for commands.
  • 17 trojanized npm packages were found distributing the Vidar Stealer, marking the first time the infostealer has been distributed via the npm registry.
  • The packages were downloaded over 2,240 times before being taken down.
  • The attack chain involves a postinstall script that downloads and executes the Vidar executable.
  • These incidents underscore the importance of developers performing due diligence when installing packages and extensions.

Malicious VS Code Extension "susvsex"

The malicious VS Code extension, dubbed "susvsex," was flagged by Secure Annex researcher John Tuckner. Uploaded by a user named "suspublisher18," the extension’s description indicated its intent to automatically zip, upload, and encrypt files from specific directories on both Windows and macOS systems. Fortunately, the targeted directory was a test staging area, limiting its immediate impact. However, researchers noted that the targeted directory could easily be changed via a command sent over the C2 channel. Microsoft has since removed the extension from the official VS Code Extension Marketplace.

The extension’s functionality is triggered automatically upon installation or VS Code launch, invoking a function that archives a target directory, exfiltrates the archive to a remote server, and encrypts the original files. The code also contained extraneous comments and execution instructions, indicating it may have been created using AI. The developer even accidentally included decryption tools, command-and-control server code, and GitHub access keys to the C2 server within the package.

GitHub as Command-and-Control

Besides encrypting files, the "susvsex" extension utilizes GitHub as a command-and-control (C2) server. It polls a private GitHub repository for new commands by parsing the "index.html" file. The results of the command execution are then written back to the same repository in the "requirements.txt" file using a GitHub access token embedded in the code. The GitHub account associated with the repository, belonging to a developer claiming to be from Baku, Azerbaijan, remains active.

Trojanized npm Packages Drop Vidar Infostealer

Datadog Security Labs discovered 17 npm packages designed to deliver the Vidar Stealer. These packages masquerade as benign software development kits (SDKs) and provide the advertised functionality, while simultaneously installing and executing the Vidar Stealer on infected systems. This incident marks the first instance of Vidar being distributed through the npm registry.

The packages, published by accounts named "aartje" and "saliii229911," were first flagged in late October 2025. They include names like "abeya-tg-api," "bael-god-admin," and "cursor-ai-fork," among others. While the accounts have been banned, the malicious packages were downloaded at least 2,240 times.

Attack Chain and Vidar Stealer

The attack chain is initiated via a postinstall script specified in the "package.json" file. This script downloads a ZIP archive from an external server and executes the Vidar executable contained within. The Vidar 2.0 samples utilize hard-coded Telegram and Steam accounts as dead drop resolvers to retrieve the actual C2 server. Some variants use a post-install PowerShell script, embedded directly in the package.json file, to download the ZIP archive, followed by a JavaScript file to complete the attack.

Researchers noted the variations in the postinstall scripts and suggest that "diversifying implementations can be advantageous to the threat actor in terms of surviving detection."

Implications and Recommendations

These discoveries underscore the growing threat of supply chain attacks targeting the open-source ecosystem. Developers are increasingly targeted through malicious packages and extensions distributed via popular repositories like npm, PyPI, RubyGems, and Open VSX. Therefore, it is crucial that developers perform due diligence before installing packages, including:

  • Reviewing changelogs and release notes.
  • Verifying the publisher and package reputation.
  • Examining the package’s dependencies.
  • Watching out for techniques like typosquatting and dependency confusion.
