
"Secure Annex researcher John Tuckner, who flagged the extension "susvsex," said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named "suspublisher18" along with the description "Just testing" and the email address "donotsupport@example[.]com." "Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch," reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace."
"According to details shared by "suspublisher18," the extension is designed to automatically activate itself on any event, including installing or when launching VS Code, and invoke a function named "zipUploadAndEncrypt," which creates a ZIP archive of a target directory, exfiltrates it to a remote server, and replaces the files with their encrypted versions. "Fortunately, the TARGET_DIRECTORY is configured to be a test staging directory so it would have little impact right now,"
"Besides encryption, the malicious extension also uses GitHub as command-and-control (C2) by polling a private GitHub repository for any new commands to be executed by parsing the "index.html" file. The results of the command execution are written back to the same repository in the "requirements.txt" file using a GitHub access token embedded in the code. The GitHub account associated with the repository - aykhanmv - continues to be active, with the developer claiming to be from"
The extension susvsex was uploaded on November 5, 2025, by the user suspublisher18 with the description "Just testing" and the email address donotsupport@example[.]com. On first launch it automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS). The extension is configured to activate on any event, including installation or VS Code launch, and calls zipUploadAndEncrypt to create a ZIP archive of the target directory, exfiltrate it to a remote server, and replace the files with encrypted versions. TARGET_DIRECTORY currently points at a test staging folder but can be changed via updates or C2 commands. The extension polls a private GitHub repository for commands in index.html and writes execution results back to requirements.txt using a GitHub access token embedded in the code. Microsoft removed the extension from the VS Code Marketplace on November 6.
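A defender-side triage script, added here as an example and not code from the article or from the extension itself: it flags, in an installed VS Code extension, the three traits the summary describes (eager activation on every event, a GitHub token embedded in the code, and a hard-coded GitHub content URL used as a command channel). The activation-event set, the token pattern and the GitHub hosts are assumptions; the sample manifest and script are constructed.

```python
import json
import re
from pathlib import Path

# Constructed sample, not the real susvsex code: it reproduces the traits the
# article describes (eager activation, an embedded GitHub token, polling a
# repository file for commands). The token value is a placeholder.
SAMPLE_MANIFEST = {"name": "sample-ext", "activationEvents": ["*"], "main": "./extension.js"}
SAMPLE_MAIN_JS = (
    'const TOKEN = "ghp_' + "A" * 36 + '";\n'
    'const CMD_URL = "https://api.github.com/repos/example/example/contents/index.html";\n'
    "function zipUploadAndEncrypt(dir) { /* zip, upload, encrypt */ }\n"
)

# Heuristics (assumptions, not taken from the article): activation events that
# run the extension on everything, GitHub token formats, and the GitHub hosts a
# repository-polling command channel would contact.
EAGER_ACTIVATION = {"*", "onStartupFinished"}
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b")
GITHUB_URL_RE = re.compile(r"https?://(api\.github\.com|raw\.githubusercontent\.com)/\S+")


def audit_extension(manifest: dict, main_js: str) -> list[str]:
    """Return human-readable findings for one extension's manifest and entry script."""
    findings = []
    eager = set(manifest.get("activationEvents", [])) & EAGER_ACTIVATION
    if eager:
        findings.append(f"eager activation: {sorted(eager)}")
    for m in TOKEN_RE.finditer(main_js):
        findings.append(f"embedded GitHub token (prefix {m.group(0)[:4]})")
    for host in sorted({m.group(1) for m in GITHUB_URL_RE.finditer(main_js)}):
        findings.append(f"GitHub content URL hard-coded: {host}")
    return findings


def audit_installed(ext_root: Path) -> dict[str, list[str]]:
    """Audit every extension folder under ext_root (e.g. ~/.vscode/extensions)."""
    report = {}
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        manifest_path = ext_dir / "package.json"
        if not manifest_path.is_file():
            continue
        manifest = json.loads(manifest_path.read_text(encoding="utf-8", errors="replace"))
        entry = ext_dir / manifest.get("main", "extension.js")
        main_js = entry.read_text(encoding="utf-8", errors="replace") if entry.is_file() else ""
        findings = audit_extension(manifest, main_js)
        if findings:
            report[ext_dir.name] = findings
    return report


if __name__ == "__main__":
    for line in audit_extension(SAMPLE_MANIFEST, SAMPLE_MAIN_JS):
        print(line)
```

The heuristics only surface candidates for manual review; an extension that activates eagerly or talks to GitHub is not malicious by itself.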
Read at The Hacker News