What's Happening?
Cybersecurity researchers have uncovered a campaign in which 19 Visual Studio Code extensions carried malware inside their bundled dependency folders. Active since February 2025 and identified on December 2, the operation hid its payload inside a legitimate npm package: a modified copy of path-is-absolute, a package with over 9 billion downloads since 2021, was placed in each extension's node_modules folder. The altered copy included a class that fires when VS Code starts and decodes a JavaScript dropper stored in a file named 'lock'; the malicious binaries themselves were shipped inside an archive masquerading as a PNG image. Hiding the payload in a trusted dependency rather than in the extension's own code let it slip past the checks that are usually applied and put it directly on developers' machines. ReversingLabs, the cybersecurity firm that discovered the campaign, noted a rise in suspicious uploads to the VS Code Marketplace throughout 2025: some extensions imitated popular tools, while others advertised new features but quietly executed unwanted code.
Why It's Important?
The discovery of malware in Visual Studio Code extensions highlights a growing threat to developers and the software supply chain. As developers increasingly rely on third-party extensions to enhance their coding environments, the risk of malicious code being introduced into trusted components becomes significant. This campaign underscores the need for rigorous security measures and auditing of extensions before installation. The potential impact on the software development industry is substantial, as compromised extensions can lead to data breaches, intellectual property theft, and disruption of development processes. The rise in detections from 27 in 2024 to 105 in the first 10 months of 2025 indicates an escalating threat landscape, necessitating enhanced vigilance and security practices among developers and organizations.
What's Next?
To mitigate risks, developers and organizations are encouraged to inspect extensions before installation, to audit every dependency bundled under node_modules rather than only the ones an extension declares, and to use security tools that evaluate what a package actually does rather than only what its manifest says. ReversingLabs has reported all the mentioned extensions to Microsoft, which may lead to further investigation and removal of the malicious extensions from the marketplace. As the threat landscape evolves, developers must remain proactive in securing their development environments and stay informed about emerging threats and best practices in cybersecurity.
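As an added illustration of what "audit all bundled dependencies" can look like in practice (this is example code written for this page, not ReversingLabs' tooling or anything from the reported extensions), the script below walks a VS Code extensions directory and flags the two indicators described above: a file with a .png name whose bytes are not a PNG (for example, an archive), and a bundled copy of path-is-absolute that ships files the upstream package does not. The list of files an unmodified path-is-absolute release contains is an assumption based on the package as published on npm; the sample extension tree it builds is constructed for the demo.

```python
"""Audit installed VS Code extensions for the bundled-dependency tricks described above.

Example code added for this page; not the original report's tooling.
"""
import sys
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Magic bytes of archive formats commonly hidden behind an image file name.
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
# Assumption: an unmodified path-is-absolute release ships exactly these files.
# Adjust if the copy you audit legitimately differs.
EXPECTED_PATH_IS_ABSOLUTE_FILES = {"index.js", "package.json", "license", "readme.md"}


def sniff_png(path: Path):
    """Return a finding if a .png-named file does not start with the PNG signature."""
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(PNG_MAGIC):
        return None
    kind = next((name for magic, name in ARCHIVE_MAGICS.items() if head.startswith(magic)), "unknown")
    return {"file": str(path), "name": path.name, "issue": f"png-name-but-{kind}-content"}


def check_path_is_absolute(pkg_dir: Path):
    """Flag files in a bundled path-is-absolute copy that the upstream package does not ship."""
    present = {p.name.lower() for p in pkg_dir.iterdir() if p.is_file()}
    extra = sorted(present - EXPECTED_PATH_IS_ABSOLUTE_FILES)
    return [{"file": str(pkg_dir / name), "name": name, "issue": "unexpected-file-in-path-is-absolute"}
            for name in extra]


def audit_extensions(extensions_root: Path):
    """Scan every extension's node_modules tree and return a list of findings."""
    findings = []
    if not extensions_root.is_dir():
        return findings
    for ext in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        node_modules = ext / "node_modules"
        if not node_modules.is_dir():
            continue
        for path in node_modules.rglob("*"):
            if path.is_file() and path.suffix.lower() == ".png":
                finding = sniff_png(path)
                if finding:
                    findings.append(finding)
            elif path.is_dir() and path.name == "path-is-absolute":
                findings.extend(check_path_is_absolute(path))
    return findings


def build_sample_tree(base: Path):
    """Constructed demo data: one clean extension and one mimicking the reported pattern."""
    upstream_files = ("index.js", "package.json", "license", "readme.md")
    clean = base / "publisher.clean-ext-1.0.0" / "node_modules" / "path-is-absolute"
    clean.mkdir(parents=True)
    for name in upstream_files:
        (clean / name).write_text("// placeholder\n")
    shady = base / "publisher.shady-ext-1.0.0" / "node_modules" / "path-is-absolute"
    shady.mkdir(parents=True)
    for name in upstream_files:
        (shady / name).write_text("// placeholder\n")
    (shady / "lock").write_bytes(b"\x00constructed-encoded-dropper")  # extra file, like the 'lock' in the report
    (shady / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 8)         # a genuine PNG header: not flagged
    (shady / "icon.png").write_bytes(b"PK\x03\x04" + b"\x00" * 26)    # a zip wearing a .png name: flagged


def run_demo():
    """Build the constructed tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return audit_extensions(base)


if __name__ == "__main__":
    # Default to the usual per-user extensions directory; pass another path to override.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".vscode" / "extensions"
    for f in audit_extensions(root):
        print(f"{f['issue']}: {f['file']}")
```

A clean copy of path-is-absolute produces no findings; the constructed "shady" extension is flagged for the extra lock file and for icon.png, whose contents are a zip archive, while logo.png passes because its bytes really are a PNG. Magic-byte and file-list checks are cheap triage, not proof of compromise: a flagged extension still needs its node_modules diffed against the published npm tarball and its startup code read.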