Malicious VS Code Extensions on the Rise: Hidden Malware Threatens Developers

In a chilling reminder that even trusted development tools are not immune to attacks, cybersecurity researchers have uncovered a campaign deploying malware through Visual Studio Code (VS Code) extensions. Active since February 2025 but only identified in early December, this operation has directly targeted developers, exploiting the very packages they rely on for software development. By hiding malicious files in seemingly legitimate dependencies, attackers have found a way to bypass traditional security checks and infiltrate development environments with alarming stealth.

Hidden Malware in Trusted Extensions

The campaign involved 19 VS Code extensions, all of which embedded harmful files within their dependency folders. Researchers from ReversingLabs discovered that the attackers used a legitimate npm package to disguise malicious code. The malware was bundled inside an archive masquerading as a PNG image, allowing it to evade casual inspection. Once installed, the malicious code would execute as soon as VS Code launched, threatening both individual developers and enterprise environments.

Phishing and Deceptive Techniques Evolve

This incident is part of a broader trend observed throughout 2025, where malicious VS Code extensions have steadily increased in prevalence. Some extensions imitate popular tools, while others advertise new features to lure unsuspecting developers. Even legitimate extensions are at risk: in July, a malicious pull request compromised a trusted project simply by introducing a dangerous dependency.

In this latest campaign, the attackers embedded a modified version of the widely used npm package path-is-absolute into the extensions’ node_modules folders. With over 9 billion downloads since 2021, this package is trusted globally. However, the altered version contained a class designed to trigger malware at VS Code startup, decoding a JavaScript dropper stored in a file named lock.

Adding to the deception, the attackers included a file named banner.png, which appeared harmless but was actually an archive containing two binaries. These binaries were launched via cmstp.exe, a common living-off-the-land binary (LOLBIN). One executable simulated a keypress to close processes, while the other, a Rust-based Trojan, was still under analysis at the time of the report.

Multiple Attack Vectors

While most malicious extensions relied on the modified path-is-absolute dependency, four others weaponized the npm package @actions/io, distributing their payload across TypeScript and map files instead of hiding it in a disguised PNG. Despite different methods, the attackers’ goal remained consistent: covertly execute malware through trusted components to avoid detection.

Alarming Trend for Developers

ReversingLabs reported a sharp rise in malicious extension detection—from 27 in 2024 to 105 in the first 10 months of 2025—signaling a growing threat to developers worldwide. These numbers underline the importance of scrutinizing every extension before installation and auditing all bundled dependencies. Security tools that analyze package behavior can further mitigate risk.

Best Practices for Safety

According to experts, the key to staying safe is not avoiding extensions entirely but recognizing that even trusted tools can be compromised. Developers are encouraged to:

Carefully inspect extensions before installation

Audit all dependencies for suspicious modifications

Use advanced security tools capable of behavioral analysis

All identified malicious extensions have been reported to Microsoft for removal.

What Undercode Says:

This campaign highlights a worrying shift in the cybersecurity landscape for developers. Attackers are increasingly targeting development environments directly, rather than conventional endpoints like personal computers or servers. By exploiting trusted npm packages and disguising malware inside legitimate-looking files, attackers gain an elevated level of stealth, bypassing standard antivirus and security filters.

The choice of VS Code as a target is strategic. As one of the most widely used code editors worldwide, it presents a massive attack surface. Developers often rely on numerous third-party extensions without scrutinizing their source code, which allows malicious actors to infiltrate systems through trust rather than brute force.

The modified path-is-absolute and @actions/io packages reveal a sophisticated understanding of developer workflows. Embedding malware in dependencies ensures that the payload activates automatically with minimal user interaction. Moreover, hiding a Rust-based Trojan in a benign-looking PNG archive indicates a high level of technical sophistication, exploiting common human assumptions that image files are safe.

This trend also points to the rise of supply chain attacks in the development ecosystem. As more organizations adopt DevOps and continuous integration pipelines, the reliance on external packages grows. Each dependency becomes a potential vector for compromise, emphasizing the need for stringent verification and monitoring.

Behavioral analysis tools, dependency auditing, and runtime monitoring are no longer optional—they are essential. Organizations need to implement a layered security approach, including both pre-installation checks and post-installation runtime observation, to prevent such sophisticated attacks.

Furthermore, this incident is a reminder that security awareness among developers must evolve. Training teams to recognize subtle manipulations, like modified legitimate packages, is crucial. Ignoring this risk could result in malware silently collecting sensitive code, credentials, or even spreading within corporate networks.

Supply chain attacks like these also highlight a critical question: how can the developer ecosystem maintain trust while leveraging an open, collaborative package repository system? Enhanced vetting processes by marketplaces like npm and VS Code Marketplace are necessary but must be complemented by proactive security hygiene from developers themselves.

Ultimately, the rise of malware-laden VS Code extensions is not just a technical problem—it’s a cultural one. Developers must balance efficiency and convenience with vigilance and skepticism. As attacks become more sophisticated, the boundary between safe and unsafe code becomes increasingly blurred, demanding constant attention and proactive defense strategies.

🔍 Fact Checker Results

✅ 19 VS Code extensions involved in malware campaign

✅ Attackers used legitimate npm packages to hide malicious code

❌ The Rust-based Trojan details are still under analysis

📊 Prediction

The sophistication of this campaign suggests a continuing rise in developer-targeted supply chain attacks. Expect malware to become more embedded in legitimate-looking dependencies, making detection harder. Organizations may increasingly adopt automated security audits and AI-based behavioral analysis for extension safety. 🚀 Developers will need to balance productivity with rigorous scrutiny of third-party code to prevent future infections. ⚠️


References:

Reported By: www.infosecurity-magazine.com