Malicious VSCode Extensions Found: Ransomware Hidden in Marketplace Tools
- monique7472
- Apr 23
- 2 min read

Visual Studio Code is the golden retriever of text editors—friendly, fast, and so widely used that developers forget it’s quietly gnawing on their security posture.
That trust got kicked in the teeth recently.
Cybersecurity researchers discovered ransomware hidden in two publicly available VSCode Marketplace extensions—extensions that were live for weeks or even months before Microsoft pulled them. The names? “ahban.shiba” and “ahban.cychelloworld.” Which sound fake. Because they were.
Let’s break it down.
What Happened?
Researchers at ReversingLabs, a cybersecurity firm focused on software supply chain risk, found that both extensions included PowerShell scripts designed to connect silently to a remote AWS server. Once connected, they downloaded a second-stage payload—functioning ransomware, possibly in a staging or development phase.
These extensions were available for download via the official VSCode Marketplace, which—shockingly—did not catch the behavior during submission.
Timeline of Events
October 27, 2024 – “ahban.cychelloworld” is uploaded to the Marketplace
February 17, 2025 – “ahban.shiba” goes live
March 2025 – ReversingLabs reports the threat; Microsoft removes both extensions
They may have been test-stage malware, but they were live. Downloadable. In real developer environments.
Why This Matters to Developers and Organizations
VSCode is one of the most widely used code editors globally. Its extensions often have access to:
Local files and folders
Terminal commands and environment variables
Credentials, API tokens, and cloud configs
If one of those extensions is malicious, it can:
Encrypt your files and demand ransom
Steal secrets
Propagate through synced development environments or repos
This is a supply chain attack, plain and simple—just one layer closer to the humans building the software.
How to Protect Your Development Environment
These aren’t theoretical best practices anymore—they’re survival tools. Here’s what you need to be doing:
1. Audit Your Installed VSCode Extensions
Remove anything you don’t recognize, don’t use, or that looks sketchy. Be especially cautious with extensions that:
Have very low download counts
Use vague or meaningless publisher names
Appeared recently with no real history
2. Monitor Outbound Connections
Use endpoint tools that detect when VSCode (or its extensions) attempt to reach unexpected external IPs or download remote content.
3. Lock Down Permissions
Don’t run VSCode with admin rights unless you’re absolutely sure it’s necessary. Restrict PowerShell usage for non-admin users when possible.
4. Stay Informed
Subscribe to trusted sources like:
CISA Advisories
GitHub Security Advisories
ReversingLabs Threat Reports
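Step 1 above is the one you can script. The block below is an added example, not code from the post or from ReversingLabs: it walks the installed-extension directory, reads each extension's package.json manifest, and flags anything whose publisher is not on a team allowlist, that names no source repository, or that ships PowerShell or shell script files (the trait the two extensions in the write-up shared). The default directory ~/.vscode/extensions is VSCode's usual layout; the allowlist and the two sample extensions built by build_sample_tree() are constructed for the demo, and the version assigned to the "ahban.shiba" stand-in is invented.

```python
"""Audit the extensions installed in a VSCode profile and flag ones worth a second look.

Added example, not part of the original post. Assumptions: extensions live as
<publisher>.<name>-<version>/ directories under ~/.vscode/extensions (VSCode's
default layout), each with a package.json; the publisher allowlist and the sample
extensions created by build_sample_tree() are constructed for this demo.
"""
import json
import tempfile
from pathlib import Path

DEFAULT_EXT_DIR = Path.home() / ".vscode" / "extensions"

# Publishers your team has reviewed and approved (constructed example list).
APPROVED_PUBLISHERS = {"ms-python", "ms-vscode", "esbenp"}

# Script types an editor extension rarely needs to ship; the samples in the
# write-up carried PowerShell, so these are worth a manual look.
SCRIPT_SUFFIXES = {".ps1", ".psm1", ".sh", ".bat", ".cmd"}


def audit_extension(ext_dir, approved):
    """Return an id/version/findings record for one installed extension directory."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    publisher = manifest.get("publisher", "")
    name = manifest.get("name", "")
    findings = []
    if publisher not in approved:
        findings.append(f"publisher '{publisher}' is not on the allowlist")
    if not manifest.get("repository"):
        findings.append("manifest lists no source repository")
    scripts = sorted(
        p.relative_to(ext_dir).as_posix()
        for p in ext_dir.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    )
    if scripts:
        findings.append("ships script files: " + ", ".join(scripts))
    return {"id": f"{publisher}.{name}", "version": manifest.get("version", "?"), "findings": findings}


def audit_all(ext_root=DEFAULT_EXT_DIR, approved=APPROVED_PUBLISHERS):
    """Audit every extension directory under ext_root; directories without a manifest are skipped."""
    return [
        audit_extension(d, approved)
        for d in sorted(ext_root.iterdir())
        if (d / "package.json").is_file()
    ]


def build_sample_tree(root):
    """Create two constructed extensions: a clean one and one mimicking the write-up's traits."""
    clean = root / "ms-python.python-2024.1.0"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({
        "name": "python", "publisher": "ms-python", "version": "2024.1.0",
        "repository": {"url": "https://github.com/microsoft/vscode-python"},
    }))
    # Name taken from the write-up; the version and contents are constructed.
    suspect = root / "ahban.shiba-0.0.1"
    (suspect / "scripts").mkdir(parents=True)
    (suspect / "package.json").write_text(json.dumps({
        "name": "shiba", "publisher": "ahban", "version": "0.0.1",
    }))
    (suspect / "scripts" / "setup.ps1").write_text("# constructed placeholder, no real content\n")


def run_demo():
    """Build the sample tree in a temp dir, audit it, and return results keyed by extension id."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {r["id"]: r for r in audit_all(root, APPROVED_PUBLISHERS)}


if __name__ == "__main__":
    # Swap run_demo() for audit_all() to scan the real profile directory.
    for ext_id, rec in run_demo().items():
        status = "OK" if not rec["findings"] else "REVIEW"
        print(f"{status:6} {ext_id}@{rec['version']}")
        for finding in rec["findings"]:
            print(f"       - {finding}")
```

Run it as-is to see the two constructed records; call audit_all() with no arguments to scan your own profile. The plain inventory (ids and versions only) is also available from VSCode's own CLI with code --list-extensions --show-versions, which is handy for diffing against a team baseline, but it does not inspect manifests or bundled files, which is what separates "installed" from "reviewed".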
Final Thoughts: Marketplace Trust Is on the Line
This wasn’t a rogue dependency buried in a backend library. This was ransomware—on a first-party extension marketplace—published under Microsoft’s nose.
If Microsoft wants to keep developer trust, it needs to:
Tighten extension review processes
Improve automated malware detection
Increase transparency when incidents like this occur
Until then, it's up to the rest of us to be skeptical, cautious, and a little paranoid.
Even your text editor can turn on you. Audit accordingly.