
Redazione RHC : 15 December 2025 07:15
A sophisticated malware campaign has been detected within the Visual Studio Code (VS Code) marketplace. Researchers at ReversingLabs (RL) have identified 19 malicious extensions that successfully evaded standard detection methods by deeply hiding their payloads within dependency folders.
The campaign, active since February 2025, uses a combination of typosquatting-adjacent techniques and steganography to compromise developers’ computers.
“The malicious files abused a legitimate npm package to evade detection and created an archive containing malicious binaries that masqueraded as an image – a file with the PNG extension,” the researchers reported.
To further obscure their tracks, the attackers used a deceptive file called banner.png. Although it looked like a standard image file for presenting the extension on the marketplace, it was actually a modified archive.
The attack chain begins when the compromised dependency’s index.js file is executed as VS Code launches. It activates a hidden class that decodes a JavaScript dropper from a file simply named lock. This dropper then extracts the payload from the fake PNG file.
The way VS Code extensions handle their core components is what makes this attack ingenious. Unlike traditional npm projects that download dependencies on the fly, VS Code extensions come with a pre-built node_modules folder containing all the required libraries.
This structure allows the extensions to work “out of the box,” but it also offered attackers a perfect hiding place, the researchers report.
For this campaign, the threat actors took the wildly popular path-is-absolute package, a library with over 9 billion downloads, and modified it locally within their malicious extensions. They didn’t touch the official package in the npm registry; instead, they tampered with the version included in their extension.
“By doing so, the threat actor is turning a popular and otherwise secure package into a ticking time bomb, ready to explode as soon as one of the malicious extensions is used,” the report states. “The banner.png file, as it turned out, was not an image file. Instead, it was an archive containing two malicious binaries.”
Once unpacked, the malware doesn’t just execute—it turns the system against itself. The decoded dropper launches the malicious binaries via cmstp.exe, a legitimate Microsoft Connection Manager profile installer that attackers commonly abuse as a “Living Off the Land” binary (LOLBin) to bypass security controls.
While most of the identified extensions abused the path-is-absolute package, researchers noticed that four extensions used a different vector, modifying the @actions/io package and hiding payloads in TypeScript (.ts) and sourcemap (.map) files instead of the fake image.
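The core trick in the primary vector is a file whose extension says PNG but whose bytes are an archive. The following is an added defender-side example (not code from ReversingLabs or the article): it walks an extension folder, reads the first bytes of every `*.png`, and flags any that carry an archive signature instead of the PNG header. The folder layout, the file names and the ZIP contents in `demo()` are constructed for the demonstration.

```python
import pathlib
import tempfile
import zipfile

# Every genuine PNG begins with this fixed 8-byte signature
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Well-known archive signatures an "image" might really be carrying
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

def classify(header: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever extension it has."""
    if header.startswith(PNG_MAGIC):
        return "png"
    for magic, kind in ARCHIVE_MAGICS.items():
        if header.startswith(magic):
            return kind
    return "unknown"

def scan_extension(root: str) -> list:
    """Report every *.png under an extension folder whose content is not PNG.

    Returns sorted (relative_path, detected_kind) tuples for deterministic output."""
    root_path = pathlib.Path(root)
    findings = []
    for path in root_path.rglob("*.png"):
        with open(path, "rb") as fh:
            kind = classify(fh.read(8))
        if kind != "png":
            findings.append((path.relative_to(root_path).as_posix(), kind))
    return sorted(findings)

def demo() -> list:
    """Constructed layout: a genuine PNG next to a ZIP archive named banner.png."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "icon.png").write_bytes(PNG_MAGIC + b"\x00" * 16)   # real image header
    with zipfile.ZipFile(root / "banner.png", "w") as zf:      # archive in disguise
        zf.writestr("payload.bin", b"constructed placeholder, not a real binary")
    return scan_extension(str(root))

if __name__ == "__main__":
    print(demo())  # [('banner.png', 'zip')]
```

Pointing `scan_extension` at a real extensions directory (for example each subfolder of `~/.vscode/extensions`) gives a quick triage list; the four extensions that hid payloads in `.ts` and `.map` files would need a separate content check.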
Redazione