
Visual Studio Code Marketplace Extension Name Reuse Vulnerability

1 unique source, 1 article

Summary


A weakness in the Visual Studio Code Marketplace lets a publisher register an extension under a name that belonged to an extension previously removed from the marketplace. It was discovered while investigating a malicious extension, "ahbanC.shiba", whose name mimicked previously flagged extensions. Because users identify an extension by its publisher.name pair, a re-registered name lets an attacker publish a malicious extension under the name of a legitimate or previously removed one, and anyone who installs by name alone receives the new, attacker-controlled package. The "ahbanC.shiba" extension acts as a downloader: it retrieves a PowerShell payload that encrypts files on the victim's Windows desktop and demands payment in Shiba Inu tokens. The case is another instance of threat actors going after the software supply chain through developer tooling.

Timeline

  1. 28.08.2025 20:10 (1 article)

    Visual Studio Code Marketplace Vulnerability Allows Extension Name Reuse

    The marketplace was found to permit a removed extension's name to be reused by a new publication, as shown by "ahbanC.shiba", a malicious extension that mimicked previously flagged extensions. The extension downloads a PowerShell payload that encrypts files on the victim's Windows desktop and demands a ransom in Shiba Inu tokens; the summary above has the details.

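The practical defence against a re-registered extension name is to stop trusting the name alone. The following audit, added here as an example and not code from this page, from Microsoft or from the researchers it cites, checks the extensions recorded in a VS Code `extensions.json` against a pinned allowlist of publisher.name plus marketplace UUID, and reports three things: an installed extension that is not on the list, one that is on the list but now carries a different UUID (same name, new registration), and an unlisted extension whose name part matches an allowlisted one under a different publisher (the lookalike pattern). Assumptions, all labelled in the code: the manifest layout is reduced to the `identifier.id`, `identifier.uuid` and `version` fields, and the allowlist, UUIDs and manifest are constructed sample data.

```python
"""Audit installed VS Code extensions against a pinned allowlist.

Added example for this page, not code from the page, from Microsoft or from
any researcher it cites. Assumptions, all labelled: the extensions.json
layout (a list of entries carrying identifier.id, identifier.uuid and
version, which is how VS Code records installed extensions under
~/.vscode/extensions/) is reproduced only in the fields used here, and the
allowlist, UUIDs and manifest below are constructed sample data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    ext_id: str
    version: str
    reason: str


# Constructed allowlist (hypothetical publishers): extension id -> the
# marketplace UUID recorded when the extension was reviewed. Pinning the UUID
# matters because a name re-registered after removal is a new extension with
# a new UUID even though its publisher.name string may look familiar.
ALLOWLIST = {
    "acme-tools.linter": "0b6f1c9e-2d3a-4f5b-8c7d-9e0f1a2b3c4d",
    "acme-tools.shiba": "5a4b3c2d-1e0f-4a9b-8c7d-6e5f4a3b2c1d",
}

# Constructed extensions.json excerpt. "ahbanC.shiba" is the name from the
# report; every other id, uuid and version here is made up.
SAMPLE_MANIFEST = json.dumps([
    {"identifier": {"id": "acme-tools.linter",
                    "uuid": "0b6f1c9e-2d3a-4f5b-8c7d-9e0f1a2b3c4d"},
     "version": "3.1.0"},
    {"identifier": {"id": "acme-tools.shiba",
                    "uuid": "ffffffff-ffff-4fff-8fff-ffffffffffff"},
     "version": "1.0.1"},
    {"identifier": {"id": "ahbanC.shiba",
                    "uuid": "12345678-1234-4123-8123-123456789abc"},
     "version": "0.0.1"},
    {"identifier": {"id": "unknown-pub.helper",
                    "uuid": "87654321-4321-4321-8321-cba987654321"},
     "version": "2.3.4"},
])


def split_id(ext_id: str) -> tuple[str, str]:
    """Split 'publisher.name' into lowercase parts; VS Code compares
    extension identifiers case-insensitively."""
    publisher, _, name = ext_id.partition(".")
    return publisher.lower(), name.lower()


def audit_extensions(manifest_json: str, allowlist: dict[str, str]) -> list[Finding]:
    """Return one Finding per installed extension that is not on the
    allowlist, or that is on it under a different marketplace UUID.

    An unlisted extension whose name part equals an allowlisted one under a
    different publisher is reported as a lookalike, which is the pattern the
    name-reuse flaw enables.
    """
    pinned = {k.lower(): v.lower() for k, v in allowlist.items()}
    by_name: dict[str, list[str]] = {}
    for ext_id in pinned:
        by_name.setdefault(split_id(ext_id)[1], []).append(ext_id)

    findings: list[Finding] = []
    for entry in json.loads(manifest_json):
        ident = entry.get("identifier", {})
        ext_id = ident.get("id", "")
        uuid = ident.get("uuid", "").lower()
        version = entry.get("version", "?")
        key = ext_id.lower()

        if key in pinned:
            if uuid != pinned[key]:
                findings.append(Finding(ext_id, version,
                    f"marketplace uuid {uuid or '<none>'} differs from pinned "
                    f"{pinned[key]}: same name, new registration"))
            continue

        publisher, name = split_id(ext_id)
        lookalikes = [a for a in by_name.get(name, []) if split_id(a)[0] != publisher]
        if lookalikes:
            findings.append(Finding(ext_id, version,
                f"not on allowlist; name '{name}' matches allowlisted "
                f"{', '.join(lookalikes)} under a different publisher"))
        else:
            findings.append(Finding(ext_id, version, "not on allowlist"))
    return findings


def audit_local_install(allowlist: dict[str, str] = ALLOWLIST) -> list[Finding]:
    """Run the audit over the current user's real manifest (path as written
    by VS Code on desktop platforms; assumed here, adjust for Insiders or
    remote installs)."""
    manifest = Path.home() / ".vscode" / "extensions" / "extensions.json"
    return audit_extensions(manifest.read_text(encoding="utf-8"), allowlist)


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_MANIFEST, ALLOWLIST):
        print(f"{f.ext_id}@{f.version}: {f.reason}")
```

Run against the sample, the audit flags `acme-tools.shiba` for its changed UUID, `ahbanC.shiba` as a lookalike of the allowlisted `acme-tools.shiba`, and `unknown-pub.helper` as unlisted, while the correctly pinned `acme-tools.linter` passes. In a managed fleet the same check belongs in a login script or endpoint policy, and the allowlist should be refreshed from the marketplace record of each approved extension rather than typed from memory.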

Similar Happenings

CVE-2025-5086 in DELMIA Apriso Exploited in the Wild

A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, rated CVSS 9.0, affects versions from Release 2020 through Release 2025 and allows remote code execution. Exploitation attempts have been observed originating from an IP address in Mexico: the attacker sends a malicious HTTP request carrying a Base64-encoded payload that decodes to a Windows executable detected as "Trojan.MSIL.Zapchast.gen", spyware that captures user activity and sends the collected information to the attackers. DELMIA Apriso is used to digitalize and monitor production processes, including production scheduling, quality management, resource allocation, warehouse management, and integration between production equipment and business applications, so the flaw affects industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and requires federal agencies to apply the necessary updates by October 2, 2025.

TamperedChef Malware Campaign Targets Users via Malvertising

A cybercrime campaign is using malvertising to deliver a new information stealer called TamperedChef. The malware is disguised as a free PDF editor, "AppSuite PDF Editor", and is distributed through fraudulent websites promoted via Google ads. Once installed, it steals sensitive data including credentials and web cookies, and also operates as a backdoor: it establishes persistence on the host and communicates with a command-and-control (C2) server to carry out data exfiltration and system manipulation on command. The campaign began on June 26, 2025, but its malicious capabilities were only activated on August 21, 2025, a timeline that suggests a deliberate effort to maximize downloads before the trojanized editor turned hostile. It is part of a larger operation involving multiple apps that download each other, some of which trick users into enrolling their systems in residential proxy networks. More than 50 domains have been identified hosting deceptive apps signed with fraudulent certificates issued by at least four different companies, and the threat actor used at least five different Google campaign IDs, indicating a widespread campaign.

Malicious PyPI and npm Packages Exploit Dependencies in Supply Chain Attacks

Cybersecurity researchers have identified malicious packages in the Python Package Index (PyPI) and npm that use a dependency to stage their payload, a supply chain technique that keeps the malicious code one step removed from the package a developer actually installs. The PyPI package termncolor (355 downloads) pulls in its dependency colorinal (529 downloads), which performs DLL side-loading to achieve persistence and remote code execution; the malware can infect both Windows and Linux systems. Separately, npm packages were discovered harvesting sensitive data, including iCloud Keychain entries, web browser data, and cryptocurrency wallet information. These cases highlight the risk of automated dependency upgrades and the importance of monitoring open-source ecosystems for such threats.

In a later supply chain attack, attackers injected malware into npm packages with over 2.6 billion combined weekly downloads after compromising a maintainer's account through phishing. The malware injects itself into the web browser, monitors cryptocurrency transactions, and redirects them to attacker-controlled wallet addresses. The compromised packages include debug, chalk, and ansi-styles, among others, and the attack was reported to have impacted roughly 10% of all cloud environments. Impact is limited to fresh installs made between roughly 9 AM and 11:30 AM ET on September 8, 2025, the window during which the compromised versions were available. The attack follows a series of similar incidents targeting JavaScript libraries, underscoring the ongoing threat to the open-source ecosystem.