Ransomvibe
Ransomvibe is a ransomware-style malicious payload embedded in a Visual Studio Code extension, discovered by Secure Annex. Researchers found it in an extension listed on the VS Code Marketplace under the names 'suspublisher18.susvsex' / 'suspicious VSX', published under a 'Suspicious publisher' alias. On activation, the extension executed a function named 'zipUploadAndEcnrypt' (the misspelling is the malware's own), which performed ransomware-typical behavior: compressing and encrypting files, then exfiltrating them.

The package.json was configured to activate broadly, including on installation or on any event, so the payload ran without user interaction. extension.js contained hardcoded server URLs, encryption keys, command-and-control targets, and polling intervals. Command and control was GitHub-based: the extension polled an index.html file in a private repository for commands and wrote results to requirements.txt, authenticating with a bundled GitHub Personal Access Token.

The package also shipped Python- and Node-based decryptors and a hardcoded decryption key, which points to low sophistication and possible test or proof-of-concept use; researchers also noted signs of AI-generated code. The directory targeted for encryption was reportedly set to a test environment, but because the extension could be updated or remotely controlled, the same code could be retargeted for broader impact.

Secure Annex reported that the package README and marketplace description openly described the malicious functionality, yet the extension still passed Microsoft's marketplace review. Microsoft later removed it.

High-confidence indicators and artifacts mentioned in the reporting: the function name 'zipUploadAndEcnrypt'; the extension names 'suspublisher18.susvsex' / 'suspicious VSX'; GitHub-based C2 using index.html (commands) and requirements.txt (results); bundled decryptors in Python and Node; and a hardcoded decryption key.

Evidence from the exposed attacker environment pointed to a GitHub user in Baku, though attribution to a known threat actor was not established.
Recent activity
Two sources tracked across advisories, community write-ups, and news; their summaries follow.
Ransomvibe is ransomware embedded in a Visual Studio Code extension. Once activated, it performs typical ransomware functions such as encrypting files and exfiltrating data. It uses GitHub-based command-and-control infrastructure, bundles decryption tools and a hardcoded key, which indicates a lack of sophistication, and shows signs of AI-generated code.
Ransomvibe is a proof-of-concept malware embedded in a Visual Studio Code extension, exhibiting file-encrypting (ransomware) and data-stealing capabilities. It compresses and encrypts files in a designated directory and uploads them to a remote command server. The extension also features a GitHub-based command-and-control infrastructure and includes both decryption tools and hardcoded keys, suggesting it was a test or demonstration rather than a fully operational threat.