Malicious VSCode extensions distributed in-development ransomware

bleepingcomputer.com

Two malicious extensions found on the VSCode Marketplace could download a form of ransomware that was still under development. Named "ahban.shiba" and "ahban.cychelloworld," the extensions were downloaded only a few times before being taken down. They appeared on the marketplace on October 27, 2024, and February 17, 2025, respectively. Both passed Microsoft's safety checks and so posed a clear security risk for the time they were available. The VSCode Marketplace is widely used by developers to obtain many kinds of software tools.

ReversingLabs found that the extensions could run a PowerShell command that downloaded and executed a ransomware script from a remote server. The ransomware encrypted only a specific folder on the user's computer and displayed a message demanding payment in ShibaCoin to recover the files. Unlike typical ransomware, it did not provide detailed payment instructions.

After being alerted by researchers, Microsoft quickly removed the extensions. However, security researcher Itay Kruk revealed that his scanner had reported the extensions to Microsoft earlier, without any immediate response. Kruk noted that the ahban.cychelloworld extension was initially benign, and that the malicious code was introduced in a later version that was nonetheless accepted onto the platform. This case highlights significant weaknesses in Microsoft's review process for marketplace extensions. Microsoft has made other mistakes as well, such as hastily removing popular themes over security concerns that turned out to be unfounded. The company has stated it will improve its scanning methods to prevent such issues in the future.
