
Security researchers have uncovered a significant threat targeting developers through the VS Code Marketplace. A coordinated campaign involving 19 malicious extensions has been actively infiltrating the platform, with the attack remaining undetected since February 2025.
These deceptive extensions carry hidden malware in their dependency folders, designed to evade security detection and compromise developer machines.
The campaign showcases how attackers have shifted their approach to target the software supply chain. Rather than deploying obvious threats, the threat actors created extensions that either impersonate legitimate packages or claim to offer genuine features.
Once installed, these extensions activate malicious code silently in the background. What makes this campaign particularly sophisticated is the method of concealment: the attackers embedded executable files within what appeared to be harmless image files, specifically PNG files.
This approach creates an additional layer of deception, as developers would not suspect a graphic file of containing executable code.
The threat emerges from a worrying trend. In the first ten months of 2025 alone, malware detections on VS Code almost quadrupled compared to 2024, rising from 27 to 105 instances.
This sharp increase indicates that the VS Code Marketplace has become an increasingly attractive target for malicious actors seeking to reach developer communities.
ReversingLabs security analysts identified that the malware exploits the way VS Code extensions are structured.
Extensions come pre-packaged with all their dependencies in a node_modules folder, allowing them to run without needing to download additional components.
The researchers discovered that the attackers weaponized the popular “path-is-absolute” npm package, which has accumulated over 9 billion downloads since 2021.
By adding malicious code to this dependency within their extensions, they turned a trusted component into a delivery mechanism for the trojan.
Technical Infection Mechanism
The infection process begins when VS Code starts up. The modified package’s index.js file contains a new class that automatically triggers upon launch.
This class decodes a JavaScript dropper concealed inside the malicious banner.png file. The dropper itself was hidden through base64 encoding and string reversal, making manual analysis difficult.
When executed, this dropper deploys two malicious binaries using cmstp.exe, a legitimate Windows tool that attackers abuse.
One binary manages the attack process, while the other is a more sophisticated Rust-based trojan whose full capabilities were still under investigation at the time of discovery.
Four extensions in the campaign used an alternative method, splitting the binaries across separate .ts and .map files rather than concealing them in PNG files.
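As an added illustration for defenders (not code from the article or from ReversingLabs), the following script checks for two traits of the tradecraft described above: a PNG file that carries extra data after its IEND chunk, and a dependency's index.js that combines base64 decoding, string reversal and a read of a .png file. The article does not state exactly how the payload was laid out inside banner.png, so the after-IEND check and the regex indicators are the author's assumptions, and the sample index.js is constructed for the test.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_bytes(data: bytes) -> int:
    """Bytes after the IEND chunk; 0 for a clean PNG. Payloads smuggled into
    an image often ride after IEND, where image viewers ignore them."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # length + type + payload + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    raise ValueError("no IEND chunk")

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG; `trailer` simulates data hidden after IEND."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return PNG_SIG + ihdr + idat + _chunk(b"IEND", b"") + trailer

# Heuristic indicators (author's assumptions, not published signatures).
INDICATORS = {
    "base64_decode": re.compile(r"""['"]base64['"]|\batob\("""),
    "string_reverse": re.compile(r"""\.split\(['"]{2}\)\.reverse\(\)\.join\("""),
    "reads_png": re.compile(r"""['"][^'"]*\.png['"]"""),
    "cmstp": re.compile(r"\bcmstp(\.exe)?\b", re.I),
}

def js_indicators(source: str) -> list[str]:
    """Indicator names present in a JS source; several together warrant review."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

# Constructed sample resembling the modified index.js the article describes.
SAMPLE_INDEX_JS = (
    "const blob = require('fs').readFileSync(__dirname + '/banner.png', 'utf8');\n"
    "const src = Buffer.from(blob, 'base64').toString().split('').reverse().join('');"
)
```

Run `png_trailing_bytes` over every .png under an extension's node_modules and `js_indicators` over each dependency's entry file; a real path-is-absolute index.js should match none of the indicators.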
Development teams should immediately audit their installed extensions, verify their sources, and employ security scanning tools before installation to prevent compromise.
