In late November 2025, a sophisticated supply-chain attack leveraging the Visual Studio Code extension ecosystem came to light, demonstrating how threat actors are increasingly targeting developer tools to gain persistent access to high-value systems.
On November 21, a malicious extension masquerading as the popular Prettier code formatter appeared briefly on the official VSCode Marketplace before being removed within four hours.
Despite its short lifespan, the extension compromised at least three systems before security researchers traced the operation back to a GitHub repository containing a multi-stage malware chain.
The attack represents a deliberate exploitation of developer trust. The fake “prettier-vscode-plus” extension, published under the account “publishingsofficial,” was designed to look indistinguishable from the legitimate Prettier tool trusted by millions of developers worldwide.
Once installed, it initiated a carefully orchestrated infection sequence delivering the Anivia loader, which subsequently deployed OctoRAT a fully featured remote access toolkit containing over 70 command modules for complete system compromise.
The threat actor responsible for the operation used a GitHub repository deliberately named “vscode” to host obfuscated VBScript payloads and deployment materials.
This naming choice was strategic; a repository called “vscode” blends seamlessly into legitimate developer workflows and is unlikely to trigger suspicion in network logs or automated security alerts.
Analysis of the repository’s commit history reveals active operations spanning November 20-27, during which the threat actor employed payload rotation techniques to evade signature-based detection.
Files were uploaded and deleted in rapid succession, a clear indicator of operational security awareness and ongoing campaign refinement.
Multi-Stage Infection Chain
The infection chain unfolds in three distinct stages. The initial vector uses a VBScript dropper that extracts and executes a PowerShell payload containing Base64-encoded, AES-encrypted malware.
The script creates a temporary file, executes the decrypted payload with security bypass flags, and performs self-deletion to remove forensic evidence all within seconds.
The dropper initializes two Windows COM objects for file operations and command execution, allowing execution to proceed silently without alerting the victim.
The Anivia loader, the second stage, is a C# executable containing a hardcoded 228,384-byte encrypted payload.
Using the AES-256 key “AniviaCryptKey2024!32ByteKey!!XX,” the loader decrypts the embedded binary entirely in memory before employing process hollowing to inject the final payload into the legitimate vbc.exe (Visual Basic Compiler) binary.
This technique allows the malware to hide within a trusted Microsoft-signed process, evading reputation-based and allowing security controls.
OctoRAT, the third stage, initializes immediately upon injection. The malware establishes persistence through Windows Task Scheduler under the name “WindowsUpdate,” scheduled to execute every minute an aggressive strategy ensuring rapid recovery if processes are terminated.
Before establishing command-and-control communications, OctoRAT immediately harvests browser credentials from Chrome, Firefox, and Edge, exfiltrating passwords, autofill data, cookies, and browsing history to the attacker’s server.
Operational Scope and Discovery
Internet-wide scanning identified at least seven active OctoRAT control panels, all hosting the distinctive “OctoRAT Center – Login” interface that facilitates management of compromised systems.
![OctoRAT Center login panel discovered at 51.178.245[.]127:8000.](https://public-hunt-static-blog-assets.s3.us-east-1.amazonaws.com/12-2025/Malicious+VSCode+Extension+Launches+Multi-Stage+Attack+Chain+with+Anivia+Loader+and+OctoRAT+-+figure+11.png "Malicious VSCode Extension Deploys Anivia Loader and OctoRAT 4")
Infrastructure analysis revealed connections to Railnet LLC hosting in multiple countries, with threat actors reusing identical TLS certificates across dozens of servers.
This infrastructure clustering, discovered through certificate pivoting, suggests either a well-organized criminal operation or a malware-as-a-service offering sold to multiple threat actors.
The implications are significant: OctoRAT’s comprehensive command set spanning remote desktop control, cryptocurrency wallet theft, WiFi credential extraction, Windows Firewall disablement, and user account control bypass indicates a toolkit designed for financially motivated attackers with technical sophistication.
The presence of “harassment functions” like screen rotation, input blocking, and taskbar hiding suggests secondary market sales to less-skilled operators seeking intimidation capabilities.
Attack through several indicators: suspicious VSCode extension installations outside everyday workflows, VBS-to-PowerShell execution chains with Base64 and AES patterns, unusual vbc.exe process activity with network connections, and outbound traffic to identified OctoRAT infrastructure on ports 8000 and 7777.
Developers should implement strict extension management policies and verify extension publishers through official channels.
This campaign underscores the evolving threat landscape targeting developer ecosystems. The combination of supply-chain compromise, sophisticated malware engineering, and broad command-and-control capabilities reflects a mature threat actor or well-functioning criminal service.
Organizations with developer populations require elevated vigilance and enhanced endpoint detection capabilities.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.