Susvsex malicious ransomware extension
Malware Activity
Summary
A malicious VS Code extension, susvsex, was published to Microsoft's official marketplace, creating a direct path for file theft and AES-256-CBC encryption in developer environments. The extension activates on install or when VS Code launches, then packages target files into archives, exfiltrates them to a hardcoded C2 address, and encrypts the files in place. It also polls a private GitHub repository for commands using an embedded personal access token, a crude but operational command-and-control loop. The finding matters because a readily installed extension can deliver ransomware-like behavior through a trusted software channel, and the extension's own description openly advertised that behavior.
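The traits described above (activation on every launch, a hardcoded C2 address, AES-256-CBC setup, an embedded GitHub PAT) are cheap to look for in an installed extensions folder. The triage script below is an added example for this page, not code from Secure Annex, Microsoft, or the extension's author, and its regexes are assumptions about how such traits look in source rather than signatures of the real sample. It assumes the standard layout of `<extensions dir>/<publisher>.<name>-<version>/package.json` next to the extension's JS and HTML files, and builds its own constructed fixture (one benign extension, one mimicking the page's description) so it runs offline. It also flags invisible Unicode characters, the obfuscation trick mentioned in the GlassWorm entry further down this page.

```python
"""Triage a VS Code extensions directory for susvsex-style traits.

Added example for this page; heuristics only. A hit means "open the
extension and read it", not "this is malware".
"""
import json
import os
import re
import tempfile

# Assumed indicators, derived from the page's description of the sample:
# GitHub token formats (classic ghp_ and fine-grained github_pat_), Node's
# createCipheriv with aes-256-cbc, an http(s) URL pointing at a bare IPv4
# literal, and zero-width / filler code points used to hide code.
RULES = {
    "github_pat": re.compile(
        r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b|\bgithub_pat_[A-Za-z0-9_]{60,}\b"),
    "aes_256_cbc": re.compile(r"createCipheriv\(\s*['\"]aes-256-cbc['\"]", re.I),
    "hardcoded_ipv4": re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?"),
    "invisible_unicode": re.compile("[\u200b\u200c\u200d\u2060\ufeff\u3164\u115f\u1160]"),
}
# Activation events that make an extension run on every VS Code start.
BROAD_ACTIVATION = {"*", "onStartupFinished"}
SOURCE_SUFFIXES = (".js", ".mjs", ".cjs", ".html")


def scan_extension(ext_dir):
    """Return a list of finding strings for one extension directory."""
    findings = []
    try:
        with open(os.path.join(ext_dir, "package.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        return ["unreadable package.json"]
    broad = set(manifest.get("activationEvents", [])) & BROAD_ACTIVATION
    if broad:
        findings.append("activates on every launch: %s" % sorted(broad))
    for root, _dirs, files in os.walk(ext_dir):
        if "node_modules" in root.split(os.sep):  # skip vendored deps
            continue
        for name in files:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for rule, pattern in RULES.items():
                if pattern.search(text):
                    findings.append("%s in %s" % (rule, os.path.relpath(path, ext_dir)))
    return findings


def scan_all(extensions_root):
    """Map each extension folder name to its findings (empty list = clean)."""
    report = {}
    for entry in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, entry)
        if os.path.isdir(ext_dir):
            report[entry] = scan_extension(ext_dir)
    return report


def build_sample_root():
    """Constructed fixture: a benign extension plus one mimicking the traits
    the page describes. None of this is the real susvsex code; the IP is
    from the TEST-NET-3 documentation range and the token is a dummy."""
    root = tempfile.mkdtemp(prefix="vscode-ext-triage-")
    benign = os.path.join(root, "example.hello-world-1.0.0")
    os.makedirs(benign)
    with open(os.path.join(benign, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "hello-world", "activationEvents": ["onCommand:hello.say"]}, fh)
    with open(os.path.join(benign, "extension.js"), "w", encoding="utf-8") as fh:
        fh.write("exports.activate = () => console.log('hi');\n")
    sus = os.path.join(root, "suspublisher.suspicious-0.0.1")
    os.makedirs(sus)
    with open(os.path.join(sus, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "suspicious", "activationEvents": ["*"]}, fh)
    with open(os.path.join(sus, "extension.js"), "w", encoding="utf-8") as fh:
        fh.write("const crypto = require('crypto');\n"
                 "const C2 = 'http://203.0.113.10:8080/upload';\n"
                 "const key = Buffer.alloc(32), iv = Buffer.alloc(16);\n"
                 "const c = crypto.createCipheriv('aes-256-cbc', key, iv);\n")
    with open(os.path.join(sus, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<script>const PAT='ghp_" + "A" * 36 + "';</script>\n")
    return root


if __name__ == "__main__":
    for ext, hits in scan_all(build_sample_root()).items():
        print(ext, "->", hits or "clean")
```

To run it against a real install, call `scan_all` with `~/.vscode/extensions` (or the equivalent for a VS Code fork) instead of the fixture. A broad activation event on its own is common in legitimate extensions; the combination with an embedded token and cipher construction is what warrants a closer read.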
Related Happenings
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
GlassWorm Zig dropper infecting developer IDEs
Malware Activity
First: 10.04.2026 16:23
Last: 10.04.2026 16:23
Sources 1
About this happening:
The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...
GlassWorm open-source supply-chain campaign targeting developers
Campaign
First: 14.03.2026 14:55
Last: 14.03.2026 14:55
Sources 1
About this happening:
The **GlassWorm** campaign has added a new **Open VSX** wave of **73 cloned VS Code extensions** that impersonate legitimate packages to build trust before delivering malware. **S...
Latest development: 17.03.2026 23:42
GlassWorm renewed its supply-chain campaign against GitHub, npm, and VSCode/OpenVSX, with researchers identifying 433 compromised components this month across 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. The operators compromised GitHub accounts to force-push malicious commits, published obfuscated code using invisible Unicode characters, and used Solana blockchain transactions as C2 to deliver a Node.js runtime and a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
Steaelite Windows RAT with FUD and multi-function capabilities
Malware Activity
First: 27.02.2026 12:06
Last: 27.02.2026 12:06
Sources 1
About this happening:
The **Steaelite** Windows RAT is being marketed as a **fully undetectable** tool for **Windows 10 and 11**, giving operators browser-based control over infected machines and enabl...
Timeline
06.11.2025 23:52 · 2 articles
susvsex malicious VS Code extension discovered on Microsoft marketplace
Initial Disclosure: Secure Annex researcher John Tuckner discovered susvsex, a malicious extension published by suspublisher18 on Microsoft's official VS Code marketplace, and documented that its description openly advertised file theft to a remote server and encryption of all files with AES-256-CBC. The extension activates on installation or whenever VS Code launches through extension.js, packages target files into ZIP archives for exfiltration to a hardcoded command-and-control address, encrypts the files, and polls a private GitHub repository via index.html using an embedded personal access token (PAT) to fetch commands. Microsoft did not remove the extension after the report.
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48