Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft's VS Code marketplace hosted the susvsex malicious extension and delayed removal

Security Tool/Service
First reported
Last updated
Happening score
H score 16
1 unique sources, 1 articles

Summary

Hide ▲

A malicious extension named susvsex appeared in Microsoft's official VS Code marketplace, creating a distribution-channel risk for developers. The extension advertised file theft and AES-256-CBC encryption behavior and could activate when VS Code launched or on installation. The marketplace's failure to promptly remove the listing after reporting increased exposure for users browsing or installing extensions.

Related Happenings

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Visual Studio Code adds two-hour delay for automatic extension updates

Security Tool/Service
H score10 First: 08.06.2026 09:08 Last: 08.06.2026 09:08 Sources 1

About this happening: **Visual Studio Code (VS Code)** will delay automatic extension updates by **two hours** starting in **VS Code 1.123**, reducing exposure to **problematic or potentially compromis...

GlassWorm OpenVSX sleeper extension campaign

Campaign
H score45 First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
H score30 First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
H score29 First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

Timeline

  1. 06.11.2025 23:52 2 articles · 8mo ago

    susvsex malicious extension on Microsoft's VS Code marketplace

    Initial Disclosure

    A malicious extension named susvsex, published by suspublisher18 on Microsoft's official VS Code marketplace, openly advertised file theft to a remote server and AES-256-CBC encryption of all files. Secure Annex researcher John Tuckner found that the extension activates when installed or when VS Code launches, loads hardcoded IP, encryption key, and command-and-control values from extension.js, exfiltrates ZIP archives, encrypts target files, and polls a private GitHub repository for commands. Microsoft had not removed the listing after Tuckner's report.

    Show sources