Summary: Two malicious extensions on the VSCode Marketplace were found deploying in-development ransomware, exposing significant gaps in Microsoft's review process. The extensions, which remained available for download for months before they were removed, executed a PowerShell script that encrypted the files in a single target folder and displayed a demand for payment in cryptocurrency. The incident underscores the need for stronger vetting to keep malicious uploads off the platform.
Affected: Microsoft VSCode Marketplace
Key points:
- Malicious extensions “ahban.shiba” and “ahban.cychelloworld” were found to deploy ransomware.
- The extensions bypassed Microsoft’s review process and had been live for months before detection.
- ReversingLabs reported the extensions; Microsoft had not acted promptly on earlier alerts from other security researchers about their suspicious behaviour.
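The practical question for anyone who runs VSCode is whether either extension is installed locally, and whether any other installed extension behaves the same way (activates unconditionally and shells out to PowerShell). The script below is an added example written for this page, not code from the advisory, ReversingLabs or Microsoft. Only the two extension IDs come from the advisory; the indicator patterns, the startup-activation heuristic and the three sample extensions it builds in a temporary directory are assumptions made for illustration.

```python
"""Audit a VSCode extensions directory for the extension IDs named in this
advisory and for extension code that spawns PowerShell or other processes.

Added example, not the advisory's own code. Only KNOWN_MALICIOUS_IDS is taken
from the advisory; everything else here is an assumption for illustration.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extension IDs named in the ReversingLabs report (publisher.name form).
KNOWN_MALICIOUS_IDS = {"ahban.shiba", "ahban.cychelloworld"}

# Assumed heuristic indicators: an extension whose code references the Node
# child_process module, PowerShell, or common PowerShell download/eval idioms.
SUSPICIOUS_PATTERNS = {
    "child_process": re.compile(r"\bchild_process\b"),
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE),
    "ps-download-or-eval": re.compile(
        r"Invoke-WebRequest|Invoke-Expression|DownloadString|-EncodedCommand",
        re.IGNORECASE),
}


def extension_id(manifest: Dict) -> str:
    """Build the Marketplace-style ID (publisher.name) from package.json."""
    return f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()


def activates_on_startup(manifest: Dict) -> bool:
    """True if the extension runs without any user action (every startup)."""
    events = manifest.get("activationEvents") or []
    return "*" in events or "onStartupFinished" in events


def scan_extension(ext_dir: Path) -> Optional[Dict]:
    """Return {'id', 'path', 'reasons'} for one extension folder, or None."""
    manifest_path = ext_dir / "package.json"
    if not manifest_path.is_file():
        return None
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    ext_id = extension_id(manifest)
    reasons: List[str] = []
    if ext_id in KNOWN_MALICIOUS_IDS:
        reasons.append("extension ID named in the ReversingLabs report")
    hits = set()
    for js in ext_dir.rglob("*.js"):
        if "node_modules" in js.parts:      # bundled deps are too noisy to scan
            continue
        text = js.read_text(encoding="utf-8", errors="ignore")
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                hits.add(label)
    if hits:
        when = "every startup" if activates_on_startup(manifest) else "on demand"
        reasons.append(f"references {', '.join(sorted(hits))} (activation: {when})")
    return {"id": ext_id, "path": str(ext_dir), "reasons": reasons}


def audit_extensions(ext_root: Path) -> List[Dict]:
    """Scan every extension folder under ext_root; return only flagged ones."""
    findings = []
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        result = scan_extension(ext_dir)
        if result and result["reasons"]:
            findings.append(result)
    return findings


def build_sample_extensions(root: Path) -> None:
    """Constructed sample data for the demo; not real extension contents."""
    samples = {
        "ahban.shiba-1.0.0": (
            {"publisher": "ahban", "name": "shiba", "activationEvents": ["*"],
             "main": "./extension.js"},
            'const { exec } = require("child_process");\n'
            'exports.activate = () => exec("powershell.exe -Command Write-Host hi");\n'),
        "goodvendor.formatter-2.1.0": (
            {"publisher": "goodvendor", "name": "formatter",
             "activationEvents": ["onLanguage:python"], "main": "./extension.js"},
            'exports.activate = () => console.log("formatter ready");\n'),
        "vendor.terminalhelper-0.3.0": (
            {"publisher": "vendor", "name": "terminalhelper",
             "activationEvents": ["onCommand:terminalhelper.run"],
             "main": "./extension.js"},
            'const { spawn } = require("child_process");\n'
            'exports.activate = () => spawn("bash", ["-lc", "echo hi"]);\n'),
    }
    for folder, (manifest, js_source) in samples.items():
        ext_dir = root / folder
        ext_dir.mkdir()
        (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        (ext_dir / "extension.js").write_text(js_source, encoding="utf-8")


def demo() -> List[Dict]:
    """Run the audit against the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_extensions(root)
        return audit_extensions(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["id"], "->", "; ".join(finding["reasons"]))
```

Against a real machine, call `audit_extensions(Path.home() / ".vscode" / "extensions")`, which is where VSCode installs user extensions on Linux and macOS (`%USERPROFILE%\.vscode\extensions` on Windows). A hit on the known IDs is a definite finding; the pattern hits are only a triage signal, since legitimate tooling extensions also spawn processes, which is why the output records whether the code runs at every startup or only on a user command.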