Code Under Siege: Malicious Extensions Infiltrate Visual Studio Code Marketplace
A stealthy malware campaign has weaponized trusted development tools, targeting unsuspecting coders with cleverly hidden threats.
It started as a whisper among cybersecurity circles: something was off in the world’s most popular code editor. By the time researchers at ReversingLabs published their findings, the picture was clear. The Visual Studio Code (VS Code) marketplace, a digital bazaar trusted by millions of developers, had become a Trojan horse - smuggling malware into the heart of the global software supply chain.
Inside the Attack: How VS Code Became a Malware Delivery System
The attack was as ingenious as it was insidious. Rather than publishing tampered packages to the official npm registry, where they would face public scrutiny, the threat actors altered the copies of dependencies bundled inside VS Code extensions - hiding in plain sight. The extensions appeared legitimate, but their node_modules directories contained doctored versions of popular libraries, including the widely used path-is-absolute. Because those bundled copies never pass through npm install on the victim’s machine, no lockfile integrity check ever compares them with the genuine package.
Central to the scheme was a file named banner.png. Far from being a harmless image, it was an archive packed with two malicious binaries. When an infected extension was installed and VS Code launched, the library’s modified entry point (index.js) silently activated. It decoded a JavaScript dropper from a file called lock, and that dropper in turn extracted and executed the real payload from the fake PNG. The disguise is thin on inspection: a genuine PNG begins with the fixed byte sequence 89 50 4E 47 0D 0A 1A 0A, and an archive wearing that file name will not, unless it has been crafted as a polyglot.
The attackers didn’t stop at image-based deception. In some cases they hid code inside TypeScript files and sourcemaps, or tampered with other packages such as @actions/io. The final stage abused cmstp.exe - Microsoft’s Connection Manager Profile Installer, a signed system binary long catalogued as a living-off-the-land tool - so the malware ran under a trusted process and drew less attention from endpoint security tools.
The campaign’s effectiveness lay in how VS Code extensions are packaged: a .vsix file is a zip archive, and unlike most npm projects, which fetch dependencies at install time, an extension ships with its entire node_modules tree inside. This “out of the box” convenience became a smokescreen. The attackers could inject malicious code without altering upstream packages or raising red flags in public repositories, and because nothing is downloaded at install time, no integrity check ever ran on the bundled copies.
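As an added example (not ReversingLabs’ tooling and not code from the page), the following Python script shows how a reviewer can check a .vsix for the kind of tampering described above. It treats the archive as the zip it is, compares each file of a bundled package against a baseline of hashes (constructed inline here; in practice you would derive it from the registry tarball for that exact version), flags files the genuine package never contained, and checks that files named like images actually begin with an image’s magic bytes. The sample VSIX, the package contents and the baseline hashes are all constructed for the demonstration; nothing is fetched from the network.

```python
"""Scan a VSIX (a zip archive) for tampered bundled npm dependencies.

Added example, not ReversingLabs' tooling or VS Code's own code. It builds a
small constructed VSIX in memory that mimics the layout described in the
article (a doctored path-is-absolute with an extra 'lock' file and a
'banner.png' that is really an archive) and reports differences against a
constructed baseline.
"""
import hashlib
import io
import json
import zipfile

# Magic bytes for formats an attacker might impersonate. A file whose name
# claims one format but whose bytes say another deserves a look.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04",
}

# Constructed "clean" package contents. In real use the baseline hashes come
# from the registry tarball for the pinned version, not from hand-built bytes.
CLEAN_INDEX = b"module.exports = function isAbsolute(p) { return p.charAt(0) === '/'; };\n"
CLEAN_PKG = json.dumps({"name": "path-is-absolute", "version": "1.0.1"}).encode()
BASELINE = {
    "path-is-absolute": {
        "index.js": hashlib.sha256(CLEAN_INDEX).hexdigest(),
        "package.json": hashlib.sha256(CLEAN_PKG).hexdigest(),
    }
}


def sniff(name, data):
    """Return a finding string if the extension does not match the magic bytes."""
    for ext, magic in MAGIC.items():
        if name.lower().endswith(ext) and not data.startswith(magic):
            actual = next((e for e, m in MAGIC.items() if data.startswith(m)), "unknown")
            return f"{name}: claims {ext} but looks like {actual}"
    return None


def scan_vsix(vsix_bytes, baseline=BASELINE):
    """Return findings for packages bundled under extension/node_modules/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as z:
        for info in z.infolist():
            parts = info.filename.split("/")
            # Only inspect extension/node_modules/<pkg>/<path inside package>
            if info.is_dir() or len(parts) < 4 or parts[:2] != ["extension", "node_modules"]:
                continue
            pkg, rel = parts[2], "/".join(parts[3:])
            data = z.read(info)
            hit = sniff(rel, data)
            if hit:
                findings.append(f"{pkg}/{hit}")
            expected = baseline.get(pkg)
            if expected is None:
                continue  # no baseline for this package; extend BASELINE to cover it
            if rel not in expected:
                findings.append(f"{pkg}/{rel}: not in registry tarball")
            elif hashlib.sha256(data).hexdigest() != expected[rel]:
                findings.append(f"{pkg}/{rel}: content differs from registry tarball")
    return findings


def build_sample_vsix(tampered=True):
    """Construct an in-memory VSIX; tampered=True mimics the described layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension/package.json", json.dumps({"name": "demo-ext"}))
        base = "extension/node_modules/path-is-absolute/"
        z.writestr(base + "package.json", CLEAN_PKG)
        if not tampered:
            z.writestr(base + "index.js", CLEAN_INDEX)
        else:
            # Modified entry point that pulls in the dropper stage
            z.writestr(base + "index.js", CLEAN_INDEX + b"require('./lock');\n")
            z.writestr(base + "lock", b"// encoded dropper stand-in (constructed)\n")
            # A 'PNG' that is really a zip archive
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as iz:
                iz.writestr("payload.bin", b"\x00" * 16)
            z.writestr(base + "banner.png", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_vsix(build_sample_vsix()):
        print(line)
```

Run against a real extension, the same scanner works on the downloaded .vsix directly, but the BASELINE must be built from the registry tarball (`npm pack` or the tarball URL in the package metadata) for the exact version named in the bundled package.json; a hand-maintained baseline, like the one constructed here, only proves the mechanism.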
What This Means for Developers - and the Software Supply Chain
The breach underscores a sobering truth: even the most trusted development platforms are not immune to creative supply chain attacks. Developers - often considered the guardians of software integrity - have now become prime targets, and an extension runs with the full privileges of the developer’s account the moment it activates. As extension marketplaces grow, so does the attack surface, demanding new levels of vigilance from both platform maintainers and users: check who published an extension, and treat the bundled node_modules tree as code you are choosing to run.
The incident is a wake-up call for the entire coding community: security is only as strong as its weakest link, and sometimes, the enemy is hiding right inside your favorite tools.