Malicious Visual Studio Code Extensions Distribute Trojan via Fake PNG Files
Security researchers at ReversingLabs have identified a sophisticated campaign in which 19 malicious Visual Studio Code (VS Code) extensions were uploaded to the VS Code Marketplace, targeting developers by hiding a Trojan within their dependency folders. The attackers modified a widely trusted npm package, path-is-absolute, to include malicious code that executed upon VS Code startup, ultimately decoding a JavaScript dropper concealed in a file named lock. The final payload was disguised as a banner.png file, which, despite its image extension, was actually an archive containing two malicious binaries. This campaign, active since February 2025 and discovered in December, highlights the risks of supply chain attacks in developer ecosystems.
The malicious extensions either impersonated popular packages or claimed to offer new functionalities, but in reality, they executed harmful code on developers' machines. The use of legitimate dependencies as a vector for malware delivery demonstrates an evolution in threat actor tactics, making detection more difficult. Researchers also noted a broader trend of increasing malware submissions to the VS Code Marketplace, including incidents where legitimate extensions were compromised through malicious pull requests that added harmful dependencies. This incident underscores the need for heightened scrutiny of third-party code and dependencies in development environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft removes the identified malicious extensions
Following the report, all identified malicious extensions were removed from the VS Code Marketplace. Users who had installed them were advised to scan their systems for signs of compromise.
ReversingLabs reports 19 malicious extensions to Microsoft
After identifying the campaign, ReversingLabs reported all 19 malicious extensions to Microsoft. The researchers also published indicators of compromise to help defenders investigate potential infections.
ReversingLabs discovers the malicious extension campaign
In December 2025, ReversingLabs researchers identified the long-running campaign affecting the VS Code Marketplace and analyzed how the extensions hid malware in dependency folders. The researchers also noted a broader rise in malicious VS Code extensions during 2025 compared with 2024.
Attackers weaponize bundled npm dependencies to deploy trojan
The malicious extensions bundled modified dependency folders, including trojanized versions of the npm packages 'path-is-absolute' and in some cases '@actions/io'. When VS Code started, the altered code executed a JavaScript dropper that deployed malware, including binaries disguised as a PNG file, a Rust-based trojan, and use of LOLBINs such as cmstp.exe.
Malicious VS Code extension campaign begins on Marketplace
A campaign involving 19 malicious Visual Studio Code Marketplace extensions became active in February 2025, targeting developers through trojanized extensions. The extensions were published as version 1.0.0 and included names such as Malkolm Theme, PandaExpress Theme, Prada 555 Theme, and Priskinski Theme.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Malicious Visual Studio Code Extensions Hide Trojan in Fake PNG Files
hackread.com
Open sourceMalicious VSCode Marketplace extensions hid trojan in fake PNG file
bleepingcomputer.com
Open sourceVS Code extensions use fake image containing a trojan
reversinglabs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious VS Code Extensions Delivering Ransomware and Cryptomining Payloads
Malicious Visual Studio Code extensions have been discovered on the official marketplace, delivering both ransomware and cryptomining malware to unsuspecting users. One extension, identified as `suspublisher18.susvsex`, was found to contain ransomware functionality, including file encryption, exfiltration for extortion, and the use of GitHub as a command and control channel. The extension's package even included the command and control server code and decryption tools, suggesting a lack of sophistication but highlighting the ease with which such threats can bypass marketplace review processes. The ransomware was initially configured to target a test directory, but this could be easily changed in future updates, posing a significant risk to developers. In addition to ransomware, several other malicious VS Code extensions have been used to deploy cryptomining malware, particularly targeting users interested in coding themes and AI capabilities. Extensions published by "DevelopmentInc" masqueraded as legitimate tools, such as a Pokémon-themed syntax highlighter, but instead downloaded and executed Monero cryptominers. These payloads disabled Windows Defender, escalated privileges, and established persistence on infected systems. Although the identified malicious extensions have been removed from the marketplace, security researchers warn that similar threats may reappear, urging developers to remain vigilant when installing third-party extensions.
Mar 21, 2026
Malicious VS Code Extensions Delivering Trojan Payloads via Impersonation and Encrypted Loaders
Security researchers reported **malicious Visual Studio Code extensions** being used as a software supply-chain vector to compromise developer workstations. One campaign impersonated a viral AI coding assistant (“**ClawdBot**”) via a fake extension (“ClawdBot Agent”) that appeared legitimate and even functioned as an AI assistant by integrating real APIs (e.g., OpenAI/Anthropic/Google), while **silently dropping malware on Windows at VS Code startup**. The observed payload delivery used camouflage filenames such as `Lightshot.exe` (and references to `Lightshot.dll`) and an Electron-style bundle name `Code.exe`, indicating an effort to blend into common developer tooling and evolve the dropper over time. A separate finding described an **Open VSX** extension masquerading as a popular **Angular Language Service** for VS Code, which bundled legitimate dependencies (e.g., `@angular/language-service` and `typescript`) alongside a **malicious loader** that activates when users open HTML or TypeScript files (`onLanguage:html`, `onLanguage:typescript`). The loader decrypts an embedded payload using **AES-256-CBC** (Node.js `crypto`), with a hardcoded IV and a large hex-encoded ciphertext, then delays and executes the decrypted code—behavior consistent with staged malware delivery and potential worm-like propagation through widely installed editor extensions.
Mar 21, 2026
Malicious Visual Studio Code Extensions Distribute Infostealer Malware
Security researchers have identified two malicious extensions on the Microsoft Visual Studio Code Marketplace, named *Bitcoin Black* and *Codo AI*, which were designed to infect developer machines with information-stealing malware. These extensions, published under the developer name 'BigBlack', masqueraded as a premium dark theme and an AI-powered coding assistant, but secretly downloaded additional payloads, took screenshots, and exfiltrated sensitive data such as code, emails, Slack messages, WiFi passwords, clipboard contents, and browser sessions to attacker-controlled servers. Microsoft has since removed these extensions from the marketplace after their discovery, but not before they were downloaded and installed by several users. The malware leveraged PowerShell and batch scripts to download and execute payloads, with later versions hiding execution windows to evade user detection. Technical analysis revealed that both extensions delivered a legitimate Lightshot screenshot tool alongside a malicious DLL, which was loaded via DLL hijacking to deploy the infostealer under the name `runtime.exe`. The malicious DLL was detected by multiple antivirus engines and created persistence by establishing directories in the `%APPDATA%\Local\` path. The Codo AI extension embedded its malicious code within a functioning tool, making it harder to detect, while Bitcoin Black activated on every VS Code action. The campaign highlights the risks of third-party extensions in developer environments and the need for vigilance when installing tools from public marketplaces.
Mar 21, 2026