Cybersecurity researchers identified a malicious **Visual Studio Code (VS Code) extension** named *susvsex*, uploaded by a suspicious user (*suspublisher18*) on **November 5, 2025**. The extension, described as a 'test,' automatically executed ransomware-like functionality upon installation or VS Code launch. It **zipped, exfiltrated, and encrypted files** from predefined test directories (`C:\Users\Public\testing` or `/tmp/testing`), though the target path was non-critical. However, the attacker could easily update the directory via a **GitHub-based C2 channel**, where commands were fetched from a private repository (*aykhanmv*) and results logged in *requirements.txt*. The extension **accidentally exposed decryption tools, C2 server code, and GitHub access tokens**, risking C2 takeover by third parties. While Microsoft **removed the extension within 24 hours**, the incident highlights supply-chain risks in open-source ecosystems. The attacker’s use of **AI-generated ('vibe-coded') malware**—with sloppy comments and placeholder variables—suggests a low-effort but potentially scalable threat. Though the immediate impact was minimal due to the test directory, the **exfiltration + encryption capability** and **C2 infrastructure** pose severe risks if repurposed for critical systems.
Source: https://thehackernews.com/2025/11/vibe-coded-malicious-vs-code-extension.html
Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft
```json
{
  "id": "mic1692516110725",
  "linkid": "microsoft",
  "type": "Ransomware",
  "date": "11/2025",
  "severity": "75",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "Unknown (extension removed before widespread adoption)",
      "industry": "Technology",
      "location": "Global",
      "name": "Microsoft (VS Code Marketplace)",
      "size": "Large",
      "type": "Corporation"
    },
    {
      "customers_affected": "~2,240 downloads (potentially automated scrapers)",
      "industry": "Software Development",
      "location": "Global",
      "name": "npm Registry Users",
      "size": "Varies",
      "type": "Developers/Organizations"
    },
    {
      "industry": "Technology",
      "location": "Global",
      "name": "GitHub (C2 Repository Host)",
      "size": "Large",
      "type": "Platform"
    }
  ],
  "attack_vector": [
    "Malicious Extension (VS Code Marketplace)",
    "Trojanized npm Packages",
    "GitHub C2",
    "Postinstall Scripts"
  ],
  "customer_advisories": [
    "Users of infected npm packages should reset credentials and monitor for fraud."
  ],
  "data_breach": {
    "data_encryption": [
      "Files in test directories replaced with encrypted versions (susvsex)"
    ],
    "data_exfiltration": [
      "ZIP archives uploaded to remote server (susvsex)",
      "Data sent to Vidar C2 servers"
    ],
    "file_types_exposed": [
      "ZIP archives",
      "Potentially all file types in compromised systems (Vidar)"
    ],
    "personally_identifiable_information": [
      "Yes (via Vidar Infostealer)"
    ],
    "sensitivity_of_data": [
      "Low (test files)",
      "High (Vidar-targeted data)"
    ],
    "type_of_data_compromised": [
      "Files in test directories",
      "Potential PII (via Vidar: credentials, cookies, cryptocurrency wallets, browser data)"
    ]
  },
  "date_detected": "2025-11-05",
  "date_publicly_disclosed": "2025-11-06",
  "date_resolved": "2025-11-06",
  "description": "Cybersecurity researchers discovered a malicious Visual Studio Code (VS Code) extension named 'susvsex' with ransomware capabilities, likely created using AI ('vibe-coded'). The extension, uploaded by 'suspublisher18' on November 5, 2025, automatically zips, uploads, and encrypts files from a test directory (C:\\Users\\Public\\testing on Windows or /tmp/testing on macOS) on first launch. It uses GitHub as a command-and-control (C2) server by polling a private repository for commands. The extension was removed by Microsoft on November 6, 2025. Separately, 17 trojanized npm packages were found distributing the Vidar infostealer, uploaded by accounts 'aartje' and 'saliii229911' between October 21–26, 2025. These packages were downloaded ~2,240 times before being banned.",
  "impact": {
    "brand_reputation_impact": [
      "Negative publicity for VS Code Marketplace and npm registry",
      "Erosion of trust in open-source ecosystems"
    ],
    "data_compromised": [
      "Files in test directories (C:\\Users\\Public\\testing, /tmp/testing)",
      "Potential system data via Vidar Infostealer (credentials, cookies, cryptocurrency wallets, etc.)"
