Malware Discovered in 19 Visual Studio Code Extensions

A campaign involving 19 Visual Studio (VS) Code extensions that embed malware inside their dependency folders has been uncovered by cybersecurity researchers.

Active since February 2025 but identified on December 2, the operation used a legitimate npm package to disguise harmful files and bundled malicious binaries inside an archive masquerading as a PNG image.

This approach, observed by ReversingLabs (RL), enabled attackers to bypass conventional checks and target developers directly.

Evolving Phishing Tactics

A new wave of malicious VS Code extensions has been circulating throughout 2025, with ReversingLabs noting a steady rise in suspicious uploads to the VS Code Marketplace.

Some extensions imitate popular tools, while others advertise new features but secretly execute unwanted code. Even trusted extensions can be compromised: in July, a malicious pull request contaminated a legitimate project simply by adding a harmful dependency.

In this new campaign, attackers embedded a modified version of the npm package path-is-absolute inside the extensions’ node_modules folders.

The original package is widely used, with more than 9 billion downloads since 2021, but the altered version included a class designed to trigger malware when VS Code starts. Its purpose was to decode a JavaScript dropper stored in a file named “lock.”

The attackers also included a file named banner.png, which appeared harmless but opened as an archive containing two binaries.

The dropper launched these files via cmstp.exe, a common living-off-the-land binary (LOLBIN). One executable closed the process by simulating a keypress, while the other was a Rust-based Trojan still being analyzed at the time of this report.

A Growing Threat to Developers

ReversingLabs said while most malicious extensions relied on the modified path-is-absolute dependency, four others instead weaponized the npm package @actions/io, storing the payload across TypeScript and map files rather than using the disguised PNG.

Although the techniques differed, the goal remained the same: covertly execute malware through trusted components.

Detecting malicious VS Code extensions has become increasingly urgent, ReversingLabs warned. The firm said detections grew from 27 in 2024 to 105 in the first 10 months of 2025.

To reduce risk, teams are encouraged to:

  • Inspect extensions before installation

  • Audit all bundled dependencies

  • Use security tools capable of evaluating package behavior
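As an added illustration (not ReversingLabs' tooling or code from this article), the following Python script applies the first two recommendations to an unpacked extension directory: it flags .png files whose magic bytes say ZIP archive rather than PNG, and bundled node_modules packages that carry extension-less files or JavaScript naming cmstp.exe. The regex, the allow-list of extension-less file names and the sample fixture are assumptions constructed for the demo.

```python
from __future__ import annotations
import re, tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"
# Assumed heuristic: JS naming the LOLBIN from the campaign or the process-spawning module
SUSPICIOUS_JS = re.compile(rb"cmstp\.exe|child_process", re.I)

def check_png(path: Path) -> str | None:
    """Flag a .png whose bytes are not a PNG (e.g. a ZIP archive in disguise)."""
    head = path.read_bytes()[:8]
    if head.startswith(PNG_MAGIC):
        return None
    kind = "ZIP archive" if head.startswith(ZIP_MAGIC) else "non-PNG data"
    return f"{path.name}: .png extension but contents are a {kind}"

def check_package(pkg: Path) -> list[str]:
    """Flag odd files inside one bundled npm package directory."""
    findings = []
    for f in (p for p in pkg.rglob("*") if p.is_file()):
        if f.suffix == "" and f.name.upper() not in ("LICENSE", "README", "CHANGELOG"):
            findings.append(f"{pkg.name}/{f.name}: extension-less file bundled in package")
        elif f.suffix in (".js", ".ts") and SUSPICIOUS_JS.search(f.read_bytes()):
            findings.append(f"{pkg.name}/{f.name}: references process spawning or cmstp.exe")
    return findings

def audit_extension(root: Path) -> list[str]:
    """Run both checks over an unpacked extension directory."""
    findings = [hit for png in root.rglob("*.png") if (hit := check_png(png))]
    node_modules = root / "node_modules"
    for pkg in (node_modules.iterdir() if node_modules.is_dir() else []):
        if pkg.is_dir():
            findings.extend(check_package(pkg))
    return findings

def build_fixture(base: Path) -> Path:
    """Constructed sample extension mirroring the layout described in the article."""
    pkg = base / "node_modules" / "path-is-absolute"
    pkg.mkdir(parents=True)
    (pkg / "index.js").write_text('module.exports = p => p.startsWith("/"); // "cmstp.exe"\n')
    (pkg / "lock").write_bytes(b"opaque-blob")                 # extension-less carrier file
    (base / "banner.png").write_bytes(ZIP_MAGIC + b"\0" * 16)  # archive disguised as PNG
    (base / "icon.png").write_bytes(PNG_MAGIC + b"\0" * 16)    # genuine PNG header
    return base

def run_demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:  # build fixture, audit it, return sorted findings
        return sorted(audit_extension(build_fixture(Path(tmp))))

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Point `audit_extension` at a real extension folder (for example under `~/.vscode/extensions/`) to triage its bundled dependencies; a genuine PNG such as `icon.png` in the fixture produces no finding.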

“Staying safe isn’t about avoiding extensions altogether – it is about recognizing that even trusted components can be tampered with,” ReversingLabs said.

“All the mentioned extensions have been reported to Microsoft.”
