AI-Powered Ransomware Found in VS Code Extension, Removed

AI-Generated Malicious VS Code Extension With Ransomware Capabilities and npm Packages Delivering the Vidar Stealer Highlight Growing Supply Chain Attack Risks

  • A malicious Visual Studio Code extension with ransomware capabilities was published using code that appears to be AI-generated.
  • The extension zips, uploads, and then encrypts files from a test directory, and uses a private GitHub repository for command and control.
  • Datadog Security Labs identified 17 npm packages distributing the Vidar information stealer.
  • The npm packages launch Vidar from post-install scripts; the Vidar samples use Telegram and Steam accounts as dead drops that point to the command-and-control servers.
  • Supply chain attacks continue to target open-source registries, so developers need to vet packages and extensions before installing them.

A Visual Studio Code (VS Code) extension named “susvsex” with built-in ransomware capabilities was uploaded to the marketplace on November 5, 2025. The extension, written with apparent AI assistance, automatically compresses, uploads, and then encrypts files from designated test directories on Windows and macOS systems. John Tuckner, a security researcher at Secure Annex, flagged the extension, and Microsoft removed it from the official VS Code Marketplace on November 6. More details on the extension can be found in Tuckner’s report and on the marketplace page.

The malware activates on specific VS Code events and relies on a function named “zipUploadAndEncrypt” that archives the target directory, uploads the archive to a remote server, and then replaces the original files with encrypted versions. As shipped, the configuration points at a test (staging) directory, which limits the immediate damage. For command and control, the extension talks to a private GitHub repository using hard-coded access tokens: it polls an “index.html” file in the repository for commands and writes results back to “requirements.txt.” The repository owner, linked to the GitHub account “aykhanmv,” reportedly resides in Baku, Azerbaijan.

Meanwhile, Datadog Security Labs uncovered 17 malicious npm packages posing as benign software development kits (SDKs) that deliver the Vidar information stealer. The packages, published by the accounts “aartje” and “saliii229911,” were first detected on October 21, 2025, and were removed after about 2,240 downloads. The full list of package names is given in Datadog’s disclosure.

The infection chain starts with a post-install script declared in the package’s package.json. It downloads a ZIP archive from a domain already associated with malicious activity, extracts it, and runs the Vidar executable inside. In some variants the download is launched by PowerShell commands embedded directly in package.json, which then hand control to JavaScript code. The Vidar 2.0 samples use hard-coded Telegram and Steam accounts as dead drops from which they retrieve the addresses of the command-and-control servers.

Security researchers Tesnim Hamdouni, Ian Kretz, and Sebastian Obregoso noted in their analysis that the variation between post-install scripts may be intended to evade detection. The case adds to a string of supply chain attacks on open-source registries such as npm, PyPI, RubyGems, and Open VSX, and underscores the need to vet dependencies, review changelogs, and watch for typosquatting and dependency confusion before installing anything.
