
Vibe-Coded Malicious VS Code Extension Discovered with Embedded Cryptocurrency Mining Functionality

  • Nov 7, 2025
  • 2 min read

Background


  • Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities.

  • The extension, named "susvsex," was uploaded on November 5, 2025, by a user named "suspublisher18."

  • The extension was designed to activate itself automatically on any event, including on installation or whenever VS Code is launched, and then invoke a function named "zipUploadAndEncrypt."


Extension Functionality


  • The "zipUploadAndEncrypt" function creates a ZIP archive of a target directory, exfiltrates it to a remote server, and replaces the files with their encrypted versions.

  • The TARGET_DIRECTORY is configured to be a test staging directory, but it could easily be changed with a new extension release or with a command sent through the C2 channel.

  • The extension also uses GitHub as a command-and-control (C2) by polling a private GitHub repository for any new commands to be executed.

  • The results of the command execution are written back to the same repository in the "requirements.txt" file using a GitHub access token embedded in the code.


Indicators of "Vibe-Coded" Malware


  • Extraneous comments detailing functionality, README files with execution instructions, and placeholder variables are clear signs of "vibe-coded" malware.

  • The extension package accidentally included decryption tools, the command-and-control server code, and the GitHub access keys for the C2 server, which anyone who obtained the package could use to take over the C2.
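The traits above (activation on every event, a GitHub token embedded in the code, and polling of a GitHub repository for commands) are all visible in an installed extension's files. The following audit script is an added example written for this summary, not code from the reporting or from the malicious package; the token patterns, the set of activation events it flags, and the default extensions path are assumptions.

```python
import json
import re
from pathlib import Path

# Activation events that fire with no user action. "*" is the wildcard that
# activates on every event, the behaviour described for "susvsex" (assumption:
# onStartupFinished is also worth a look because it runs on every launch).
BROAD_ACTIVATION = {"*", "onStartupFinished"}
# Classic (ghp_) and fine-grained (github_pat_) GitHub token formats (assumed shapes).
TOKEN_RE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
# Repo-scoped API URLs, the kind a GitHub-backed C2 channel would poll.
REPO_API_RE = re.compile(r"api\.github\.com/repos/[\w.-]+/[\w.-]+")


def audit_manifest(manifest: dict) -> list[str]:
    """Findings for the parsed contents of an extension's package.json."""
    broad = set(manifest.get("activationEvents", [])) & BROAD_ACTIVATION
    return [f"activates without user action: {sorted(broad)}"] if broad else []


def audit_source(text: str) -> list[str]:
    """Findings for one JavaScript source file shipped with the extension."""
    findings = [f"embedded GitHub token (prefix {t[:8]}...)" for t in TOKEN_RE.findall(text)]
    findings += [f"polls GitHub repo API: {u}" for u in REPO_API_RE.findall(text)]
    return findings


def audit_extension(ext_dir: Path) -> list[str]:
    """Audit one installed extension directory: package.json plus its own .js files."""
    findings = []
    manifest = ext_dir / "package.json"
    if manifest.is_file():
        findings += audit_manifest(json.loads(manifest.read_text(encoding="utf-8")))
    for js in ext_dir.rglob("*.js"):
        if "node_modules" in js.parts:
            continue  # vendored dependencies are noisy; audit the extension's own code
        text = js.read_text(encoding="utf-8", errors="replace")
        findings += [f"{js.relative_to(ext_dir)}: {f}" for f in audit_source(text)]
    return findings


if __name__ == "__main__":
    # Default user extension folder on Linux/macOS (assumption); on Windows it is
    # %USERPROFILE%\.vscode\extensions. Every extension is scanned, not just one.
    root = Path.home() / ".vscode" / "extensions"
    for ext in sorted(p for p in root.iterdir() if p.is_dir()) if root.is_dir() else []:
        for finding in audit_extension(ext):
            print(f"[{ext.name}] {finding}")
```

A hit on any one check is only a lead: many legitimate extensions activate at startup, so the combination of broad activation, an embedded token and repo polling is what warrants pulling the package for manual review.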


Related Malicious npm Packages


  • Datadog Security Labs has uncovered 17 npm packages that masquerade as benign software development kits (SDKs) and provide the advertised functionality, but are engineered to stealthily execute Vidar Stealer on infected systems.

  • The cybersecurity company is tracking the cluster under the name MUT-4831, and some of the packages were first flagged on October 21, 2025, with subsequent uploads recorded the next day and on October 26.

  • The attack chain involves downloading a ZIP archive from an external server on the bullethost[.]cloud domain and executing the Vidar executable contained within the ZIP file.

  • The Vidar 2.0 samples have been found to use hard-coded Telegram and Steam accounts as dead drop resolvers to fetch the actual C2 server.


Sources


  • https://thehackernews.com/2025/11/vibe-coded-malicious-vs-code-extension.html

  • https://www.itsecuritynews.info/vibe-coded-malicious-vs-code-extension-found-with-built-in-ransomware-capabilities/
