Cybersecurity firm ReversingLabs (RL) has detected a sophisticated, long-running campaign targeting developers on the Visual Studio Code (VS Code) Marketplace. In total, 19 malicious extensions were found hiding a Trojan, with the campaign active since February 2025 and discovered on December 2.
VS Code is a key tool for many developers, which makes its Marketplace, where extensions (add-on features) are distributed, a prime target for cybercriminals. These findings came just a couple of weeks after a fake “Prettier” extension on the same marketplace was spotted dropping Anivia Stealer.
The Dependency Trick
According to RL Threat Researcher Petar Kirhmajer, the attackers used a classic Trojan technique where malicious software is disguised as something harmless. In this case, the malware was hidden inside an extension’s dependency folder, which holds the pre-packaged code an extension needs to run smoothly.
Attackers made a smart move. Instead of adding new code, they tampered with a highly popular, trusted dependency called path-is-absolute, which has gathered over 9 billion downloads since 2021.

By modifying this trusted package before bundling it into their rogue extensions, they added new code. This new code’s only job was to run immediately upon VS Code startup and decode a JavaScript dropper hidden in an internal file named lock. This means that users who blindly trusted the popular name in the dependency list would not find anything concerning.
A Fake PNG File
The final and most deceptive stage involved a file named banner.png. Although the .png extension suggests a standard image file, RL researchers noted that it was merely a disguise. Opening it with a normal photo viewer produced an error message.
Further investigation revealed that banner.png was not an image but an archive containing two malicious binaries (the core parts of the malware). The decoded dropper then used the native Windows tool cmstp.exe to launch these binaries. The larger of the two is a complex Trojan, though its exact attack capabilities are still under review.
It is worth noting that several other malicious extensions in the campaign used a different dependency (@actions/io) and did not rely on the fake PNG file, splitting the binaries into separate .ts and .map files instead.
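The banner.png disguise described above can be caught by comparing each image-named file's leading bytes with the signature its extension implies. The Python below is an added example, not code from ReversingLabs or the original article; the function names, the constructed sample tree and the use of ZIP for the sample archive are assumptions, since the article does not name the archive format.

```python
import os
import tempfile

# Magic bytes for image types an extension normally ships.
IMAGE_MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": (b"\xff\xd8\xff",),
               ".jpeg": (b"\xff\xd8\xff",), ".gif": (b"GIF87a", b"GIF89a")}
# Containers and executables worth naming when found behind an image name.
OTHER_MAGIC = [(b"PK\x03\x04", "zip archive"), (b"\x1f\x8b", "gzip stream"),
               (b"7z\xbc\xaf\x27\x1c", "7z archive"), (b"Rar!\x1a\x07", "rar archive"),
               (b"MSCF", "cabinet archive"), (b"MZ", "windows executable")]

def classify(header):
    """Name the real content type from a file's leading bytes."""
    for magic, label in OTHER_MAGIC:
        if header.startswith(magic):
            return label
    return "unknown data"

def find_disguised_images(root):
    """Return sorted (relative path, real type) for image-named non-images."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_MAGIC:
                continue
            full = os.path.join(folder, name)
            with open(full, "rb") as fh:
                header = fh.read(16)
            if not header.startswith(IMAGE_MAGIC[ext]):
                findings.append((os.path.relpath(full, root), classify(header)))
    return sorted(findings)

def build_sample_extension(root):
    """Constructed sample tree; file locations and the ZIP type are assumptions."""
    for rel, data in [
        (("images", "icon.png"), b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        (("node_modules", "sample-dep", "banner.png"), b"PK\x03\x04" + b"\x00" * 8),
        (("node_modules", "sample-dep", "index.js"), b"module.exports = {};\n"),
    ]:
        path = os.path.join(root, *rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_extension(tmp)
        for rel, kind in find_disguised_images(tmp):
            print(f"{rel}: named as an image, content is {kind}")
```

Point `find_disguised_images` at an unpacked extension directory to audit it. The check does not cover the variant that splits the binaries across .ts and .map files, because those files carry no image extension.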
This research, published on December 10, 2025, and shared with Hackread.com, shows a rapid increase in threats. In the first ten months of 2025, malicious VS Code detections almost quadrupled, rising from 27 in 2024 to 105 this year.
Researchers confirmed that every one of the flagged extensions has been reported to Microsoft. Developers are urged to thoroughly inspect extensions, especially those with low downloads or few reviews, before installation.
