
Microsoft's VS Code marketplace hosted the susvsex malicious extension and delayed removal

Security Tool/Service
Happening score: 20
1 unique source, 1 article

Summary


A malicious extension named susvsex appeared in Microsoft's official VS Code marketplace, creating a distribution-channel risk for developers. The extension advertised file theft and AES-256-CBC encryption behavior and could activate when VS Code launched or on installation. The marketplace's failure to promptly remove the listing after reporting increased exposure for users browsing or installing extensions.

Related Happenings

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

Open VSX pre-publish scanning fail-open now patched security flaw

Vulnerability
First: 27.03.2026 15:57 Last: 27.03.2026 15:57 Sources 1

About this happening: A **now-patched fail-open bug** in **Open VSX's pre-publish scanning pipeline** could let **malicious VS Code extensions** bypass vetting and go live in the registry, weakening a...

GlassWorm open-source supply-chain campaign targeting developers

Campaign
First: 14.03.2026 14:55 Last: 14.03.2026 14:55 Sources 1

About this happening: The **GlassWorm** campaign has added a new **Open VSX** wave of **73 cloned VS Code extensions** that impersonate legitimate packages to build trust before delivering malware. **S...

Latest development: 17.03.2026 23:42

GlassWorm renewed its supply-chain campaign against GitHub, npm, and VSCode/OpenVSX, with researchers identifying 433 compromised components this month across 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. The operators compromised GitHub accounts to force-push malicious commits, published obfuscated code using invisible Unicode characters, and used Solana blockchain transactions as C2 to deliver a Node.js runtime and a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

Timeline

  1. 06.11.2025 23:52 2 articles · 6mo ago

    susvsex malicious extension on Microsoft's VS Code marketplace

    Initial Disclosure

    A malicious extension named susvsex, published by suspublisher18 on Microsoft's official VS Code marketplace, openly advertised file theft to a remote server and AES-256-CBC encryption of all files. Secure Annex researcher John Tuckner found that the extension activates when installed or when VS Code launches, loads hardcoded IP, encryption key, and command-and-control values from extension.js, exfiltrates ZIP archives, encrypts target files, and polls a private GitHub repository for commands. Microsoft had not removed the listing after Tuckner's report.
