Developers face a new wave of cyber threats after researchers uncovered malware embedded in 19 Visual Studio Code (VS Code) extensions. Active since early 2025 and only recently identified, this campaign exploited trusted npm packages to slip malicious files past marketplace checks. Attackers disguised harmful binaries in an archive that appeared to be a simple PNG image, allowing them to target developers without raising suspicion.
Attackers Exploit the VS Code Marketplace
Security firm ReversingLabs detected a spike in suspicious VS Code extension uploads throughout 2025. Many extensions mimicked popular tools or promised attractive features, but their real purpose was to execute malware on developer machines. In some cases, attackers compromised legitimate VS Code extensions through malicious pull requests that introduced harmful dependencies.
The attackers embedded a modified version of the npm package “path-is-absolute” in the node_modules directory of affected extensions. While this package is usually safe and widely downloaded, the malicious variant included code that executed malware each time VS Code started. This was achieved by decoding a JavaScript dropper hidden in a file named “lock.”
Deceptive Payloads and Stealthy Delivery
Malicious payloads were concealed as a file called banner.png. Despite its innocent appearance, this file was actually an archive containing two dangerous binaries. Once activated, a dropper launched these binaries using cmstp.exe, a legitimate Windows tool often abused to run malicious code, also known as a “living-off-the-land binary” (LOLBIN).
- One binary simulated a keypress to close itself immediately
- The other, written in Rust, acted as a Trojan with still-unknown capabilities
Additionally, four extensions used a different npm package, @actions/io, to deploy their malware, hiding it in TypeScript and map files rather than a fake PNG. In all cases, the attackers leveraged components that users generally trust to deliver their malware undetected.
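As an added defensive illustration (not code from the article, ReversingLabs, or any extension), the following Python script audits an unpacked extension directory for the traits described above: a .png whose bytes are not a PNG image, a file named lock inside node_modules/path-is-absolute, and script code in that normally dependency-free package that references child_process, cmstp or base64 decoding. The sample tree it builds, the token list and the archive signatures are constructed assumptions for the demo, not indicators taken from the real campaign.

```python
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Archive headers a fake "image" might really carry (constructed heuristic list)
ARCHIVE_MAGICS = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"7z\xbc\xaf\x27\x1c": "7z"}
# Tokens that have no place in the tiny, dependency-free path-is-absolute module (heuristic)
SUSPICIOUS_TOKENS = (b"child_process", b"cmstp", b"base64")

def audit_extension(root):
    """Walk an unpacked VS Code extension and return sorted (finding, relative_path) tuples."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        # Trait 1: a .png name whose content is not a PNG; report which archive it looks like
        if path.suffix.lower() == ".png" and not data.startswith(PNG_MAGIC):
            kind = next((k for m, k in ARCHIVE_MAGICS.items() if data.startswith(m)), "unknown")
            findings.append((f"png-without-png-header({kind})", rel))
        # Traits 2 and 3: extra "lock" file or process-spawning code inside path-is-absolute
        if "node_modules" in path.parts and path.parent.name == "path-is-absolute":
            if path.name == "lock":
                findings.append(("lock-file-in-path-is-absolute", rel))
            elif path.suffix == ".js" and any(t in data for t in SUSPICIOUS_TOKENS):
                findings.append(("suspicious-code-in-path-is-absolute", rel))
    return sorted(findings)

def build_sample_extension(base):
    """Constructed sample tree mirroring the reported layout; contents are inert placeholders."""
    ext = Path(base) / "sample-extension"
    mod = ext / "node_modules" / "path-is-absolute"
    mod.mkdir(parents=True)
    (mod / "package.json").write_text('{"name": "path-is-absolute", "version": "0.0.0-sample"}')
    (mod / "index.js").write_text("require('child_process'); // placeholder for a decoder stub\n")
    (mod / "lock").write_text("PLACEHOLDER-ENCODED-DROPPER")
    (ext / "banner.png").write_bytes(b"PK\x03\x04" + b"\x00" * 32)  # ZIP header behind a .png name
    (ext / "icon.png").write_bytes(PNG_MAGIC + b"\x00" * 16)       # genuine PNG header, not flagged
    return ext

def demo():
    """Build the constructed sample in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extension(build_sample_extension(tmp))

if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding}: {rel}")
```

Point audit_extension at a real ~/.vscode/extensions/<name> directory to run the same checks on installed extensions; a hit is a reason to inspect, not proof of compromise.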
Rising Risks for Developers
The threat is growing fast. ReversingLabs reports that malicious VS Code extension detections have jumped from 27 in 2024 to 105 in the first ten months of 2025 alone. This surge signals an evolution in software supply chain attacks, now targeting tools at the core of the development process. Even trusted dependencies and platforms are no longer immune from compromise.
While avoiding all extensions is not practical, experts recommend a more security-conscious approach:
- Thoroughly vet extensions before installation
- Audit bundled dependencies for any signs of tampering
- Rely on security tools that examine behavioral patterns, not just package metadata
All identified malicious extensions have been reported to Microsoft, but this incident underscores the persistent risk developers face from compromised supply chains.
Vigilance Is Key to Security
This incident serves as a stark warning about the importance of supply chain security in software development. Sophisticated malware can lurk even in popular, seemingly trustworthy extensions. Developers and organizations must prioritize proactive vigilance: conducting careful inspections, auditing dependencies, and using advanced security tools to defend against evolving threats in today’s digital landscape.
Source: Infosecurity Magazine

Malware Discovered Hiding in Popular Visual Studio Code Extensions: What Developers Need to Know