Malicious VSCode Extensions Found: Ransomware Hidden in Marketplace Tools

  • monique7472
  • Apr 23
  • 2 min read

Visual Studio Code is the golden retriever of text editors—friendly, fast, and so widely used that developers forget it’s quietly gnawing on their security posture.


That trust got kicked in the teeth recently.


Cybersecurity researchers discovered ransomware hidden in two publicly available VSCode Marketplace extensions—extensions that were live for weeks or even months before Microsoft pulled them. The names? “ahban.shiba” and “ahban.cychelloworld.” Which sound fake. Because they were.


Let’s break it down.


What Happened?


Researchers at ReversingLabs, a cybersecurity firm focused on software supply chain risk, found that both extensions included PowerShell scripts designed to connect silently to a remote AWS server. Once connected, they downloaded a second-stage payload—functioning ransomware, possibly in a staging or development phase.


These extensions were available for download via the official VSCode Marketplace, which—shockingly—did not catch the behavior during submission.


Timeline of Events

  • October 27, 2024 – “ahban.cychelloworld” is uploaded to the Marketplace

  • February 17, 2025 – “ahban.shiba” goes live

  • March 2025 – ReversingLabs reports the threat; Microsoft removes both extensions


They may have been test-stage malware, but they were live. Downloadable. In real developer environments.


Why This Matters to Developers and Organizations


VSCode is one of the most widely used code editors globally. Its extensions often have access to:

  • Local files and folders

  • Terminal commands and environment variables

  • Credentials, API tokens, and cloud configs


If one of those extensions is malicious, it can:

  • Encrypt your files and demand ransom

  • Steal secrets

  • Propagate through synced development environments or repos


This is a supply chain attack, plain and simple—just one layer closer to the humans building the software.


How to Protect Your Development Environment


These aren’t theoretical best practices anymore—they’re survival tools. Here’s what you need to be doing:


1. Audit Your Installed VSCode Extensions

Remove anything you don’t recognize, don’t use, or that looks sketchy. Be especially cautious with extensions that:

  • Have very low download counts

  • Use vague or meaningless publisher names

  • Appeared recently with no real history


2. Monitor Outbound Connections

Use endpoint tools that detect when VSCode (or one of its extensions) attempts to reach an unexpected external IP or download remote content.


3. Lock Down Permissions

Don’t run VSCode with admin rights unless you’re absolutely sure it’s necessary. Restrict PowerShell usage for non-admin users when possible.


4. Stay Informed

Subscribe to trusted sources like:

  • CISA Advisories

  • GitHub Security Advisories

  • ReversingLabs Threat Reports
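Steps 1 through 3 above can be partly scripted. The following is an added example written for this post, not tooling from ReversingLabs, Microsoft or the VSCode project: it parses the output of the real `code --list-extensions --show-versions` command (a constructed sample listing is embedded so it runs offline; the version numbers in it are made up), flags extensions whose publisher is not on an assumed organisational allowlist, and then statically inspects each installed extension folder under `~/.vscode/extensions` for bundled PowerShell or batch scripts, for download-and-execute patterns inside them, and for a manifest that activates on every startup. The indicator list and the allowlist are assumptions you would tune for your own environment; a hit is a reason to look, not proof of malice.

```python
"""Added example: triage installed VSCode extensions by publisher allowlist
and by static indicators in the installed extension folder.
Not ReversingLabs' or Microsoft's tooling; the indicator list is an assumption."""
import json
import re
from pathlib import Path

# Constructed sample of what `code --list-extensions --show-versions` prints.
# The two "ahban" IDs are the ones named in the post; the versions are made up.
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.4.0
ahban.shiba@0.0.1
ahban.cychelloworld@0.0.3
"""

# Assumption: your organisation maintains a publisher allowlist like this one.
TRUSTED_PUBLISHERS = {"ms-python", "esbenp", "redhat", "github"}

EXT_RE = re.compile(r"^(?P<publisher>[^.]+)\.(?P<name>[^@]+)@(?P<version>\S+)$")

# PowerShell idioms for fetching and running remote content, the behaviour the
# post describes. Assumed starting set; extend it from your own detections.
PS_DOWNLOAD_PATTERNS = [
    r"Invoke-WebRequest", r"\biwr\b", r"DownloadString", r"DownloadFile",
    r"Invoke-Expression", r"\biex\b", r"Start-BitsTransfer",
    r"-EncodedCommand", r"\s-enc\s",
]

SCRIPT_SUFFIXES = {".ps1", ".psm1", ".bat", ".cmd", ".vbs"}


def parse_listing(text):
    """Turn the CLI listing into (publisher, name, version) tuples."""
    entries = []
    for line in text.splitlines():
        m = EXT_RE.match(line.strip())
        if m:
            entries.append((m["publisher"], m["name"], m["version"]))
    return entries


def flag_by_publisher(entries, trusted=TRUSTED_PUBLISHERS):
    """Extension IDs whose publisher is not on the allowlist."""
    return [f"{p}.{n}" for p, n, _ in entries if p not in trusted]


def inspect_manifest(manifest):
    """Findings from an extension's package.json, passed as a dict."""
    findings = []
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates on every startup (activationEvents '*')")
    for key, cmd in manifest.get("scripts", {}).items():
        if re.search(r"powershell|pwsh", cmd, re.I):
            findings.append(f"npm script '{key}' invokes PowerShell")
    return findings


def inspect_script_text(text):
    """Download/execute indicators present in a script body."""
    return [p for p in PS_DOWNLOAD_PATTERNS if re.search(p, text, re.I)]


def scan_extension_dir(ext_dir):
    """Walk one installed extension folder (e.g. ~/.vscode/extensions/<id>-<ver>)
    and return (relative path, finding) tuples."""
    ext_dir = Path(ext_dir)
    results = []
    manifest_path = ext_dir / "package.json"
    if manifest_path.is_file():
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, UnicodeDecodeError):
            results.append(("package.json", "unparseable manifest"))
        else:
            results.extend(("package.json", f) for f in inspect_manifest(manifest))
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            rel = str(path.relative_to(ext_dir))
            results.append((rel, "bundled shell/PowerShell script"))
            text = path.read_text(encoding="utf-8", errors="ignore")
            results.extend((rel, f"script matches '{hit}'") for hit in inspect_script_text(text))
    return results


def scan_all_extensions(root=Path.home() / ".vscode" / "extensions"):
    """Scan every extension folder under the default install root."""
    root = Path(root)
    report = {}
    if root.is_dir():
        for child in sorted(p for p in root.iterdir() if p.is_dir()):
            findings = scan_extension_dir(child)
            if findings:
                report[child.name] = findings
    return report


if __name__ == "__main__":
    print("Unknown publishers:", flag_by_publisher(parse_listing(SAMPLE_LISTING)))
    for ext, findings in scan_all_extensions().items():
        print(ext)
        for rel, what in findings:
            print(f"  {rel}: {what}")
```

Run it as-is to scan the default user install root; to audit the live listing instead of the constructed sample, feed the output of `code --list-extensions --show-versions` to `parse_listing`. Static matching on script text is cheap and catches the plain download-then-execute pattern, but obfuscated or staged payloads will slip past it, which is exactly why the post's step 2 (watching outbound connections from the editor process) still matters.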


Final Thoughts: Marketplace Trust Is on the Line


This wasn’t a rogue dependency buried in a backend library. This was ransomware—on a first-party extension marketplace—published under Microsoft’s nose.


If Microsoft wants to keep developer trust, it needs to:

  • Tighten extension review processes

  • Improve automated malware detection

  • Increase transparency when incidents like this occur


Until then, it's up to the rest of us to be skeptical, cautious, and a little paranoid.


Even your text editor can turn on you. Audit accordingly.
