Security researchers have uncovered a significant threat targeting developers through the VS Code Marketplace. A coordinated campaign involving 19 malicious extensions has been actively infiltrating the platform, with the attack remaining undetected since February 2025. <\/p>\n
These deceptive extensions carry hidden malware in their dependency folders, designed to evade security detection and compromise developer machines.<\/p>\n
The campaign showcases how attackers have shifted their approach to target the software supply chain. Rather than deploying obvious threats, the threat actors created extensions that either impersonate legitimate packages or claim to offer genuine features. <\/p>\n
Once installed, these extensions activate malicious code<\/a> silently in the background. What makes this campaign particularly sophisticated is the method of concealment\u2014the attackers embedded executable files within what appeared to be harmless image files, specifically PNG files. <\/p>\n This approach creates an additional layer of deception, as developers would not suspect a graphic file of containing executable code.<\/p>\n The threat emerges from a worrying trend. In the first ten months of 2025 alone, malware detections on VS Code almost quadrupled compared to 2024, rising from 27 to 105 instances. <\/p>\n This sharp increase indicates that the VS Code Marketplace has become an increasingly attractive target for malicious actors seeking to reach developer communities.<\/p>\n ReversingLabs security analysts identified<\/a> that the malware exploits the way VS Code extensions are structured. <\/p>\n Extensions come pre-packaged with all their dependencies in a node_modules folder, allowing them to run without needing to download additional components. <\/p>\n The researchers discovered that the attackers weaponized the popular \u201cpath-is-absolute\u201d npm package, which has accumulated over 9 billion downloads since 2021. <\/p>\n By adding malicious code to this dependency within their extensions, they turned a trusted component into a delivery mechanism for the trojan.<\/p>\n The infection process begins when VS Code starts up. The modified package\u2019s index.js file contains a new class that automatically triggers upon launch. <\/p>\n This class decodes a JavaScript<\/a> dropper concealed inside the malicious banner.png file. The dropper itself was hidden through base64 encoding and string reversal, making manual analysis difficult. <\/p>\n When executed, this dropper deploys two malicious binaries using cmstp.exe, a legitimate Windows tool<\/a> that attackers abuse. <\/p>\n One binary manages the attack process, while the other is a more sophisticated Rust-based trojan whose full capabilities were still under investigation at the time of discovery. <\/p>\n Four extensions in the campaign used alternative methods, splitting the binaries into separate .ts and .map files rather than concealing them in PNG archives.<\/p>\n Development teams should immediately audit their installed extensions, verify their sources, and employ security scanning<\/a> tools before installation to prevent compromise.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Infiltrate VS Code Marketplace with 19 Malicious Extensions Posing as PNG File<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Difference](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjXwok00c4fMaWkV8IFwIZ1XekXWj0AV1CeyK1DqVpcLq5EkTW1kPDHtQOA6-_wbNDhoWJxrRqY2wtpG_SDVWyGHdSFjdcvjgayHmypAzqXALETfNREljnW6ku026K6EmM0F1BFVaURWskKdzEOFVCRthdKVe_vjNzhoPEaTmsWiZGhQx6FdCtYAVwdVss\/s16000\/Difference%2520between%2520original%2520%27path-is-absolute%27%2520package%2520and%2520the%2520modified%2520one%2520%28Source%2520-%2520Reversing%2520Labs%29.webp?ssl=1\")
Technical Infection Mechanism<\/strong><\/h2>\n
![\"Malicious](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgVToPFuwalQCfaEbttLAI-5Z_kzniohdxZyzaAIprGBngHzUkQGcaFH38gaStQEuaHRZ0KdBmODch9dgUuk3-kcgcSSUD78y_Z-xWWN8XFTs6U-vQLbJev6L5VJ1Lt5CZ7HZ1bn1JIYmxOmjeybUa_aHW57IeCkotPCMlFo2zII580bFfAZqrkdXvdMAM\/s16000\/Malicious%2520code%2520being%2520added%2520to%2520index.js%2520of%2520the%2520%27path-is-absolute%27%2520npm%2520package%2520%28Source%2520-%2520Reversing%2520Labs%29.png?ssl=1\")
![\"Decoded](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhrxhM-5jOW06WODECK4jqp2tPuXHGa0j5-Eb35Hluz1IG3BTODeNPqCpg8cWZKrH6ubI9kLYvX-57rb_pfSTLWdiMM87gIgrQvhP94eaGm_HQxa5cRR-kqPIsNuzxvRByLwpbTQYb9vSQWzPZO0KKL-zjkKDP5O1yF4cT826veMJt6rEqXP49N3v3RqYw\/s16000\/Decoded%2520payload%2520of%2520the%2520%27lock%27%2520file%2520%28Source%2520-%2520Reversing%2520Labs%29.png?ssl=1\")