{"id":5717,"date":"2025-11-07T11:32:10","date_gmt":"2025-11-07T11:32:10","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5717"},"modified":"2025-11-07T11:32:10","modified_gmt":"2025-11-07T11:32:10","slug":"vibe-coded-ransomware-proof-of-concept-ended-up-on-microsofts-marketplace","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5717","title":{"rendered":"Vibe-coded ransomware proof-of-concept ended up on Microsoft\u2019s marketplace"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In a suspected test effort, unknown actors have successfully embedded a strain of ransomware-style behavior, dubbed Ransomvibe, into extensions listed for Visual Studio Code.<\/p>\n<p>According to Secure Annex findings, the malicious code published to the VSCode extension marketplace was clearly <a href=\"https:\/\/www.csoonline.com\/article\/4053635\/when-ai-nukes-your-database-the-dark-side-of-vibe-coding.html\" target=\"_blank\" rel=\"noopener\">vibe-coded<\/a>, lacking any real sophistication.<\/p>\n<p>\u201cThis is not a sophisticated example as the command and control server code was accidentally(?) 
included in the published extension\u2019s package along with decryption tools,\u201d said Secure Annex\u2019s John Tuckner, adding that the extension included a \u201cblatantly malicious\u201d marketplace description.<\/p>\n<p>Despite the extension carrying obvious red flags, the code slipped past Microsoft\u2019s review filters and remains available even after being reported, Tuckner said in an <a href=\"https:\/\/x.com\/tuckner\/status\/1986232371650183204\" target=\"_blank\" rel=\"noopener\">X post<\/a>.<\/p>\n<p>The malicious code includes file encryption and theft capabilities.<\/p>\n<h2 class=\"wp-block-heading\">Obvious AI-slop in the \u201cRansomvibe\u201d POC<\/h2>\n<p>According to Tuckner, the malicious Visual Studio Code extension, named \u201csuspicious VSX\u201d and published under the equally telling alias \u201cSuspicious publisher,\u201d was hiding its payload in plain sight.<\/p>\n<p>The extension, listed as \u201csuspublisher18.susvsex\u201d, included a \u201cpackage.json\u201d that automatically activated on any event, even during installation, while offering command palette utilities to \u201ctest command and control\u201d functions. Inside the \u201cextension.js\u201d entrypoint, researchers found hardcoded variables including server URL, encryption keys, C2 destinations, and polling intervals. Most of these variables carried comments indicating the code was generated through AI.<\/p>\n<p>When triggered, the extension initiates compression and encryption of files inside a designated directory, uploading them to a remote command server.<\/p>\n<p>Tuckner <a href=\"https:\/\/secureannex.com\/blog\/ransomvibe\/\" target=\"_blank\" rel=\"noopener\">noted<\/a> that the target directory was configured for testing, but could easily be swapped for a real filesystem path in a future update or by remote command. 
The extension contained two decryptors, one in Python and one in Node, along with a hardcoded decryption key, eliminating the possibility of malicious intent.<\/p>\n<h2 class=\"wp-block-heading\">Extension pointed to a GitHub-based C2<\/h2>\n<p>Ransomvibe deployed a rather unusual GitHub-based command-and-control (C2) infrastructure, instead of relying on traditional C2 servers. The extension used a private GitHub repository to receive and execute commands. It routinely checked for new commits in a file named \u201cindex.html\u201d, executed the embedded commands, and then wrote the output back into \u201crequirements.txt\u201d using a GitHub Personal Access Token (PAT) bundled inside the extension.<\/p>\n<p>Apart from enabling exfiltration of host data, this C2 behavior exposed the attacker\u2019s own environment, traces of which pointed to a GitHub user in Baku, whose time zone matched the system data logged by the malware itself.<\/p>\n<p>Secure Annex calls this a textbook example of AI-assisted malware development, featuring misplaced source files (including decryption tools and the attacker\u2019s C2 code) and a README.md file that explicitly describes its malicious functionality. But Tuckner argues that the real failure lies in Microsoft\u2019s marketplace review system, which failed to flag the extension.<\/p>\n<p>Microsoft said it had removed the extension from the marketplace. Every extension\u2019s page in the marketplace contains a \u201cReport Abuse\u201d link, and the company investigates all reports, it said; where the malicious nature of an extension is verified, or where a vulnerability is found in an extension dependency, the extension is removed from the marketplace, added to a block list, and automatically uninstalled by VS Code, it said. 
Enterprises wishing to prevent access to the marketplace can do so by <a href=\"https:\/\/code.visualstudio.com\/docs\/setup\/network#_common-hostnames\" target=\"_blank\" rel=\"noopener\">blocking specific endpoints<\/a>, it added.<\/p>\n<p>Recent incidents have shown that malicious or careless extensions are becoming a recurring problem in the Visual Studio Code ecosystem\u2013with some <a href=\"https:\/\/www.csoonline.com\/article\/4074948\/threat-actors-are-spreading-malicious-extensions-via-vs-marketplaces-2.html\">leaking credentials<\/a> and others quietly <a href=\"https:\/\/www.csoonline.com\/article\/4072829\/tigerjacks-malicious-vscode-extensions-mine-steal-and-stay-hidden.html\">stealing code or mining<\/a> cryptocurrency. Apart from a list of IOCs shared, Secure Annex released the Secure Annex Extension Manager, a tool designed to block known malicious extensions and inventory installed add-ons across an organization.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In a suspected test effort, unknown actors have successfully embedded a strain of ransomware-style behavior, dubbed Ransomvibe, into extensions listed for Visual Studio Code. According to Secure Annex findings, the malicious code published to the VSCode extension marketplace was clearly vibe-coded, lacking any real sophistication. 
\u201cThis is not a sophisticated example as the command and [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5712,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5717","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5717"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5717"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5717\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5712"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5717"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}