A malicious Visual Studio Code (VS Code) extension has been flagged by cybersecurity researchers due to its basic ransomware capabilities. The extension, which appears to have been created with the help of artificial intelligence—a practice dubbed “vibe-coding”—was identified shortly after its upload to the official marketplace. Secure Annex researcher John Tuckner, who initially discovered the threat, noted that the extension, named “susvsex,” made no attempts to hide its harmful functionality. It was uploaded on November 5, 2025, by a user named “suspublisher18” with a casual description, “Just testing,” and an obviously fake email address.
The extension’s listed description explicitly detailed its actions, stating it “Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch.” This highly concerning behavior prompted Microsoft to take swift action, and the extension was removed from the official VS Code Extension Marketplace on November 6. According to the developer’s shared details, the extension was designed to automatically activate itself upon any event, such as installation or the launch of VS Code.
Once activated, the extension invokes a function called “zipUploadAndEncrypt.” This function is responsible for creating a compressed ZIP archive of a specified target directory, uploading and exfiltrating this archive to a remote server, and then replacing the original files on the user’s machine with their encrypted versions. Fortunately, according to Tuckner, the TARGET_DIRECTORY was initially configured to a benign test staging directory. He noted that while this limited its immediate impact, the target directory could be easily updated in a subsequent extension release or via a command sent through its command-and-control (C2) channel.
Beyond the core encryption and exfiltration, the malicious extension also leverages GitHub for its command-and-control infrastructure. It operates by continuously polling a private GitHub repository to check for and execute any new commands. It achieves this by parsing the repository’s “index.html” file for instructions. After executing a command, the extension writes the results back to the same repository into a “requirements.txt” file, using a GitHub access token that was carelessly embedded within its code.
The associated GitHub account, “aykhanmv,” remains active, with the user claiming to be based in Baku, Azerbaijan. Tuckner highlighted several key indicators of the malware’s hasty, AI-assisted development, or “vibe-coded” nature. These signs included extraneous comments that detailed the functionality, README files with execution instructions, and placeholder variables. Critically, the extension package was found to have accidentally included vital components such as decryption tools, the command and control server code, and the GitHub access keys for the C2 server, which could potentially allow others to compromise or take over the C2 infrastructure.
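The traits the article describes are ones a marketplace reviewer or an internal extension allow-list pipeline can check for statically: an extension that activates on every startup, a hard-coded GitHub access token in the bundled JavaScript, and a single module that pulls in archiving, network upload and encryption at once. The script below is an added illustration written for this page, not code from the article, from Secure Annex or from the extension itself; the manifest, source files and the `ghp_AAAA...` token it scans are constructed placeholders, and the capability patterns and score weights are assumptions chosen for the example.

```python
"""Static triage of a VS Code extension bundle for the traits reported above.

Checks (all heuristics, all constructed for this example):
  1. activationEvents that fire on every launch ("*" / "onStartupFinished")
  2. hard-coded GitHub access tokens (classic ghp_ / fine-grained github_pat_)
  3. the "zip + upload + encrypt" API combination inside one source file
"""
import json
import re

# GitHub's published token shapes: classic PATs are "ghp_" + 36 chars;
# fine-grained PATs start with "github_pat_" (minimum length assumed here).
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b"
)

# Activation events that make the extension run without any user action.
BROAD_ACTIVATION = {"*", "onStartupFinished"}

# Capability markers: a module that hits all three deserves a human look.
CAPABILITY_PATTERNS = {
    "archive": re.compile(r"""require\(['"](archiver|adm-zip|jszip)['"]\)"""),
    "upload": re.compile(r"""require\(['"](https?|axios|node-fetch)['"]\)|fetch\("""),
    "encrypt": re.compile(r"createCipheriv|crypto\.subtle\.encrypt"),
}


def triage_extension(package_json: str, sources: dict) -> dict:
    """Return findings for one extension. `sources` maps file name -> JS text."""
    findings = {"broad_activation": [], "embedded_tokens": [], "zip_upload_encrypt": []}
    manifest = json.loads(package_json)
    for event in manifest.get("activationEvents", []):
        if event in BROAD_ACTIVATION:
            findings["broad_activation"].append(event)
    for name, text in sources.items():
        for match in GITHUB_TOKEN_RE.finditer(text):
            # Record only a redacted prefix; the report must not leak the secret.
            findings["embedded_tokens"].append((name, match.group(0)[:8] + "..."))
        caps = {k for k, rx in CAPABILITY_PATTERNS.items() if rx.search(text)}
        if caps == set(CAPABILITY_PATTERNS):
            findings["zip_upload_encrypt"].append(name)
    return findings


def risk_score(findings: dict) -> int:
    """Additive score so a pipeline can block outright or queue for review."""
    return (
        2 * bool(findings["broad_activation"])
        + 3 * bool(findings["embedded_tokens"])
        + 5 * bool(findings["zip_upload_encrypt"])
    )


# --- Constructed sample bundle (not the real extension's code) -------------
SAMPLE_MANIFEST = json.dumps({
    "name": "example-ext",
    "activationEvents": ["*"],
    "main": "./extension.js",
})
SAMPLE_SOURCE = {
    "extension.js": (
        "const archiver = require('archiver');\n"
        "const https = require('https');\n"
        "const { createCipheriv } = require('crypto');\n"
        "// constructed placeholder token, not a real credential\n"
        "const token = 'ghp_" + "A" * 36 + "';\n"
    ),
    "helper.js": "module.exports = () => 42;\n",
}

if __name__ == "__main__":
    result = triage_extension(SAMPLE_MANIFEST, SAMPLE_SOURCE)
    print(json.dumps(result, indent=2))
    print("score:", risk_score(result))
```

Run against the constructed bundle the script reports all three findings and a score of 10; a manifest that only activates on a specific command and a source file with none of the markers scores 0. The redacted-prefix choice matters in practice: a triage report that copies a full token into a ticket or log just moves the leaked credential somewhere else.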