Full Report
Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded. Secure Annex researcher John Tuckner, who flagged the extension "susvsex," said it does not attempt to hide its malicious functionality. The extension was uploaded on
Analysis Summary
This summary focuses on the malicious Visual Studio Code extension described in the context, as well as the related Vidar Stealer activity mentioned.
# Tool/Technique: susvsex (Malicious VS Code Extension)
## Overview
A malicious Visual Studio Code (VS Code) extension named "susvsex" flagged by researchers. It exhibits basic ransomware capabilities, designed to automatically zip, upload, and encrypt test files on Windows and macOS upon first launch or when VS Code is started. Its creation is noted as potentially being assisted by Artificial Intelligence ("vibe-coded").
## Technical Details
- Type: Malware (Ransomware/Infostealer component)
- Platform: Windows, macOS (targeting VS Code users)
- Capabilities: File encryption, data exfiltration, C2 communications via GitHub.
- First Seen: November 5, 2025
## MITRE ATT&CK Mapping
- TA0011 - Collection
- T1005 - Data from Local System (Implied by targeting C:\Users\Public\testing or /tmp/testing)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Via ZIP upload to remote server)
- TA0005 - Defense Evasion
- T1564.003 - Hide Contents: Hard Drive (By replacing original files with encrypted versions)
- TA0011 - Command and Control
- T1105 - Ingress Tool Transfer (Implied, if C2 delivers secondary payload/decryption key)
## Functionality
### Core Capabilities
- **Automatic Activation:** Triggers the malicious function (`zipUploadAndEncrypt`) immediately upon VS Code installation or launch.
- **Data Staging:** Targets specific test directories (`C:\Users\Public\testing` or `/tmp/testing`).
- **Compression & Exfiltration:** Automatically creates a ZIP archive of the target files, uploads the archive to a remote server, and deletes the originals.
- **Encryption:** Replaces the original files with their encrypted versions (basic ransomware functionality).
### Advanced Features
- **GitHub C2:** Uses a private GitHub repository (polling `index.html`) as a Command and Control channel to receive new commands.
- **Result Feedback:** Writes command execution results back to the same GitHub repository in the `requirements.txt` file.
- **Credential Leakage:** Accidentally included decryption tools and an embedded GitHub access token for the C2 server within the extension package.
- **Vulnerability to Takeover:** The inclusion of decryption tools and access keys means the C2 infrastructure could be compromised by others.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in context]
- File Names: `susvsex` (Extension/Package name)
- Registry Keys: [Not applicable/provided for VS Code extensions]
- Network Indicators: Remote server for ZIP upload (C2 server details not fully provided, other than the GitHub structure).
- Behavioral Indicators: Invocation of `zipUploadAndEncrypt`; creating a ZIP archive in a targeted directory; network connections upon launch; interacting with GitHub repositories.
## Associated Threat Actors
- Unnamed entity "suspublisher18" (Uploader) and "aykhanmv" (GitHub account owner in Azerbaijan). The "vibe-coded" nature suggests development potentially assisted by AI, but no established APT group is directly linked.
## Detection Methods
- **Signature-based detection:** Detecting the presence of the `susvsex` extension package or known file components.
- **Behavioral detection:** Monitoring VS Code extension initialization processes for unauthorized file compression, exfiltration activities, or unexpected outbound network connections immediately after installation/launch.
- **YARA rules:** Not provided, but could be developed targeting strings related to "zipUploadAndEncrypt" or embedded GitHub tokens.
## Mitigation Strategies
- Rely only on trusted, verified extensions from the official marketplace.
- Regularly audit installed VS Code extensions.
- Implement network egress filtering to monitor or block suspicious uploads to unknown destinations.
- Educate developers on the dangers of supply chain risks in open-source ecosystems.
## Related Tools/Techniques
- **Vidar Stealer (via npm supply chain):** Mentioned in the context as a concurrent supply chain attack using trojanized npm packages to drop Vidar Stealer, demonstrating parallel threats in the developer ecosystem.
***
# Tool/Technique: Vidar Stealer (Distributed via npm)
## Overview
Vidar Stealer, an information stealer, was observed being distributed via 17 trojanized npm packages, marking its first known distribution vector via the npm registry. These packages executed the stealer via postinstall scripts in the supply chain attack cluster tracked as MUT-4831.
## Technical Details
- Type: Malware (Information Stealer)
- Platform: Unknown (Payload execution likely targets Windows based on PowerShell usage mentioned)
- Capabilities: Information theft, C2 communication via dead drops.
- First Seen: October 21, 2025 (for the npm packages)
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0009 - Collection
- T1005 - Data from Local System
- TA0001 - Initial Access
- T1195.002 - Compromise Software Supply Chain: Compromise Software Publicly Available Component (npm package)
## Functionality
### Core Capabilities
- **Supply Chain Compromise:** Packages provided legitimate functionality while hiding malicious code in an execution script.
- **Postinstall Execution:** The malicious payload is executed automatically via a script defined in `package.json`.
- **Payload Delivery:** Deploys a ZIP archive from an external server (`bullethost[.]cloud`) and executes the contained Vidar executable.
### Advanced Features
- **Diversified Execution:** Used both embedded PowerShell scripts and JavaScript files within the package to download and execute the primary payload, potentially for detection evasion.
- **Dead Drop C2:** Vidar 2.0 samples use hard-coded Telegram and Steam accounts as "dead drop resolvers" to communicate and fetch the actual C2 server address.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in context]
- File Names: Vidar executable
- Registry Keys: [Not applicable/provided]
- Network Indicators: `bullethost[.]cloud` (External server hosting the ZIP archive).
- Behavioral Indicators: Execution of postinstall scripts in npm packages; downloading ZIP archives from external domains upon installation.
## Associated Threat Actors
- Threat actors associated with the npm accounts "aartje" and "saliii229911" (accounts have since been banned). The Vidar Stealer capability itself is linked to existing Vidar operations.
## Detection Methods
- **Signature-based detection:** Detecting the Vidar executable hash.
- **Behavioral detection:** Monitoring `node` installations or npm processes for execution of unusual postinstall scripts, especially those initiating network connections to download executables.
- **YARA rules:** Not provided.
## Mitigation Strategies
- Developers must rigorously inspect `package.json` for suspicious or complex `postinstall` scripts before installation.
- Implement dependency review processes to vet new or lesser-known packages.
- Disable/restrict automatic package execution features where possible.
## Related Tools/Techniques
- General Supply Chain Attacks (Affecting npm, PyPI, RubyGems, Open VSX).