Overview
- ReversingLabs detailed a developer-targeting operation active since February that was identified on December 2 and linked to 19 extensions on the VS Code Marketplace.
- The extensions bundled a modified path-is-absolute or @actions/io package that executed at IDE startup to decode a JavaScript dropper stored in a file named lock.
- A disguised banner.png file actually contained an archive with two binaries launched via the Windows tool cmstp.exe, including a Rust-based trojan still under analysis.
- BleepingComputer confirmed the listed extensions have been removed from the Marketplace, and users who installed them are urged to scan for compromise.
- ReversingLabs reported a sharp rise in malicious VS Code extension detections, from 27 in 2024 to 105 in the first ten months of 2025, and advised pre-install inspections and dependency audits.
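
One way to run the pre-install or post-install inspection described above, as an added example that is not code from ReversingLabs or from the original report: the script walks an unpacked extension and flags the three markers named in this overview (a `.png` file without a PNG header, a file named `lock`, and a bundled copy of `path-is-absolute` or `@actions/io`). The function names, the finding labels, and the constructed sample tree are assumptions made for illustration, as is the use of the default `~/.vscode/extensions` directory.

```python
import os
import sys

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Packages the report says were shipped in modified form inside the extensions.
WATCHED_PACKAGES = ("path-is-absolute", os.path.join("@actions", "io"))


def scan_extension(ext_dir):
    """Return sorted (finding, relative_path) tuples for one unpacked extension."""
    findings = set()
    for root, _dirs, files in os.walk(ext_dir):
        rel_root = os.path.relpath(root, ext_dir)
        for pkg in WATCHED_PACKAGES:
            if rel_root.endswith(os.path.join("node_modules", pkg)):
                findings.add(("bundled-watched-package", rel_root))
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ext_dir)
            if name == "lock":
                findings.add(("file-named-lock", rel))
            if name.lower().endswith(".png"):
                with open(path, "rb") as fh:
                    if fh.read(len(PNG_MAGIC)) != PNG_MAGIC:
                        findings.add(("png-without-png-header", rel))
    return sorted(findings)


def build_sample(root):
    """Write a constructed two-extension tree (no real malware) for a dry run."""
    files = {
        ("clean", "icon.png"): PNG_MAGIC + b"\x00" * 8,
        ("suspect", "banner.png"): b"PK\x03\x04constructed-archive-stand-in",
        ("suspect", "node_modules", "path-is-absolute", "index.js"): b"// stub",
        ("suspect", "node_modules", "path-is-absolute", "lock"): b"constructed",
    }
    for parts, data in files.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    # Default VS Code extension directory; pass another path as argv[1].
    base = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.vscode/extensions")
    for ext in sorted(os.listdir(base)):
        for finding, rel in scan_extension(os.path.join(base, ext)):
            print(f"{ext}: {finding}: {rel}")
```

A `bundled-watched-package` hit is only a lead, since both packages are legitimate and widely used; compare the bundled copy against the registry release before drawing a conclusion.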