Ransomvibing is a malicious Visual Studio Code extension with built-in ransomware functionality that was discovered in the VS Code marketplace. It was reportedly published as an extension named "suspicious VSX" by the publisher "suspicious publisher" and bypassed Microsoft's review process. The malware encrypts files, exfiltrates data, and uses GitHub as a command-and-control channel. Reported behavior indicates it targeted only a test directory by default. Supporting reporting also states that the developer accidentally leaked decryption keys and system information via the C2 channel. The available content identifies it specifically as a ransomware-capable malicious VS Code extension; no additional high-confidence attribution, victimology, or broader targeting details are provided.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware discovered embedded within Visual Studio Code extensions, capable of encrypting files on infected systems.
Ransomware distributed as a malicious VS Code extension that encrypts files, uses GitHub for command and control, and exfiltrates data. It appears to be AI-generated and was sloppily implemented, with decryption keys and instructions left in the README.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.