Cybersecurity Alert: Ransomware Hidden in VSCode Marketplace Extensions

Listen to this Post

Cybersecurity experts have discovered ransomware hidden within two Visual Studio Code (VSCode) Marketplace extensions, raising concerns about Microsoft’s ability to detect malicious software in its platform. The compromised extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded by users before security researchers flagged them, leading to their removal.

Despite Microsoft’s security measures, the extensions remained publicly accessible for a significant period, highlighting potential gaps in the company’s review process. Researchers at ReversingLabs found that both extensions included a PowerShell script connecting to a remote Amazon Web Services (AWS) server to download additional malicious code, functioning as ransomware in a testing phase.

Read more here

You Should Know: How to Detect and Prevent Malicious VSCode Extensions

1. Verify Extensions Before Installation

Always check:

  • Publisher reputation (verified badges, GitHub links, reviews).
  • Download counts (low downloads may indicate suspicious activity).
  • Update frequency (abandoned extensions could be risky).

Command to list installed VSCode extensions:

code --list-extensions 

2. Scan for Malicious PowerShell Scripts

If an extension runs PowerShell scripts, inspect them first.

Check running processes in Windows:

Get-Process | Where-Object { $_.Name -like "powershell" } 

Analyze script behavior with:

Get-Content "suspicious_script.ps1" | Select-String -Pattern "http|aws|malicious" 

3. Monitor Network Connections

Detect unauthorized AWS or external connections:

On Linux:

netstat -tulnp | grep -E 'aws|http' 

On Windows:

netstat -ano | findstr "ESTABLISHED" 

4. Use Sandboxing for Suspicious Extensions

Run VSCode in a sandboxed environment (e.g., Docker, Windows Sandbox):

Linux (Docker Example):

docker run -it --rm -v "$(pwd):/workspace" ubuntu bash 

Windows Sandbox:

Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" 

5. Remove Malicious Extensions Immediately

If compromised:

Uninstall an extension in VSCode:

code --uninstall-extension ahban.shiba 

Check for persistence mechanisms (Linux):

crontab -l 
systemctl list-timers --all 

What Undercode Say

Supply-chain attacks are evolving, and developers must adopt zero-trust principles when installing third-party tools. Key takeaways:
– Audit dependencies regularly.
– Restrict PowerShell execution in corporate environments.
– Use endpoint detection (EDR) for unusual process behavior.
– Isolate development environments from critical systems.

Linux hardening commands:

 Disable unnecessary services 
sudo systemctl disable --now suspicious-service

Check file integrity (against known hashes) 
sha256sum /path/to/file

Monitor file changes (Linux) 
auditctl -w /path/to/extensions -p wa -k vscode_mods 

Windows hardening commands:

 Disable remote PowerShell execution 
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Restricted

Enable logging for script blocks 
Enable-PSWSManCombinedTrace -Level Verbose 

Expected Output:

A secure development workflow with verified extensions, monitored network activity, and sandboxed testing environments to prevent ransomware infections.

Reference: ReversingLabs Report

References:

Reported By: Activity 7312622569654779904 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image