Prettier (via spoofed VSCode Marketplace extension)

The Prettier Code formatter, a widely adopted open-source tool for code formatting, was impersonated on the VSCode Marketplace in a brandjacking attack. Threat actors distributed a malicious spoofed extension that injected the Anivia Stealer malware onto Windows systems of unsuspecting developers. This malware is designed to exfiltrate sensitive data, including credentials, browser cookies, cryptocurrency wallets, and system information, from infected machines. The attack leveraged social engineering, tricking developers into installing the fake extension under the guise of a legitimate update or alternative. Once executed, Anivia Stealer established persistence and began harvesting data, which could be used for follow-on attacks such as credential stuffing, financial fraud, or lateral movement within corporate networks. While the immediate impact was limited to individual developers' workstations, the stolen data could enable broader compromises if corporate credentials or proprietary code were exposed. The incident highlights risks in supply-chain attacks via third-party marketplaces, where trust in open-source tools is exploited. Microsoft removed the malicious extension, but the breach underscores the need for verification mechanisms and developer awareness to mitigate such threats. No large-scale data leaks or ransomware were reported, but the theft of personal and professional data poses reputational and operational risks for affected users and organizations.

Source: https://www.scworld.com/brief/email-bombing-other-techniques-leveraged-by-3am-ransomware-gang

TPRM report: https://www.rankiteo.com/company/10xminds

{
  "id": "10x1433014112625",
  "linkid": "10xminds",
  "type": "Cyber Attack",
  "date": "5/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': ['Developers Using VSCode with '
                                               'Malicious Extension'],
                        'industry': 'Software Development',
                        'location': 'Global',
                        'name': 'Prettier (Brand Impersonated)',
                        'type': 'Open-Source Project'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'VSCode Marketplace (Platform Exploited)',
                        'type': 'Software Repository'}],
 'attack_vector': ['Spoofed Software Extension',
                   'Malicious VSCode Marketplace Listing',
                   'Social Engineering (Deceptive Legitimacy)'],
 'customer_advisories': ['Developers advised to uninstall suspicious Prettier '
                         'extensions and scan systems for malware.'],
 'data_breach': {'data_exfiltration': 'Likely (via Anivia Stealer)',
                 'personally_identifiable_information': ['Potential (if Stored '
                                                         'in Browsers or '
                                                         'System Files)'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'System Information',
                                              'Browser Data (Cookies, '
                                              'Autofill, etc.)']},
 'date_detected': '2025-11-25',
 'date_publicly_disclosed': '2025-11-25',
 'description': 'The widely used coding tool Prettier Code formatter was '
                'spoofed on the VSCode Marketplace to inject Anivia '
                'Stealer malware on Windows systems as part of a '
                'Brandjacking attack. The malicious extension mimicked the '
                'legitimate Prettier tool to deceive developers into '
                'installing it, leading to potential data theft and system '
                'compromise.',
 'impact': {'brand_reputation_impact': ['Erosion of Trust in Prettier Brand',
                                        'Reputational Damage to VSCode '
                                        'Marketplace'],
            'data_compromised': ['Potential Stolen Credentials',
                                 'System Information',
                                 'Browser Data (via Anivia Stealer)'],
            'identity_theft_risk': ['High (via Stolen Credentials)'],
            'operational_impact': ['Potential Disruption for Developers',
                                   'Loss of Trust in VSCode Marketplace'],
            'payment_information_risk': ['Possible (if Browser Data '
                                         'Compromised)'],
            'systems_affected': ['Windows Systems with Malicious Extension '
                                 'Installed']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Possible (if Anivia '
                                                    'Stealer exfiltrated data)',
                           'entry_point': 'Spoofed VSCode Marketplace '
                                          'Extension',
                           'high_value_targets': ['Developer Systems (for '
                                                  'Credential Theft)']},
 'investigation_status': 'Publicly Disclosed (Ongoing Investigation Assumed)',
 'lessons_learned': ['Importance of verifying extension authenticity before '
                     'installation, even from trusted marketplaces.',
                     'Need for stricter vetting processes in software '
                     'repositories to prevent spoofing.',
                     'Risks of brandjacking attacks leveraging popular '
                     'open-source tools.'],
 'motivation': ['Financial Gain (Data Theft)',
                'Credential Harvesting',
                'Potential Follow-on Attacks'],
 'post_incident_analysis': {'root_causes': ['Lack of robust extension '
                                            'verification in VSCode '
                                            'Marketplace.',
                                            'Exploitation of user trust in '
                                            'legitimate software brands.',
                                            'Inadequate user awareness of '
                                            'spoofing risks.']},
 'recommendations': ["Developers should enable VSCode's extension "
                     'verification and check publisher details before '
                     'installing.',
                     'Marketplace operators should implement automated '
                     'spoofing detection (e.g., hash verification, publisher '
                     'validation).',
                     'Organizations should restrict extension '
                     'installations to approved lists via policy.',
                     'Use endpoint detection tools to monitor for Anivia '
                     'Stealer indicators of compromise (IoCs).'],
 'references': [{'date_accessed': '2025-11-25', 'source': 'HackRead'}],
 'response': {'communication_strategy': ['Public Disclosure via HackRead'],
              'containment_measures': ['Removal of Malicious Extension from '
                                       'VSCode Marketplace (Assumed)']},
 'title': 'Prettier Code Formatter Spoofed on VSCode Marketplace to Distribute '
          'Anivia Stealer Malware in Brandjacking Attack',
 'type': ['Malware Distribution', 'Brandjacking', 'Supply Chain Attack'],
 'vulnerability_exploited': ['User Trust in Legitimate Software Repositories',
                             'Lack of Strict Marketplace Vetting']}