VS Code Marketplace Extension Name Reuse Vulnerability
Summary
A security flaw in the Visual Studio Code Marketplace allows attackers to republish deleted extensions under the same name. The vulnerability was identified after a malicious extension named 'ahbanC.shiba' was found to mimic previously removed extensions. The flaw enables threat actors to reuse names of previously removed extensions, potentially leading to supply chain attacks. The issue arises because, although each extension must have a unique ID, the name field can be reused if an extension is deleted. This behavior does not apply if an extension is merely unpublished. The same vulnerability exists in the Python Package Index (PyPI) repository, where deleted package names can be reused if the distribution file names differ. This flaw poses a significant risk, as popular extensions could be impersonated by malicious actors.
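An added example, not code from the original article or from the Marketplace: a Python audit that compares an installed-extension inventory with a locally kept list of removed or flagged extension IDs, reporting exact matches as well as a removed name reappearing under a different publisher, as 'ahbanC.shiba' did. The `publisher.name` split at the first dot, the case-insensitive comparison and both sample lists are assumptions of this example.

```python
"""Flag installed VS Code extensions whose name reuses that of a removed one."""

# Constructed sample data. REMOVED is a list a team keeps of extension IDs it
# has recorded as removed or flagged; these two are the ones named above.
REMOVED = ["ahban.shiba", "ahban.cychelloworld"]
# Constructed inventory in the "publisher.name" form that
# `code --list-extensions` prints.
INSTALLED = ["ms-python.python", "ahbanC.shiba", "example-publisher.linter"]


def split_id(ext_id):
    """Split 'publisher.name' at the first dot; return lowercase parts or None."""
    publisher, sep, name = ext_id.strip().partition(".")
    if not sep or not publisher or not name:
        return None
    return publisher.lower(), name.lower()


def audit(installed, removed):
    """Return a list of (extension_id, reason) findings for the inventory."""
    removed_ids = set()   # full (publisher, name) pairs seen in the removed list
    by_name = {}          # name -> removed IDs that carried that name
    for rid in removed:
        parts = split_id(rid)
        if parts:
            removed_ids.add(parts)
            by_name.setdefault(parts[1], []).append(rid)
    findings = []
    for ext in installed:
        parts = split_id(ext)
        if parts is None:
            findings.append((ext, "malformed id"))
        elif parts in removed_ids:
            findings.append((ext, "exact match with removed extension"))
        elif parts[1] in by_name:
            # Same name, different publisher: the reuse pattern described above.
            findings.append((ext, "name reused from " + ", ".join(by_name[parts[1]])))
    return findings


if __name__ == "__main__":
    for ext, reason in audit(INSTALLED, REMOVED):
        print(f"{ext}: {reason}")
```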
Timeline
- 28.08.2025 20:10: VS Code Marketplace Extension Name Reuse Vulnerability Discovered
A vulnerability in the Visual Studio Code Marketplace allows attackers to republish deleted extensions under the same name. The flaw was identified after a malicious extension named 'ahbanC.shiba' was found to mimic previously removed extensions. The issue arises because the name field can be reused if an extension is deleted, but not if it is unpublished. This behavior also affects the Python Package Index (PyPI) repository.
- Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names — thehackernews.com — 28.08.2025 20:10
Information Snippets
- The malicious extension 'ahbanC.shiba' mimics previously flagged extensions 'ahban.shiba' and 'ahban.cychelloworld'. First reported: 28.08.2025 20:10.
- The extensions act as downloaders to retrieve a PowerShell payload that encrypts files and demands Shiba Inu tokens. First reported: 28.08.2025 20:10.
- The vulnerability allows the reuse of extension names after deletion, but not after unpublishing. First reported: 28.08.2025 20:10.
- The same issue affects the Python Package Index (PyPI) repository. First reported: 28.08.2025 20:10.
- The flaw enables threat actors to impersonate popular extensions, increasing the risk of supply chain attacks. First reported: 28.08.2025 20:10.
- Eight malicious npm packages were identified, delivering a Google Chrome information stealer. First reported: 28.08.2025 20:10.
- The malicious npm packages use 70 layers of obfuscated code to unpack a Python payload for data theft. First reported: 28.08.2025 20:10.

Source for all snippets: Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names — thehackernews.com — 28.08.2025 20:10