The **Prettier Code formatter**, a widely adopted open-source tool for code formatting, was impersonated on the **VSCode Marketplace** in a **brandjacking attack**. Threat actors distributed a malicious spoofed version of the extension to inject **Anivia Stealer malware** onto **Windows systems**. This malware is designed to exfiltrate sensitive data, including **credentials, cookies, cryptocurrency wallets, and browser-stored information** from infected machines. The attack leveraged **social engineering** by mimicking the legitimate Prettier extension, tricking developers—who rely on the tool for workflow efficiency—into installing the compromised version.

While the article does not specify **direct financial losses or large-scale data breaches**, the malware’s capabilities pose a **high risk of credential theft and downstream fraud**, particularly if deployed within corporate environments. Developers using infected systems could unknowingly expose **internal repositories, API keys, or proprietary code** to attackers.

The incident highlights vulnerabilities in **third-party marketplace security**, where spoofed extensions can bypass initial scrutiny. Though no **mass data leak or ransomware deployment** was confirmed, the **potential for follow-on attacks**—such as **supply-chain compromises or lateral movement within organizations**—remains significant. The reputational damage to **Prettier** and **Microsoft’s VSCode Marketplace** is also notable, eroding trust in extension ecosystems.
Source: https://www.scworld.com/brief/vanhelsing-raas-reveals-source-code-after-attempted-exposure
TPRM report: https://www.rankiteo.com/company/10xminds
"id": "10x2462824112725",
"linkid": "10xminds",
"type": "Cyber Attack",
"date": "5/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Software Development',
'name': 'Prettier (Code Formatter)',
'type': 'Open-Source Tool'},
{'industry': ['Technology',
'Software Development',
'Various'],
'location': 'Global',
'name': 'VSCode Marketplace Users',
'type': 'Developers/Organizations'}],
'attack_vector': ['Spoofed Software',
'Malicious Extension',
'VSCode Marketplace'],
'customer_advisories': ['Developers advised to check for and remove malicious '
'Prettier extensions'],
'data_breach': {'data_exfiltration': 'Likely (Anivia Stealer exfiltrates data '
'to C2 servers)',
'personally_identifiable_information': 'Likely',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'Cookies',
'Browser Data',
'Cryptocurrency Wallets',
'Screenshots',
'System Information']},
'date_detected': '2025-11-25',
'date_publicly_disclosed': '2025-11-25',
'description': 'The widely used coding tool Prettier Code formatter was '
'spoofed on the VSCode Marketplace to inject Anivia Stealer '
'malware on Windows systems as part of a Brandjacking attack.',
'impact': {'brand_reputation_impact': ['Potential erosion of trust in '
'Prettier and VSCode Marketplace'],
'data_compromised': ['Potential credentials',
'Sensitive user data (via Anivia Stealer)'],
'identity_theft_risk': ['High (Anivia Stealer targets credentials '
'and PII)'],
'payment_information_risk': ['Possible (if users stored payment '
'data in compromised systems)'],
'systems_affected': ['Windows systems with infected VSCode '
'extensions']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (Anivia Stealer '
'data often sold)',
'entry_point': 'Spoofed Prettier extension on '
'VSCode Marketplace',
'high_value_targets': ['Developers',
'Organizations using '
'VSCode']},
'investigation_status': 'Reported (ongoing investigation likely)',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'root_causes': ['Lack of strict publisher '
'verification on VSCode '
'Marketplace',
'User trust in brand impersonation '
'(Prettier)',
'Inadequate extension vetting '
'processes']},
'recommendations': ['Verify extension publishers before installation on '
'VSCode Marketplace.',
'Use code-signing and reputation systems for extensions.',
'Monitor for unusual activity post-installation of new '
'tools.',
'Educate developers on risks of spoofed/malicious '
'extensions.'],
'references': [{'date_accessed': '2025-11-25', 'source': 'HackRead'}],
'response': {'remediation_measures': ['Removal of malicious extension from '
'VSCode Marketplace (assumed)']},
'title': 'Prettier Code Formatter Spoofed on VSCode Marketplace to Distribute '
'Anivia Stealer Malware',
'type': ['Malware Injection', 'Brandjacking', 'Supply Chain Attack'],
'vulnerability_exploited': 'User trust in legitimate-looking extensions on '
'the VSCode Marketplace'}