19 Fake PNG Extensions Found in VS Code Marketplace

ReversingLabs (RL) researchers have identified a sophisticated supply chain campaign involving 19 malicious Visual Studio Code (VS Code) extensions.

The campaign, which has been active since February 2025 and was uncovered on December 2, 2025, leverages the trust inherent in the developer ecosystem by hiding malware within the dependency folders of otherwise functional extensions.

The attackers employed a novel evasion technique: concealing malicious binaries inside a file masquerading as a PNG image.

The research team observed a steady increase in malware published to the VS Code Marketplace throughout 2025.

Unlike previous campaigns that often relied on malicious pull requests, this operation exploits the architectural differences between standard npm package installations and VS Code extensions.

While standard npm installations fetch dependencies from the remote registry at runtime, VS Code extensions come pre-packaged with a node_modules folder containing all necessary dependencies.

Threat actors utilized this pre-packaged structure to tamper with local versions of popular libraries without altering the official packages hosted on npm.

Specifically, the attackers modified the local copy of the widely used path-is-absolute package (over 9 billion cumulative downloads) inside the extension files.

Because these changes exist only within the bundled extension, the official npm repository remains untouched and safe, while the extension acts as a carrier for the weaponized code.

The “Banner.png” Deception

The technical execution of this attack relies on a multi-stage infection chain embedded within the modified dependency.

The attackers altered the index.js file of the path-is-absolute package to include a new class responsible for initiating the malware.

This class executes code upon VS Code startup, decoding a JavaScript dropper hidden in a file named lock. The dropper is obfuscated via base64 encoding and reversed character strings to evade static analysis.

Malicious code being added to index.js of the “path-is-absolute” npm package.

When the extension runs, the decoded dropper extracts the binaries packed inside banner.png and executes them using cmstp.exe, a legitimate Windows “Living-off-the-Land” binary (LOLBIN).

One binary emulates key presses to close the LOLBIN window, while the second is a complex Rust-based trojan currently under analysis.

While the majority of the discovered extensions abused path-is-absolute, researchers noted a variation in four extensions that targeted the @actions/io package instead.

In these instances, the threat actors did not use the PNG disguise. Instead, the malicious binaries were split into separate files masquerading as TypeScript (.ts) and sourcemap (.map) files.

The following table outlines the key technical components and indicators associated with this campaign:

Component         File Type         Function in Attack Chain
----------------  ----------------  ----------------------------------------------------------------------
path-is-absolute  npm Package       Legitimate dependency modified locally to host malicious logic.
banner.png        Archive           Fake image file containing the Rust trojan and helper binaries.
lock              Obfuscated File   Contains the reversed, base64-encoded JavaScript dropper.
index.js          Script            Modified entry point that triggers the decoding of the lock file.
cmstp.exe         LOLBIN            Legitimate Windows tool abused to execute the extracted payload.
@actions/io       npm Package       Alternative target package used to hide malware in .ts and .map files.

A critical component of this campaign is a file named banner.png. While appearing to be a standard image asset for the extension, RL researchers discovered it was an archive containing two malicious binaries.

Rising Threat Landscape

This incident underscores a broader trend of attackers targeting developer environments.

Data from ReversingLabs indicates that detections of malicious software on the VS Code Marketplace nearly quadrupled, rising from 27 instances in 2024 to 105 in the first ten months of 2025.

Security experts recommend that development teams rigorously audit extensions, particularly those with low install counts or recent publish dates.

Since malware can reside deep within the node_modules hierarchy rather than the main extension code, automated security tooling and deep inspection of packaged dependencies are becoming essential for maintaining a secure development pipeline.
