Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities

The Hacker News by The Hacker News
November 7, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded.

Secure Annex researcher John Tuckner, who flagged the extension “susvsex,” said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named “suspublisher18” along with the description “Just testing” and the email address “donotsupport@example[.]com.”

“Automatically zips, uploads, and encrypts files from C:UsersPublictesting (Windows) or /tmp/testing (macOS) on first launch,” reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace.

According to details shared by “suspublisher18,” the extension is designed to automatically activate itself on any event, including installing or when launching VS Code, and invoke a function named “zipUploadAndEncrypt,” which creates a ZIP archive of a target directory, exfiltrates it to a remote server, and replaces the files with their encrypted versions.

“Fortunately, the TARGET_DIRECTORY is configured to be a test staging directory so it would have little impact right now, but is easily updated with an extension release or as a command sent through the C2 channel covered next,” Tuckner said.

DFIR Retainer Services

Besides encryption, the malicious extension also uses GitHub as command-and-control (C2) by polling a private GitHub repository for any new commands to be executed by parsing the “index.html” file. The results of the command execution are written back to the same repository in the “requirements.txt” file using a GitHub access token embedded in the code.

The GitHub account associated with the repository – aykhanmv – continues to be active, with the developer claiming to be from the city of Baku, Azerbaijan.

“Extraneous comments which detail functionality, README files with execution instructions, and placeholder variables are clear signs of ‘vibe coded’ malware,” Tuckner said. “The extension package accidentally included decryption tools, command and control server code, GitHub access keys to the C2 server, which other people could use to take over the C2.”

Trojanized npm Packages Drop Vidar Infostealer

The disclosure comes as Datadog Security Labs unearthed 17 npm packages that masquerade as benign software development kits (SDKs) and provide the advertised functionality, but are engineered to stealthily execute Vidar Stealer on infected systems. The development marks the first time the information stealer has been distributed via the npm registry.

The cybersecurity company, which is tracking the cluster under the name MUT-4831, said some of the packages were first flagged on October 21, 2025, with subsequent uploads recorded the next day and on October 26. The names of the packages, published by accounts named “aartje” and “saliii229911,” are below –

  • abeya-tg-api
  • bael-god-admin
  • bael-god-api
  • bael-god-thanks
  • botty-fork-baby
  • cursor-ai-fork
  • cursor-app-fork
  • custom-telegram-bot-api
  • custom-tg-bot-plan
  • icon-react-fork
  • react-icon-pkg
  • sabaoa-tg-api
  • sabay-tg-api
  • sai-tg-api
  • salli-tg-api
  • telegram-bot-start
  • telegram-bot-starter

While the two accounts have since been banned, the libraries were downloaded at least 2,240 times prior to them being taken down. That said, Datadog noted that many of these downloads could likely have been the result of automated scrapers.

CIS Build Kits

The attack chain in itself is fairly straightforward, kicking in as part of a postinstall script specified in the “package.json” file that downloads a ZIP archive from an external server (“bullethost[.]cloud domain”) and execute the Vidar executable contained within the ZIP file. The Vidar 2.0 samples have been found to use hard-coded Telegram and Steam accounts as dead drop resolvers to fetch the actual C2 server.

In some variants, a post-install PowerShell script, embedded directly in the package.json file, is used to download the ZIP archive, after which the execution control is passed to a JavaScript file to complete the rest of the steps in the attack.

‘

“It is not clear why MUT-4831 chose to vary the postinstall script in this way,” security researchers Tesnim Hamdouni, Ian Kretz, and Sebastian Obregoso said. “One possible explanation is that diversifying implementations can be advantageous to the threat actor in terms of surviving detection.”

The discovery is just another in a long list of supply chain attacks targeting the open-source ecosystem spanning npm, PyPI, RubyGems, and Open VSX, making it crucial that developers perform due diligence, review changelogs, and watch out for techniques like typosquatting and dependency confusion before installing packages.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
ASMAX Showcases Next-Gen Smart Riding IoT Ecosystem at EICMA 2025

ASMAX Showcases Next-Gen Smart Riding IoT Ecosystem at EICMA 2025

Recommended.

Allora Labs and Pairpoint by Vodafone to Build a Predictive Intelligence Layer for the Economy of Things

Allora Labs and Pairpoint by Vodafone to Build a Predictive Intelligence Layer for the Economy of Things

June 15, 2026
Encore and Boldpush Release 2026 “Experience Design Report, Shaping What Drives Value in Live Corporate Events”

Encore and Boldpush Release 2026 “Experience Design Report, Shaping What Drives Value in Live Corporate Events”

May 6, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
ACP CreativIT Rebrands As Tusker, Mounts National Sales Charge, Eyes New Acquisitions

ACP CreativIT Rebrands As Tusker, Mounts National Sales Charge, Eyes New Acquisitions

January 13, 2026
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio