VSCode extensions found downloading early-stage ransomware

Published on: 2025-06-06 17:54:42

Two malicious VSCode Marketplace extensions were found deploying in-development ransomware, exposing critical gaps in Microsoft's review process. The extensions, named "ahban.shiba" and "ahban.cychelloworld," were downloaded seven and eight times, respectively, before they were removed from the store. Notably, the extensions were uploaded to the VSCode Marketplace on October 27, 2024 (ahban.cychelloworld) and February 17, 2025 (ahban.shiba), bypassing safety review processes and remaining on Microsoft's store for an extended period.

The VSCode Marketplace is an online platform where developers can find, install, and share extensions for Visual Studio Code (VSCode). It is widely used by software and web developers, data scientists, and programmers.

ReversingLabs discovered that the two extensions contain a PowerShell command that downloads a second PowerShell script from a remote server and executes it; that script acts as ransomware. The ransomware is clearly in develo ...