VSCode’s Comedy of Errors: Malware Masquerades as Themes, Targets Devs
The VSCode Marketplace had been hosting a sneaky malware campaign of 19 malicious extensions since February. Each one shipped a tampered copy of a popular npm dependency that loads a hidden payload disguised as a .PNG image. Microsoft has now pulled the extensions, but if you installed any of them, it's time to channel your inner Sherlock and scan your system for signs of compromise.

Hot Take:
Who knew that developing code could be as risky as playing Minesweeper on hard mode? With malware lurking in dependency folders like a ninja in the night, developers better start checking their extensions as thoroughly as a TSA agent at an airport. Microsoft might have pulled the plug on this campaign, but it seems like VSCode is the new hot spot for cyber shenanigans. Who needs drama when you have software supply-chain attacks?
Key Points:
- 19 malicious VSCode extensions have been removed after being discovered.
- Malware was cleverly disguised as a .PNG image and hidden in dependency folders.
- The extensions bundled a tampered copy of a popular npm package, ‘path-is-absolute’, so the malicious code could fly under the radar.
- ReversingLabs found that the campaign utilized a Rust-based trojan and a LoLBin.
- Developers are advised to thoroughly inspect extensions before installing them from non-reputable sources.
Malicious Extensions: The New Code Red
In a plot twist worthy of a tech thriller, 19 VSCode extensions were caught red-handed, sneaking malware into the lives of unsuspecting developers. These stealthy little digital miscreants were hiding in the shadows since February, all while posing as harmless extensions with names like “Malkolm Theme” and “PandaExpress Theme.” Who knew malicious intent could come with such cute names? It’s almost like naming your pet snake “Fluffy.”
Packing a Punch in a .PNG Package
The malware—because why settle for a boring old virus when you can have a trojan?—was cleverly concealed as a .PNG image inside a dependency folder. This sneaky tactic was like serving a Trojan horse with a side of fries. The attack chain didn't settle for one trick either: it abused a living-off-the-land binary (LoLBin), a legitimate system tool pressed into service so the activity blends in with normal use, and dropped a Rust-based trojan. It seems the bad guys have been taking notes from James Bond on how to be suave and sophisticated.
The Not-So-Innocent ‘path-is-absolute’
Ah, the ‘path-is-absolute’ package—sounds innocent enough, right? Turns out, it's been downloaded over 9 billion times since 2021, making it as popular as cat videos on the internet. However, the weaponized version turned up only inside these naughty extensions, bundled alongside them rather than pulled fresh from npm. It's like finding out your favorite brand of potato chips has been secretly adding ghost peppers to the mix. The digital sleight of hand was a new class added to the package's ‘index.js’, which runs as soon as the extension loads at VSCode startup, so the payload fires without you clicking a thing. Talk about a surprise party you didn't want to attend!
Microsoft Saves the Day (Again)
Once ReversingLabs blew the whistle, Microsoft swooped in like a caped crusader, removing the offending extensions faster than you can say “cybersecurity breach.” Meanwhile, BleepingComputer confirmed that these extensions have been banished to the shadow realm of the internet. But the battle is far from over. Developers who had the misfortune of installing these dastardly extensions are advised to scan their systems for signs of compromise. Because there’s nothing like a little paranoia to spice up your day, right?
Lessons in Vigilance: Inspect Before You Click
In the ever-evolving game of cat and mouse between developers and cybercriminals, one thing is clear: vigilance is key. The smart folks over at ReversingLabs recommend thoroughly inspecting packages before installation, especially when the source isn't as reputable as your grandma's cookie recipe. And remember, if an extension comes with a bundled ‘node_modules’ folder, it's worth taking a second look: a color theme has no obvious reason to ship its own private copies of npm packages. Because you never know when your harmless-looking extension might just be a wolf in sheep's clothing.
In conclusion, while Microsoft and the cybersecurity community continue to fight the good fight, developers must stay on their toes. Who needs action movies when the world of coding is already packed with suspense and drama? So, dear developers, keep your wits about you, and don’t forget to scan your systems—because you never know when a seemingly innocent .PNG might just be plotting your digital downfall.
