Find notable cyber news and cases, enriched with sources, timelines, and signals.

VS Code Marketplace malicious extension campaign using disguised dependency payloads

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

A malicious VS Code extension campaign has spread through 19 extensions, creating supply-chain risk for developers using the marketplace. The operation has been active since February 2025 and relies on disguised payloads embedded in dependency folders. It matters because trusted extensions were used to covertly execute malware through a legitimate distribution channel.

Related Happenings

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

Npm typosquatting campaign distributing WinOS 4.0 implant

Campaign
H score20 First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...

Famous Chollima PromptMink supply-chain campaign targeting Web3 developers

Campaign
H score44 First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
H score30 First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Timeline

  1. 11.12.2025 18:00 2 articles · 7mo ago

    ReversingLabs discloses 19-extension campaign

    Initial Disclosure

    ReversingLabs disclosed a campaign affecting 19 Visual Studio Code extensions that hid malware inside dependency folders, including a modified path-is-absolute npm package, a fake banner.png archive, and payload launch through cmstp.exe; four other extensions instead abused @actions/io, and the affected extensions were reported to Microsoft. The operation had been active since February 2025 and was identified on December 2, 2025.

    Show sources