    ],
    "identity_theft_risk": [
      "High (Vidar Infostealer targets PII, credentials, and financial data)"
    ],
    "operational_impact": [
      "Potential disruption for developers using infected extensions/packages",
      "Compromise of development environments"
    ],
    "payment_information_risk": [
      "High (Vidar Infostealer exfiltrates cryptocurrency wallets and payment details)"
    ],
    "systems_affected": [
      "Windows (VS Code)",
      "macOS (VS Code)",
      "Systems with infected npm packages (Windows/Linux/macOS)"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": [
      "GitHub C2 (aykhanmv repository)",
      "Bullethost[.]cloud (Vidar payload host)"
    ],
    "data_sold_on_dark_web": [
      "Potential (Vidar-exfiltrated data)"
    ],
    "entry_point": [
      "VS Code Marketplace (susvsex extension)",
      "npm Registry (trojanized packages)"
    ],
    "high_value_targets": [
      "Developer environments",
      "Cryptocurrency wallets",
      "Browser credentials"
    ]
  },
  "investigation_status": "Ongoing (C2 repository and threat actors under analysis)",
  "lessons_learned": [
    "AI-assisted ('vibe-coded') malware can bypass basic detection due to unconventional coding practices.",
    "Open-source ecosystems (VS Code, npm) remain prime targets for supply chain attacks.",
    "GitHub can be abused as a C2 infrastructure, highlighting the need for monitoring unusual repository activity.",
    "Postinstall scripts in npm packages are a persistent attack vector for malware distribution.",
    "Developers must vet extensions/packages for suspicious indicators (e.g., vague descriptions, placeholder code, embedded tokens)."
  ],
  "motivation": [
    "Testing/Experimental (susvsex)",
    "Financial Gain (Vidar Infostealer)",
    "Data Theft"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Microsoft: Strengthen extension review processes for VS Code Marketplace.",
      "npm: Enhance detection of malicious postinstall scripts and typosquatting.",
      "GitHub: Improve abuse detection for repositories used as C2 channels.",
      "Developers: Adopt secure coding practices and dependency hygiene."
    ],
    "root_causes": [
      "Lack of strict vetting for VS Code extensions/npm packages.",
      "Abuse of legitimate platforms (GitHub, npm) for malicious purposes.",
      "Over-reliance on automated tools without manual code review.",
      "Insufficient monitoring of postinstall scripts in open-source packages."
    ]
  },
  "ransomware": {
    "data_encryption": [
      "AES/Other (files in test directories)"
    ],
    "data_exfiltration": [
      "Yes (ZIP archives to remote server)"
    ],
    "ransomware_strain": "Custom (susvsex extension)"
  },
  "recommendations": [
    "Enhance vetting processes for extensions/packages in official marketplaces (e.g., static analysis, behavioral sandboxing).",
    "Monitor GitHub for repositories used as C2 channels (e.g., frequent updates to index.html/requirements.txt).",
    "Educate developers on risks of typosquatting, dependency confusion, and postinstall scripts.",
    "Implement network-level detection for connections to known malicious domains (e.g., bullethost[.]cloud).",
    "Use multi-factor authentication (MFA) for package publishing accounts to prevent hijacking.",
    "Regularly audit open-source dependencies for suspicious activity (e.g., unexpected postinstall scripts)."
  ],
  "references": [
    {"date_accessed": "2025-11-06", "source": "Secure Annex Research (John Tuckner)"},
    {"date_accessed": "2025-11-06", "source": "Datadog Security Labs"},
    {"date_accessed": "2025-11-06", "source": "The Hacker News (Coverage)"}
  ],
  "response": {
    "communication_strategy": [
      "Public disclosure by researchers (Secure Annex, Datadog)",
      "Media coverage"
    ],
    "containment_measures": [
      "Microsoft removed 'susvsex' from VS Code Marketplace (2025-11-06)",
      "npm banned malicious accounts ('aartje', 'saliii229911') and packages"
    ],
    "incident_response_plan_activated": true,
    "third_party_assistance": [
      "Secure Annex (research)",
      "Datadog Security Labs (research)"
    ]
  },
  "stakeholder_advisories": [
    "Developers advised to remove 'susvsex' extension and scan systems for Vidar Infostealer."
  ],
  "threat_actor": [
    "suspublisher18",
    "aykhanmv (GitHub C2 operator)",
    "MUT-4831 (npm package uploader: aartje, saliii229911)"
  ],
  "title": "Malicious VS Code Extension 'susvsex' with Ransomware Capabilities and Trojanized npm Packages Distributing Vidar Infostealer",
  "type": [
    "Malware",
    "Ransomware",
    "Supply Chain Attack",
    "Data Exfiltration",
    "Infostealer"
  ]
}
```