A recently discovered malicious Visual Studio Code (VSCode) extension masquerading as the well-known “Prettier” formatter briefly infiltrated the official VSCode Marketplace, delivering a variant of the Anivia Stealer malware in a targeted attack to steal sensitive login credentials and private data from developers’ systems.
Thanks to the vigilance of the Checkmarx Zero research team, specifically Daniel Miranda and Raphael Silva, and close collaboration with the VSCode Marketplace security team, the compromised extension was identified, reported, and removed from the marketplace within just four hours of its appearance.
Before removal, telemetry indicated only six downloads and three installations, minimizing its reach and impact.
The malicious extension appears to be a direct fork of the legitimate Prettier extension (esbenp.prettier-vscode), with only minor tweaks, mainly to inject the attacker’s multi-stage payload system.
By closely mimicking the branding, description, and style of the trusted Prettier tool, the attacker sought to deceive developers into inadvertently installing malicious software under the guise of a popular productivity tool.
Multi-Stage and Evasive Attack Tactics
Analysis of the malicious “prettier-vscode-plus” extension revealed a sophisticated, multi-stage infection process engineered to elude standard security scanners:
- Payload Acquisition: The extension retrieves an encrypted, base64-encoded payload from a remote GitHub repository.
- Temporary Launchpad: It writes a VBScript (VBS) to the system’s %TEMP% directory, executes it, and immediately deletes the file, reducing forensic traces.
- In-Memory Execution: The VBS script triggers PowerShell commands that decrypt the payload using a static AES key (AniviaCryptKey2024!32ByteKey!HXX), so the final malware binary is never written to disk. The decrypted binary is loaded and executed directly in memory via the [Reflection.Assembly]::Load method, calling the Anivia.AniviaCRT entry point common to Anivia Stealer strains.
- Anti-Sandbox Evasion: The attack incorporates basic anti-analysis checks, such as detecting low CPU count or minimal RAM, to evade sandboxed test environments.
This stealthy deployment method ensures very little disk evidence remains, with only fleeting temporary files facilitating the attack.
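The chain above leaves little on disk, but it is loud in process telemetry: a script host started on a .vbs under %TEMP%, a child PowerShell that performs a reflective assembly load, and the launching script deleted seconds later. The following is an added example, not code from the article or from Checkmarx Zero, that scores constructed process-creation and file-deletion events for exactly that sequence. The event field names (type, ts, pid, ppid, image, cmdline, path) are an assumption loosely modelled on Sysmon Event IDs 1 and 23, not any real EDR schema, and the sample events are constructed for the demo.

```python
"""Heuristic detection for the in-memory loader chain described above.

Added example, not code from the article or from Checkmarx Zero. Field names
(type, ts, pid, ppid, image, cmdline, path) are an assumption loosely modelled
on Sysmon Event IDs 1 (process create) and 23 (file delete).
"""
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
TEMP_VBS_RE = re.compile(r"\\temp\\[^\\\"']+\.vbs", re.IGNORECASE)
REFLECTIVE_LOAD_RE = re.compile(r"\[Reflection\.Assembly\]::Load", re.IGNORECASE)
B64_DECODE_RE = re.compile(r"FromBase64String", re.IGNORECASE)

# Constructed sample telemetry for the demo; not captured from a real host.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2024-06-01T10:00:00", "pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe --type=extensionHost"},
    {"type": "process", "ts": "2024-06-01T10:00:03", "pid": 4180, "ppid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\dev\AppData\Local\Temp\u1.vbs"'},
    {"type": "process", "ts": "2024-06-01T10:00:04", "pid": 4200, "ppid": 4180,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"$b=[Convert]::FromBase64String($x);"
                "[Reflection.Assembly]::Load($b)\""},
    {"type": "file_delete", "ts": "2024-06-01T10:00:05", "pid": 4180,
     "path": r"C:\Users\dev\AppData\Local\Temp\u1.vbs"},
    # Benign noise: a script run from Documents that spawns an ordinary PowerShell.
    {"type": "process", "ts": "2024-06-01T10:05:00", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Users\dev\Documents\inventory.vbs"'},
    {"type": "process", "ts": "2024-06-01T10:05:01", "pid": 5010, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\inventory"},
]

ALERT_THRESHOLD = 5


def detect_loader_chain(events, delete_window=timedelta(seconds=30)):
    """Return one finding per script-host process whose chain scores high enough."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    deletes = [e for e in events if e["type"] == "file_delete"]
    findings = []
    for ps in procs.values():
        if not ps["image"].lower().endswith("powershell.exe"):
            continue
        parent = procs.get(ps["ppid"])
        if parent is None or not parent["image"].lower().endswith(SCRIPT_HOSTS):
            continue
        if not TEMP_VBS_RE.search(parent["cmdline"]):
            continue  # script hosts run from elsewhere are out of scope for this rule
        score, reasons = 2, ["script host launched a .vbs from %TEMP%"]
        if REFLECTIVE_LOAD_RE.search(ps["cmdline"]):
            score += 3
            reasons.append("PowerShell child performs a reflective assembly load")
        if B64_DECODE_RE.search(ps["cmdline"]):
            score += 1
            reasons.append("PowerShell child decodes a base64 blob")
        grandparent = procs.get(parent["ppid"])
        if grandparent is not None and grandparent["image"].lower().endswith("code.exe"):
            score += 1
            reasons.append("chain originates from the VS Code process")
        started = datetime.fromisoformat(parent["ts"])
        for d in deletes:
            if d["pid"] == parent["pid"] and d["path"].lower().endswith(".vbs"):
                gap = datetime.fromisoformat(d["ts"]) - started
                if timedelta(0) <= gap <= delete_window:
                    score += 2
                    reasons.append("launching .vbs deleted %ds after start" % gap.seconds)
                    break
        if score >= ALERT_THRESHOLD:
            findings.append({"pid": parent["pid"], "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_loader_chain(SAMPLE_EVENTS):
        print("ALERT pid=%d score=%d" % (f["pid"], f["score"]))
        for r in f["reasons"]:
            print("  -", r)
```

The scoring is deliberately additive: a developer running a .vbs from %TEMP% alone does not alert, but a %TEMP% script host whose PowerShell child loads an assembly from memory crosses the threshold even before the file-delete event arrives, so the rule still fires when deletion telemetry is missing.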
Anivia Stealer: Exfiltrating Sensitive Data
Once executed, the malware exfiltrates not only login credentials but also system metadata and private information such as WhatsApp chats. This underscores the intent to loot both professional and personal data from compromised systems.
This incident highlights the persistent threat posed by software supply chain attacks, even on official marketplaces. To better protect against similar campaigns:
- Verify Before Installing: Only download extensions from trusted sources, and scrutinize even familiar names for suspicious publisher details or recent unusual updates.
- Deploy Endpoint Protection: Ensure EDR solutions are in place to detect and block behaviors indicative of in-memory payload delivery and stealer activity.
- Restrict External Extensions: Consider policies restricting the installation of extensions not originating directly from the VSCode Marketplace, especially in enterprise environments.
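The first recommendation is easiest to act on when the check is automated: compare what is installed against an allowlist of publisher.name IDs and flag anything whose name resembles a trusted extension but comes from a different publisher, which is exactly how a "prettier-vscode-plus" fork differs from esbenp.prettier-vscode. The following is an added example, not the article's or Checkmarx Zero's code. It parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints; the allowlist and the sample listing are constructed for the demo, and "unknown-publisher" is a placeholder, not the real publisher of the malicious extension.

```python
"""Audit installed VS Code extension IDs against an allowlist.

Added example, not the article's or Checkmarx Zero's code. Input is the
`publisher.name@version` format printed by `code --list-extensions --show-versions`.
"""
import difflib
import re

# Constructed allowlist; an organisation would maintain its own.
TRUSTED = {
    "esbenp.prettier-vscode",
    "dbaeumer.vscode-eslint",
    "ms-python.python",
}

# Constructed listing; "unknown-publisher" is a placeholder publisher ID.
SAMPLE_LISTING = """\
esbenp.prettier-vscode@10.4.0
unknown-publisher.prettier-vscode-plus@10.4.1
ms-python.python@2024.4.1
somebody.rainbow-brackets@1.0.0
"""

EXT_LINE_RE = re.compile(r"^([^.@\s]+)\.([^@\s]+)(?:@(\S+))?$")


def parse_extension_list(text):
    """Turn the CLI listing into dicts with publisher, name, version and id."""
    exts = []
    for line in text.splitlines():
        m = EXT_LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected line
        publisher, name, version = m.groups()
        exts.append({"publisher": publisher, "name": name,
                     "version": version, "id": f"{publisher}.{name}"})
    return exts


def audit_extensions(installed, trusted=TRUSTED, threshold=0.8):
    """Return one finding per extension that is not on the allowlist.

    `lookalike_of` names the allowlisted extension whose name the installed one
    resembles (same or similar name under another publisher), or None.
    """
    trusted_names = {}
    for tid in trusted:
        _, name = tid.split(".", 1)
        trusted_names.setdefault(name, []).append(tid)
    findings = []
    for ext in installed:
        if ext["id"] in trusted:
            continue
        lookalike, best = None, 0.0
        for name, ids in trusted_names.items():
            ratio = difflib.SequenceMatcher(None, ext["name"], name).ratio()
            # A trusted name embedded in the installed name (or vice versa) is a hit.
            if name in ext["name"] or ext["name"] in name:
                ratio = 1.0
            if ratio >= threshold and ratio > best:
                best, lookalike = ratio, ids[0]
        findings.append({"id": ext["id"], "version": ext["version"],
                         "lookalike_of": lookalike})
    return findings


if __name__ == "__main__":
    for f in audit_extensions(parse_extension_list(SAMPLE_LISTING)):
        tag = ("LOOKALIKE of " + f["lookalike_of"]) if f["lookalike_of"] else "not on allowlist"
        print(f'{f["id"]}@{f["version"]}: {tag}')
```

The key design point is that the comparison is on the full publisher.name ID, never on the display name alone: a fork keeps the familiar name and description, but it cannot publish under the original publisher's ID, so the publisher segment is the signal worth enforcing.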
Checkmarx Zero continues actively monitoring the VSCode Marketplace, analyzing suspicious extensions, and reporting new threats.
Marketplace security teams at Microsoft remain highly responsive, facilitating swift takedowns and reducing exposure windows.
Nevertheless, ongoing vigilance is essential as attackers may shift to distributing such threats via other channels outside the official marketplace.
By combining proactive research with timely reporting and community education, incidents like this can be contained rapidly, ensuring developer ecosystems remain safe from emergent malware threats.
