19 Malicious Visual Studio Code Extensions Uncovered

Summary
– A campaign of 19 malicious VS Code extensions was discovered, using a legitimate npm package to hide malware within dependency folders.
– The attack embedded a modified version of the popular `path-is-absolute` package to trigger a JavaScript dropper when VS Code starts.
– Attackers also disguised a malicious archive as a PNG file, which deployed binaries via a system tool to execute a Rust-based Trojan.
– The threat is growing, with detections of malicious extensions rising sharply from 27 in 2024 to 105 in the first ten months of 2025.
– To mitigate risk, developers should inspect extensions, audit dependencies, and use security tools, as trusted components can be compromised.
Cybersecurity experts have identified a significant campaign involving 19 malicious Visual Studio Code extensions that secretly embedded harmful software within their dependency folders. This operation, active since February of this year but formally identified in early December, cleverly used a legitimate npm package to hide dangerous files. The attackers bundled malicious binaries inside an archive disguised as a standard PNG image file, a method that allowed them to evade standard security checks and directly target software developers.
Throughout 2025, a troubling increase in suspicious uploads to the VS Code Marketplace has been observed. These harmful extensions often mimic well-known tools or advertise appealing new features, only to execute unwanted code in the background. The threat even extends to previously trusted projects; in one instance from July, a malicious update to a legitimate extension introduced a harmful dependency. In this specific campaign, the attackers embedded a tampered version of the widely used `path-is-absolute` npm package within the extensions. This modified package contained a class designed to activate malware as soon as Visual Studio Code launched, initiating a process to decode a JavaScript dropper from a file named “lock.”
The scheme also involved a file named `banner.png`. While appearing to be a simple image, this file was actually an archive containing two binary executables. The dropper would launch these files using `cmstp.exe`, a legitimate Windows system tool often exploited by attackers. One executable was designed to discreetly close its own process, while the other was a Rust-based Trojan whose full functionality was still under investigation at the time of discovery.
While most of the extensions relied on the corrupted `path-is-absolute` package, four others took a different approach by weaponizing the `@actions/io` npm package. In these cases, the malicious payload was distributed across TypeScript and map files instead of using the disguised PNG archive. Despite the variation in technique, the core objective was identical: to covertly run malware through components that developers inherently trust.
The need for vigilance has never been greater. Security researchers report that detections of malicious extensions surged from just 27 in all of 2024 to 105 in the first ten months of 2025 alone. To mitigate these growing supply chain risks, development teams are advised to take proactive steps. It is crucial to inspect extensions before installation and to regularly audit all bundled dependencies. Employing security tools that can analyze package behavior for suspicious activity is also highly recommended. Security professionals emphasize that safety does not mean avoiding extensions entirely, but rather adopting a mindset that acknowledges even trusted components can be compromised. All extensions mentioned in this campaign have been reported to Microsoft for removal.
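The two tricks described above (an image file that is really an archive, and a tampered copy of a trusted npm package carrying extra files) can both be caught by a simple content-based audit of an installed extensions directory. The script below is an added example written for this summary, not code from the article or from any of the researchers cited; it builds a small constructed sample tree, flags `.png` files whose bytes are not PNG, and flags files at the top level of `path-is-absolute` or `@actions/io` that a clean copy of those packages would not contain. The `EXPECTED_TOP_LEVEL` allowlist and the set of archive signatures checked are assumptions made for the example; a production audit would compare each package against the registry tarball instead.

```python
"""Heuristic audit of a VS Code extensions directory.

Added example (not from the article). Two checks, both defensive:
  1. A file named *.png whose first bytes are an archive signature, not PNG.
  2. Unexpected top-level files inside copies of the npm packages the
     campaign tampered with (`path-is-absolute`, `@actions/io`).
The sample extension tree in build_sample_tree() is constructed for illustration.
"""
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Archive signatures to look for. Assumption: the article does not state the
# archive format used, so several common containers are checked.
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
# Packages named in the article as carriers of the payload.
WATCHED_PACKAGES = ("path-is-absolute", "@actions/io")
# Files/dirs normally present at the top level of these small packages.
# Assumption for this example; a real audit diffs against the registry tarball.
EXPECTED_TOP_LEVEL = {"package.json", "index.js", "index.d.ts", "readme.md", "license", "lib"}


def sniff(path):
    """Return 'png', an archive name, or 'unknown' based on leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PNG_MAGIC):
        return "png"
    for magic, name in ARCHIVE_MAGICS.items():
        if head.startswith(magic):
            return name
    return "unknown"


def scan_extensions(root):
    """Walk `root` and return a list of finding dicts (kind, path, detail)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Check 1: image by name, something else by content.
        if path.suffix.lower() == ".png":
            kind = sniff(path)
            if kind != "png":
                findings.append({"kind": "fake-png", "path": rel, "detail": kind})
        # Check 2: extra files inside a watched dependency.
        parts = rel.split("/")
        if "node_modules" in parts:
            i = parts.index("node_modules")
            if i + 1 >= len(parts):
                continue
            pkg, offset = parts[i + 1], i + 2
            if pkg.startswith("@") and offset < len(parts):  # scoped package
                pkg, offset = pkg + "/" + parts[offset], offset + 1
            if pkg in WATCHED_PACKAGES and offset < len(parts):
                top = parts[offset].lower()
                if top not in EXPECTED_TOP_LEVEL:
                    findings.append({"kind": "unexpected-file", "path": rel, "detail": pkg})
    return findings


def build_sample_tree(root):
    """Write a constructed sample: one tampered extension, one clean one, one
    using a tampered @actions/io. All contents are synthetic placeholders."""
    root = Path(root)
    pia = root / "ext1" / "node_modules" / "path-is-absolute"
    pia.mkdir(parents=True)
    (pia / "index.js").write_bytes(b"module.exports = p => p.startsWith('/');\n")
    (pia / "package.json").write_bytes(b'{"name":"path-is-absolute"}\n')
    (pia / "lock").write_bytes(b"constructed-opaque-blob")            # extra file
    (pia / "banner.png").write_bytes(b"PK\x03\x04" + b"\x00" * 32)    # zip, not PNG
    clean = root / "ext2" / "images"
    clean.mkdir(parents=True)
    (clean / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 32)        # genuine PNG header
    aio = root / "ext3" / "node_modules" / "@actions" / "io"
    (aio / "lib").mkdir(parents=True)
    (aio / "package.json").write_bytes(b'{"name":"@actions/io"}\n')
    (aio / "lib" / "io.js").write_bytes(b"exports.cp = () => {};\n")
    (aio / "index.ts").write_bytes(b"// constructed extra file\n")   # extra file


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="vscode-ext-audit-")
    build_sample_tree(root)
    return scan_extensions(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:16} {f['path']}  ({f['detail']})")
```

Pointing `scan_extensions()` at a real extensions directory (for example `~/.vscode/extensions`) lists candidates for manual review; the checks are deliberately heuristic, so a hit means "look at this", not "this is malicious".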
(Source: InfoSecurity Magazine)