Researchers Uncover 73 Malicious VS Code Extensions Threatening Developer Security Worldwide

In a significant cybersecurity development, researchers have identified 73 counterfeit Visual Studio Code (VS Code) extensions embedded with malicious code, posing substantial risks to developers and organizations worldwide. These deceptive extensions, often masquerading as legitimate tools, have been found to steal sensitive information, deploy malware, and compromise entire development environments.

The Rise of Malicious VS Code Extensions

VS Code, a widely adopted source-code editor developed by Microsoft, supports a vast ecosystem of extensions that enhance its functionality. However, this popularity has also attracted cybercriminals who exploit the platform to distribute malicious extensions. These extensions often appear legitimate, making it challenging for developers to discern their true nature.

Notable Malicious Extensions and Their Impact

1. Vibe-Coded Malicious Extension: In November 2025, a malicious extension named susvsex was discovered. This extension possessed basic ransomware capabilities, automatically zipping, uploading, and encrypting files from specific directories upon activation. It also utilized GitHub as a command-and-control (C2) server, allowing attackers to execute commands remotely. Fortunately, the extension targeted test directories, minimizing immediate impact, but it highlighted the potential for more severe attacks. ([thehackernews.com](https://thehackernews.com/2025/11/vibe-coded-malicious-vs-code-extension.html))

2. SleepyDuck Extension: Another extension, SleepyDuck, employed advanced techniques to maintain its C2 infrastructure. It utilized an Ethereum contract to update its C2 address, ensuring persistence even if the original server was taken down. This method demonstrated the evolving sophistication of attackers in maintaining control over compromised systems. ([thehackernews.com](https://thehackernews.com/2025/11/malicious-vsx-extension-sleepyduck-uses.html))

3. GlassWorm Campaign: The GlassWorm campaign involved multiple malicious extensions designed to harvest credentials, drain cryptocurrency wallets, and establish remote access. These extensions used invisible Unicode characters to obfuscate malicious code, making detection more challenging. The campaign’s ability to self-replicate and spread like a worm underscored the potential for widespread impact. ([thehackernews.com](https://thehackernews.com/2025/11/glassworm-malware-discovered-in-three.html))

4. Evelyn Stealer Malware: In January 2026, the Evelyn Stealer malware was identified within certain VS Code extensions. This malware targeted developer credentials and cryptocurrency-related data, posing significant risks to both individual developers and organizations. Compromised environments could serve as entry points for further attacks, emphasizing the need for vigilance. ([thehackernews.com](https://thehackernews.com/2026/01/evelyn-stealer-malware-abuses-vs-code.html))
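The GlassWorm entry above mentions invisible Unicode characters used to hide code from a human reviewer. The following scanner is an added example (not code from the article or from any of the cited research) that a reviewer can run over the JavaScript of an unpacked extension before approving it; the sample source is constructed, and the character set is an assumption about which code points render as nothing in an editor.

```python
"""Flag invisible Unicode code points in extension source files."""
import unicodedata

# Code points that leave no visible trace in most editors. Category "Cf"
# (format) covers zero-width spaces/joiners, bidi controls and the Unicode
# tag block; variation selectors are category "Mn", so they are listed
# explicitly, as are the Hangul filler characters (assumed set).
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
HANGUL_FILLERS = {0x115F, 0x1160, 0x3164, 0xFFA0}


def is_invisible(ch):
    """True for a code point that renders as nothing in ordinary source text."""
    cp = ord(ch)
    if cp in VARIATION_SELECTORS or cp in HANGUL_FILLERS:
        return True
    return unicodedata.category(ch) == "Cf"


def scan_source(text):
    """Return (line, column, 'U+XXXX') for every invisible code point.

    A byte-order mark as the very first character is a legitimate file
    signature and is ignored; anywhere else it is reported.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}"))
    return hits


def suspicious_lines(text):
    """Sorted line numbers that carry at least one invisible code point."""
    return sorted({lineno for lineno, _, _ in scan_source(text)})


# Constructed sample: two clean lines, then a line with a zero-width space,
# a variation selector, a supplementary variation selector and a tag
# character appended after an innocent-looking statement.
SAMPLE_JS = (
    "const vscode = require('vscode');\n"
    "function activate(context) {\n"
    "  const ok = true;" + "\u200b\ufe01\U000e0101\U000e0061" + "\n"
    "}\n"
)

if __name__ == "__main__":
    for lineno, col, cp in scan_source(SAMPLE_JS):
        print(f"line {lineno} col {col}: {cp}")
```

A hit is not proof of malice (some libraries ship legitimate emoji sequences in string literals), but invisible code points outside string literals warrant a manual look before the extension is allowed onto a developer machine.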

Supply Chain Vulnerabilities and Exploits

The discovery of these malicious extensions highlights critical vulnerabilities within the software supply chain:

– Leaked Access Tokens: Over 100 VS Code extensions were found to have leaked access tokens, allowing attackers to distribute malicious updates directly to users. This exposure posed a significant risk, as attackers could push malware to a vast number of developers. ([thehackernews.com](https://thehackernews.com/2025/10/over-100-vs-code-extensions-exposed.html))

– Publisher Spoofing: A flaw in the Visual Studio Installer allowed attackers to impersonate legitimate publishers, facilitating the distribution of malicious extensions. This vulnerability made it easier for attackers to gain trust and infiltrate development environments. ([thehackernews.com](https://thehackernews.com/2023/06/researchers-uncover-publisher-spoofing.html))

– Reusing Deleted Extension Names: Attackers exploited a loophole that permitted the reuse of names from previously removed extensions. By republishing under these names, they could deceive developers into installing malicious extensions, leveraging the trust associated with the original names. ([thehackernews.com](https://thehackernews.com/2025/08/researchers-find-vs-code-flaw-allowing.html))

Recommendations for Developers and Organizations

To mitigate the risks associated with malicious VS Code extensions, developers and organizations should adopt the following practices:

1. Limit Extension Installations: Install only essential extensions and regularly review their necessity. Reducing the number of installed extensions minimizes potential attack vectors.

2. Scrutinize Extensions Before Installation: Carefully evaluate extensions by reviewing their publisher information, user reviews, and update history. Be cautious of extensions with limited information or those from unknown publishers.

3. Disable Auto-Updates: While automatic updates can provide convenience, they can also introduce risks if an extension becomes compromised. Manually reviewing and updating extensions ensures greater control over what is installed.

4. Develop an Extension Inventory: Maintain a comprehensive list of installed extensions to facilitate quick responses to reports of malicious activity. This inventory can aid in identifying and removing compromised extensions promptly.

5. Implement Centralized Allowlists: Organizations should consider creating allowlists of approved extensions. This approach ensures that only vetted and trusted extensions are used within the development environment.

6. Stay Informed About Security Updates: Regularly monitor security advisories and updates related to VS Code extensions. Staying informed enables proactive measures against emerging threats.
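Recommendations 3 to 5 above (inventory, allowlist, controlled updates) can be turned into a routine check. The script below is an added example, not from the article: it audits the output of `code --list-extensions --show-versions` (one `publisher.name@version` per line) against a pinned allowlist and reads the `extensions.autoUpdate` setting from a settings.json fragment. The allowlist contents and the listing are constructed sample data; the VS Code CLI flags and the setting name are real, but the policy is an assumption.

```python
"""Audit installed VS Code extensions against a pinned allowlist."""
import json
import re

# Policy: full extension id (publisher.name) -> approved version, or None for
# any version. Keying on the full id, never on the bare name, is what defeats
# a look-alike republished under a reused or deleted extension name.
ALLOWLIST = {
    "ms-python.python": None,
    "esbenp.prettier-vscode": "10.4.0",
}

# `code --list-extensions --show-versions` prints lines like
# `ms-python.python@2024.22.0`; ids are case-insensitive, so we lowercase them.
LINE_RE = re.compile(r"^([\w-]+)\.([\w-]+)@(\S+)$")


def parse_extension_list(text):
    """Return [(extension_id, version), ...]; malformed lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((f"{m.group(1)}.{m.group(2)}".lower(), m.group(3)))
    return found


def audit(text, allowlist=ALLOWLIST):
    """Classify each installed extension as approved, unapproved or drifted."""
    findings = {"approved": [], "unapproved": [], "version_drift": []}
    for ext_id, version in parse_extension_list(text):
        if ext_id not in allowlist:
            findings["unapproved"].append(ext_id)
        elif allowlist[ext_id] not in (None, version):
            findings["version_drift"].append((ext_id, version, allowlist[ext_id]))
        else:
            findings["approved"].append(ext_id)
    return findings


def auto_update_enabled(settings_json):
    """True unless settings.json sets "extensions.autoUpdate" to false.

    Real settings.json files are JSONC; strip comments before calling this.
    """
    settings = json.loads(settings_json)
    return settings.get("extensions.autoUpdate", True) is not False


# Constructed listing: one approved, one behind the pinned version, and one
# from a publisher that is not on the allowlist at all.
SAMPLE_LISTING = """\
ms-python.python@2024.22.0
esbenp.prettier-vscode@10.1.0
Unknown-Publisher.helpful-snippets@1.0.3
"""
```

Run against the real CLI with `code --list-extensions --show-versions | python audit.py` after adapting the entry point; unapproved ids are the items to remove, and version drift is the signal to review an update before applying it.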

Conclusion

The identification of 73 malicious VS Code extensions underscores the critical need for heightened vigilance within the developer community. As attackers continue to exploit trusted platforms to distribute malware, developers and organizations must adopt robust security practices to protect their environments. By limiting extension installations, scrutinizing new additions, and staying informed about potential threats, the community can mitigate the risks posed by these malicious extensions.
