Listen to this Post
Cybersecurity experts have discovered ransomware hidden within two Visual Studio Code (VSCode) Marketplace extensions, raising concerns about Microsoft’s ability to detect malicious software in its platform. The compromised extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded by users before security researchers flagged them, leading to their removal.
Despite Microsoft’s security measures, the extensions remained publicly accessible for a significant period, highlighting potential gaps in the company’s review process. Researchers at ReversingLabs found that both extensions included a PowerShell script connecting to a remote Amazon Web Services (AWS) server to download additional malicious code, functioning as ransomware in a testing phase.
You Should Know: How to Detect and Prevent Malicious VSCode Extensions
1. Verify Extensions Before Installation
Always check:
- Publisher reputation (verified badges, GitHub links, reviews).
- Download counts (low downloads may indicate suspicious activity).
- Update frequency (abandoned extensions could be risky).
Command to list installed VSCode extensions:
code --list-extensions
2. Scan for Malicious PowerShell Scripts
If an extension runs PowerShell scripts, inspect them first.
Check running processes in Windows:
Get-Process | Where-Object { $_.Name -like "powershell" }
Analyze script behavior with:
Get-Content "suspicious_script.ps1" | Select-String -Pattern "http|aws|malicious"
3. Monitor Network Connections
Detect unauthorized AWS or external connections:
On Linux:
netstat -tulnp | grep -E 'aws|http'
On Windows:
netstat -ano | findstr "ESTABLISHED"
4. Use Sandboxing for Suspicious Extensions
Run VSCode in a sandboxed environment (e.g., Docker, Windows Sandbox):
Linux (Docker Example):
docker run -it --rm -v "$(pwd):/workspace" ubuntu bash
Windows Sandbox:
Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM"
5. Remove Malicious Extensions Immediately
If compromised:
Uninstall an extension in VSCode:
code --uninstall-extension ahban.shiba
Check for persistence mechanisms (Linux):
crontab -l systemctl list-timers --all
What Undercode Say
Supply-chain attacks are evolving, and developers must adopt zero-trust principles when installing third-party tools. Key takeaways:
– Audit dependencies regularly.
– Restrict PowerShell execution in corporate environments.
– Use endpoint detection (EDR) for unusual process behavior.
– Isolate development environments from critical systems.
Linux hardening commands:
Disable unnecessary services sudo systemctl disable --now suspicious-service Check file integrity (against known hashes) sha256sum /path/to/file Monitor file changes (Linux) auditctl -w /path/to/extensions -p wa -k vscode_mods
Windows hardening commands:
Disable remote PowerShell execution Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Restricted Enable logging for script blocks Enable-PSWSManCombinedTrace -Level Verbose
Expected Output:
A secure development workflow with verified extensions, monitored network activity, and sandboxed testing environments to prevent ransomware infections.
Reference: ReversingLabs Report
References:
Reported By: Activity 7312622569654779904 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



