
Threat Actors Keep Weaponizing VS Code Extensions

Threat actors continue to probe Visual Studio Code's extension ecosystem, and a late November incident shows how quickly a trusted developer tool can be turned into a supply chain beachhead.

In a multi-stage attack chain documented last week by Hunt.io, attackers slipped a fake Prettier formatter into the official VS Code Marketplace, using it to deliver a loader and ultimately a full remote access trojan (RAT). The extension was removed within hours, but the technique mirrors a growing pattern of malicious activity aimed squarely at developers.

Hunt.io is a threat hunting and intelligence platform that helps security teams discover and track attacker infrastructure (like C2 servers and IOCs) using high-fidelity scanning data and analyst tooling.

The firm said: "This attack highlights a supply-chain compromise targeting developers, abusing the trust in VSCode extensions to deliver multi-stage malware."

Threat actor's GitHub repository "vscode" containing malicious VBScript payloads (source: Hunt.io).

Here are the details:

What Happened: A Fake Prettier Extension As The Entry Point
In late November 2025, Hunt.io threat hunters traced suspicious VBScript payloads back to a GitHub repository named "vscode" operated by an account using the handle biwwwwwwwwwww. The repository looked benign at first glance, but it was supporting a VS Code supply chain attack. The attacker published a malicious extension called "prettier-vscode-plus" under the publisher account "publishingsofficial," intentionally impersonating the legitimate Prettier formatter. The extension appeared on Nov. 21, 2025, and was taken down roughly four hours later after limited uptake. Still, those short windows of trust can be enough to seed infections, especially in organizations where extension installs are automated or where developers frequently try new tooling.

The attack was notable for combining a familiar brandjacking approach with a polished multi-stage malware chain. The extension did not just drop a single payload; instead, it initiated a layered sequence designed to stay stealthy, avoid static detection, and gain durable control of infected endpoints.

The activity has not been publicly attributed to a known threat group. The GitHub handle and repository naming strongly suggest a deliberate attempt to blend into developer workflows, lowering the chance that outbound connections or downloads appear anomalous in logs. The "prettier-vscode-plus" branding leverages a formatter trusted by millions, maximizing the odds of a click-and-install event.

The timing aligns with a broader 2025 trend of attackers publishing IDE extensions as a low-friction path into developer environments. Developers often run with elevated privileges, hold access tokens for package registries and source repositories, and sit close to build pipelines and production secrets. A compromised IDE is therefore a high-leverage entry point for credential theft, lateral movement, or follow-on supply chain compromise.

How VS Code Extensions Have Been Used Before
This Prettier impersonation is not an outlier. Several recent incidents, each documented by the researchers who found them, follow a consistent playbook.

GlassWorm spreading through extension marketplaces. Security researchers at Koi Security documented a self-propagating worm they dubbed GlassWorm, which spread through both the Open VSX Registry and Microsoft's marketplace. The researchers found malicious extensions hiding payloads with invisible Unicode characters, making the code hard to notice during casual review. Once installed, GlassWorm harvested npm, GitHub, Git, and Open VSX credentials and used them to push more infected packages, turning each victim into a new propagation node. The campaign also deployed RAT and proxy capabilities, effectively converting developer machines into infrastructure for further crime.
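The invisible-character trick in that report is easy to miss by eye but straightforward to check for mechanically. The scanner below is an added example written for this article, not Koi Security's tooling and not a claim about which code points GlassWorm actually used: it walks source text and reports runs of code points that render as nothing in an editor, namely Unicode category Cf (zero-width and bidirectional controls, the tag block, the byte order mark) plus the two variation selector ranges, which are category Mn but equally blank. A lone zero-width joiner inside an emoji string is normal; several in a row inside a string literal are not. The run-length threshold and the sample source are assumptions.

```python
"""Scan source text for invisible Unicode that can hide code from a reviewer.

Added example for this article; not Koi Security's tooling and not a claim about
which code points GlassWorm used. Reports runs of code points that render as
nothing: Unicode category Cf (zero-width and bidirectional controls, the tag
block) and the variation selector ranges, which are category Mn but equally blank.
"""
import unicodedata
from dataclasses import dataclass

MIN_RUN = 4  # assumption: runs this long have no plausible purpose in source code
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


@dataclass
class Run:
    line: int        # 1-based line number
    col: int         # 0-based code point offset within the line
    length: int
    codepoints: list
    severity: str    # "info" for a leading BOM, "low" for short runs, "high" for MIN_RUN+


def is_invisible(ch: str) -> bool:
    if unicodedata.category(ch) == "Cf":
        return True
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES)


def scan(text: str) -> list:
    """Return every run of consecutive invisible code points, with position and severity."""
    runs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        i = 0
        while i < len(line):
            if not is_invisible(line[i]):
                i += 1
                continue
            j = i
            while j < len(line) and is_invisible(line[j]):
                j += 1
            run = line[i:j]
            if lineno == 1 and i == 0 and run == "\ufeff":
                severity = "info"      # a byte order mark at file start is routine
            elif len(run) >= MIN_RUN:
                severity = "high"
            else:
                severity = "low"       # e.g. a lone ZWJ inside an emoji sequence
            runs.append(Run(lineno, i, len(run), [f"U+{ord(c):04X}" for c in run], severity))
            i = j
    return runs


# Constructed sample: line 2 hides six zero-width code points inside a string literal,
# line 3 contains a legitimate ZWJ emoji sequence for contrast.
SAMPLE_SOURCE = (
    "const greeting = 'hi';\n"
    "const payload = 'ab\u200b\u200c\u200d\u2060\u200b\u200ccd';\n"
    "const badge = '\U0001F469\u200d\U0001F4BB';\n"
)


def report(text: str) -> str:
    lines = []
    for r in scan(text):
        lines.append(f"line {r.line} col {r.col}: {r.length} invisible code point(s) "
                     f"[{' '.join(r.codepoints)}] severity={r.severity}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SOURCE))
```

Run it over an extension's unpacked `.vsix` contents (the JavaScript under `extension/`) before trusting the extension; anything reported as high deserves a hex dump of that line, because the editor will show you an innocuous string.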

Ransomware-style proof of concept extensions. Secure Annex researcher John Tuckner reported that multiple marketplace extensions contained ransomware-like behavior, including zipping files, uploading them, and encrypting local content. The samples appeared low sophistication, but they demonstrated that malicious actors are actively testing how far they can go inside official tooling channels and how quickly defenses respond.

Icon theme trojanization with Rust implants. Nextron Systems published a detailed analysis after discovering a malicious extension posing as "Material Icon Theme." The trojanized package embedded Rust-based native implants for Windows and macOS and used an extension-side loader to execute them on activation. The implants pulled commands from resilient infrastructure, decoded them, and fetched additional encrypted stages, with multiple fallbacks to keep control channels alive. Nextron noted that the attackers mirrored the legitimate extension's directory structure to keep the implants inconspicuous.

Each incident uses a different payload, but the approach repeats: impersonate a known tool or theme, publish through a marketplace users trust, and leverage extension runtime permissions to execute code, steal secrets, or establish remote control.

How Devs Can Protect Themselves
The most effective defenses are procedural as much as technical, because extension ecosystems lean heavily on user trust.

  • Vet publishers and provenance before installing. Check publisher names, install counts, and repository links. Brandjacking attacks often rely on near-miss names or new publisher accounts that do not match the legitimate maintainer.
  • Limit extension sprawl. Reduce installs to the smallest set needed for work. More extensions means a larger attack surface and more chances for a malicious or later-compromised add-on to slip in.
  • Prefer allowlists in enterprise environments. Where possible, centrally manage VS Code extensions and require review before enabling new ones, especially on CI/CD or privileged development workstations.
  • Monitor for unusual extension behavior. Watch for installs outside normal workflows, sudden extension changes, or unexpected outbound network activity from the VS Code process, as well as the VS Code process spawning script hosts or shells it has no reason to run.
  • Compartmentalize and rotate credentials. Use least-privilege tokens for GitHub, npm, and cloud services, and rotate them regularly. Extension-borne malware frequently seeks these tokens because they lead to broader supply chain compromise.
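The first and third bullets can be enforced mechanically rather than by eye. The script below is an added example, not code from the article, Hunt.io, or Microsoft: it parses the output of `code --list-extensions --show-versions` (real VS Code CLI flags), checks each entry against an allowlist written in the same shape as VS Code's `extensions.allowed` setting (a publisher or a publisher.name key; true/false, a version string, or a list of versions as the value), and, for anything not allowed, reports whether its name closely resembles an allowlisted extension under a different publisher, which is exactly the brandjacking pattern this article describes. The sample listing and allowlist are constructed; `esbenp.prettier-vscode` is the genuine Prettier extension's marketplace ID, which the article does not state.

```python
"""Audit installed VS Code extensions against an allowlist and flag look-alikes.

Added example for this article; not Hunt.io's or Microsoft's code. Input is the
text that `code --list-extensions --show-versions` prints (one publisher.name@version
per line). The allowlist mirrors the shape of VS Code's `extensions.allowed` setting.
"""
import difflib
import re
import sys
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<publisher>[\w-]+)\.(?P<name>[\w-]+)@(?P<version>\S+)$")

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
esbenp.prettier-vscode@11.0.0
publishingsofficial.prettier-vscode-plus@1.0.0
ms-python.python@2025.14.0
dbaeumer.vscode-eslint@3.0.10
"""

# Constructed allowlist. Keys are a publisher or a publisher.name extension ID;
# values are True (any version), a version string, or a list of version strings.
ALLOWLIST = {
    "ms-python": True,                     # trust every extension from this publisher
    "esbenp.prettier-vscode": True,        # the genuine Prettier extension ID
    "dbaeumer.vscode-eslint": ["3.0.10"],  # pinned to a reviewed version
}


@dataclass
class Finding:
    ext_id: str
    version: str
    reason: str


def is_allowed(ext_id: str, version: str, allowlist: dict) -> bool:
    """Exact extension ID rules take precedence over publisher-wide rules."""
    publisher = ext_id.split(".", 1)[0]
    rule = allowlist.get(ext_id, allowlist.get(publisher))
    if rule is None or rule is False:
        return False
    if rule is True:
        return True
    if isinstance(rule, str):
        return version == rule
    return version in rule


def lookalikes(ext_id: str, allowlist: dict, cutoff: float = 0.8) -> list:
    """Allowlisted IDs whose name part resembles ext_id's name part but sit under a
    different publisher: the near-miss naming that brandjacking relies on."""
    publisher, name = ext_id.split(".", 1)
    hits = []
    for key in allowlist:
        if "." not in key:
            continue
        key_pub, key_name = key.split(".", 1)
        if key_pub == publisher:
            continue
        ratio = difflib.SequenceMatcher(None, name, key_name).ratio()
        if ratio >= cutoff or key_name in name or name in key_name:
            hits.append(key)
    return hits


def audit(listing: str, allowlist: dict) -> list:
    """One Finding per installed extension that the allowlist does not permit."""
    findings = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append(Finding(line, "", "unparseable listing line"))
            continue
        ext_id = f"{m['publisher']}.{m['name']}"
        if is_allowed(ext_id, m["version"], allowlist):
            continue
        reason = "not on allowlist"
        similar = lookalikes(ext_id, allowlist)
        if similar:
            reason += "; name resembles allowlisted " + ", ".join(similar)
        findings.append(Finding(ext_id, m["version"], reason))
    return findings


if __name__ == "__main__":
    # Pipe real output in: code --list-extensions --show-versions | python audit_extensions.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for f in audit(text, ALLOWLIST):
        print(f"{f.ext_id}@{f.version}: {f.reason}")
```

Running this across a fleet turns the "vet publishers" advice into a report: the impostor here is flagged both for being off the allowlist and for borrowing the name of the allowlisted Prettier extension under a different publisher, which is the detail a developer skimming the Marketplace page is least likely to check.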

Do Devs Need To Do Anything Now About "prettier-vscode-plus"?
For most VS Code users, probably not. The malicious extension was removed quickly and reportedly saw only a handful of downloads. Still, developers and security teams should confirm they did not install "prettier-vscode-plus" during the short exposure window; `code --list-extensions` prints the installed set as publisher.name, and the genuine Prettier extension is published by "esbenp," not "publishingsofficial." If installed, remove it immediately. After removal, review the machine for signs consistent with Hunt.io's indicators, such as unexpected scheduled tasks named "WindowsUpdate," anomalous PowerShell executions launched by VBS, or suspicious child processes and network traffic under vbc.exe. Note that vbc.exe is the Visual Basic compiler shipped with the .NET Framework, so its presence on a developer machine is normal; the signal is that process making network connections or spawning others.

If you suspect installation, rotate developer credentials (GitHub, npm, package registry tokens) and review recent activity for unauthorized publishes or commits. The campaign's focus on credential theft means even short-lived infections can have downstream effects.
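The indicators in the preceding paragraphs translate into three simple telemetry rules. The code below is an added example, not Hunt.io's detection content: it runs over constructed event records shaped loosely like Sysmon Event ID 1 (process create) and Event ID 3 (network connect) records and a Windows Security 4698 (scheduled task created) record, and flags PowerShell spawned by a VBScript host, a scheduled task whose leaf name is WindowsUpdate, and network connections or child processes from vbc.exe. Because vbc.exe is a legitimate compiler, the rules key on its activity rather than its presence, and the sample includes a benign MSBuild-driven compile to show it is not flagged. Field names, paths, PIDs and the sample chain are assumptions.

```python
"""Rule-based hunt for the host indicators named in the article.

Added example for this article; not Hunt.io's detection content. Events are
constructed dicts shaped loosely like Sysmon Event ID 1 (process create),
Sysmon Event ID 3 (network connect) and Windows Security 4698 (task created)
records; field names, paths and PIDs are assumptions.
"""
import ntpath
from collections import namedtuple

Alert = namedtuple("Alert", "rule subject detail")

VBS_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
VB_COMPILER = "vbc.exe"   # legitimate .NET Framework compiler; flag its activity, not its presence
SUSPECT_TASK_LEAF = "windowsupdate"


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def task_leaf(task_path: str) -> str:
    """Leaf name of a scheduled task path such as \\Microsoft\\Windows\\Foo\\Bar."""
    return task_path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list) -> list:
    """Apply the three indicator rules and return one Alert per hit."""
    alerts = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_create":
            parent, image = base(ev["parent_image"]), base(ev["image"])
            if parent in VBS_HOSTS and image in POWERSHELL:
                alerts.append(Alert("powershell_from_vbs", ev["pid"], ev["cmdline"]))
            if parent == VB_COMPILER:
                alerts.append(Alert("vbc_child_process", ev["pid"], ev["image"]))
        elif kind == "network_connect":
            if base(ev["image"]) == VB_COMPILER:
                alerts.append(Alert("vbc_network", ev["pid"], ev["dest"]))
        elif kind == "task_create":
            # Legitimate Windows Update tasks live *inside* \Microsoft\Windows\WindowsUpdate\;
            # a task whose own name is WindowsUpdate is the indicator.
            if task_leaf(ev["task_name"]) == SUSPECT_TASK_LEAF:
                alerts.append(Alert("suspicious_task", ev["task_name"], ev["action"]))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"

# Constructed telemetry: a VBS-launched chain plus benign look-alike activity.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "ppid": 1188,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\dev\AppData\Local\Temp\update.vbs"'},
    {"type": "process_create", "pid": 4388, "ppid": 4120,
     "image": PS, "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -e SQBFAFgA"},
    {"type": "task_create", "task_name": r"\WindowsUpdate", "author": "dev",
     "action": r"wscript.exe C:\Users\dev\AppData\Local\Temp\update.vbs"},
    {"type": "network_connect", "pid": 5222, "image": VBC, "dest": "203.0.113.7:443"},
    # Benign: MSBuild compiling a VB project, a user opening PowerShell from Explorer,
    # and the real Windows Update task, none of which should fire.
    {"type": "process_create", "pid": 5010, "ppid": 2300, "image": VBC,
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": "vbc.exe /noconfig @obj\\Debug\\App.rsp"},
    {"type": "process_create", "pid": 6001, "ppid": 900, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"type": "task_create", "task_name": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "author": "SYSTEM", "action": r"%windir%\system32\sc.exe start wuauserv"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

To use it against real data, map your EDR or Sysmon export onto the `type`, `image`, `parent_image`, `cmdline`, `dest` and `task_name` fields; the PowerShell-from-VBS rule is the strongest of the three on a developer workstation, since script hosts rarely have a reason to launch a hidden PowerShell there.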

Bottom Line
The Prettier impersonation joins a steady stream of extension-based attacks. Whether the payload is a RAT, a worm, or a ransomware proof of concept, the marketplaces remain attractive targets because they sit at the center of developer trust. Treat VS Code extensions with the same scrutiny you apply to any dependency in your software supply chain.

About the Author

David Ramel is an editor and writer at Converge 360.
