How Malicious VSCode Extensions Sneak Trojans Past Developers: The Anatomy of a Supply Chain Attack
A seemingly harmless VSCode theme extension can sometimes be a wolf in sheep’s clothing. In December 2025, security researchers uncovered a campaign where attackers bundled trojans inside fake PNG files within Visual Studio Code Marketplace extensions, exploiting the trust developers place in their tools. By embedding malicious dependencies directly into extension packages—rather than fetching them from npm—attackers sidestepped standard integrity checks and delivered weaponized versions of popular packages like path-is-absolute and @actions/io (BleepingComputer, 2025).
What made this campaign particularly insidious was its use of obfuscation: a dropper hidden in a file named lock and a disguised archive masquerading as banner.png (which actually contained a living-off-the-land binary and a custom Rust-based trojan). These tactics allowed the malware to blend in, evading both automated and manual reviews on the VSCode Marketplace. The attackers’ strategy highlights the evolving sophistication of supply chain attacks and the urgent need for vigilance among developers and organizations (ReversingLabs, 2025).
Threat Actor Tactics: Bundling Malicious Dependencies
Threat actors targeting the Visual Studio Code (VSCode) Marketplace have adopted sophisticated tactics to bypass traditional security checks. One of the primary methods involves pre-packaging extensions with malicious dependencies inside the extension bundle itself, rather than relying on the npm registry to fetch dependencies during installation. This approach is significant because it allows attackers to introduce compromised versions of widely trusted packages without raising immediate suspicion.
For example, in the campaign uncovered in December 2025, attackers included a node_modules directory within each malicious extension. This directory contained tampered versions of popular npm packages such as path-is-absolute and @actions/io. The altered dependencies were not fetched from the official npm registry but were instead delivered directly as part of the extension. This technique effectively bypassed the standard npm integrity checks and allowed the attacker to inject custom, malicious code into the extension’s runtime environment (BleepingComputer, 2025).
The scale of this tactic is underscored by the fact that path-is-absolute alone has been downloaded over 9 billion times since 2021, making it a highly trusted component in the JavaScript ecosystem. By weaponizing only the copies bundled within the 19 malicious extensions, attackers ensured that their modifications would not be detected by users or automated tools that check the public npm registry for tampering.
Obfuscation and Execution: Concealing Malicious Payloads
A critical element in the success of these attacks is the use of obfuscation and covert execution strategies. The attackers embedded a new class within the index.js file of the compromised dependencies. This class was designed to execute automatically whenever the VSCode IDE started, ensuring the malicious payload would run without requiring any user interaction.
The malicious code in index.js was responsible for decoding an obfuscated JavaScript dropper hidden in a file named lock. This dropper, once decoded, initiated the next stage of the attack chain. By embedding the dropper in an innocuously named file and using code obfuscation techniques, the attackers made detection by static analysis tools and manual inspection significantly more challenging.
Additionally, the attackers disguised an archive containing two malicious binaries as a PNG file named banner.png. This file did not contain an actual image but instead hosted a living-off-the-land binary (LoLBin) called cmstp.exe and a custom Rust-based trojan. LoLBins are legitimate system binaries that can be abused for malicious purposes, further complicating detection efforts (ReversingLabs, 2025).
The use of file masquerading—presenting an executable archive as an image file—demonstrates a nuanced understanding of how developers and security tools typically inspect extension contents. By hiding malicious binaries in plain sight, attackers exploited the assumption that image files are benign, thereby increasing the likelihood of successful compromise.
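A check for the two packaging tricks described above, as an added example rather than code from the researchers or the Marketplace: it walks an unpacked extension directory, flags image-named files whose leading bytes do not match the format's signature, and lists every package shipped under a bundled node_modules tree. The function names and the finding format are assumptions made for this example.

```javascript
// Added example, not from the original reports; names are illustrative.
const fs = require('fs');
const path = require('path');
// Signatures an image-named file must start with.
const JPEG = [Buffer.from([0xff, 0xd8, 0xff])];
const IMAGE_MAGIC = {
  '.png': [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])],
  '.jpg': JPEG, '.jpeg': JPEG,
  '.gif': [Buffer.from('GIF87a'), Buffer.from('GIF89a')],
};

// True when `head` begins with one of the signatures registered for `ext`.
function headerMatches(ext, head) {
  return IMAGE_MAGIC[ext].some((sig) => head.subarray(0, sig.length).equals(sig));
}

// Read only the first `n` bytes so large payloads are not loaded whole.
function readHead(file, n = 8) {
  const fd = fs.openSync(file, 'r');
  try {
    const buf = Buffer.alloc(n);
    return buf.subarray(0, fs.readSync(fd, buf, 0, n, 0));
  } finally {
    fs.closeSync(fd);
  }
}

// Walk `root`; report image-named files with wrong magic bytes and every
// package directory shipped under a bundled node_modules tree.
function auditExtension(root) {
  const findings = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      const rel = path.relative(root, full).split(path.sep).join('/');
      if (entry.isDirectory()) {
        const isPkg = /(^|\/)node_modules\//.test(rel) && fs.existsSync(path.join(full, 'package.json'));
        if (isPkg) findings.push({ type: 'bundled-dependency', path: rel });
        walk(full);
      } else if (entry.isFile()) {
        const ext = path.extname(entry.name).toLowerCase();
        const bad = IMAGE_MAGIC[ext] && !headerMatches(ext, readHead(full));
        if (bad) findings.push({ type: 'masquerade', path: rel });
      }
    }
  };
  walk(root);
  return findings;
}
```

A .vsix file is a ZIP archive, so unpack it to a scratch directory and pass that directory to auditExtension. A bundled-dependency finding is not proof of tampering on its own, but each listed package is a copy that registry-side checks never saw and should be compared against the published version.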
Evasion of Marketplace and User-Level Detection
The attackers’ methodology was specifically crafted to evade both automated and manual reviews on the VSCode Marketplace. By leveraging legitimate package names and mimicking standard extension structures, the malicious extensions appeared indistinguishable from authentic offerings at a superficial glance.
Furthermore, the extensions were published with generic but plausible names such as “Malkolm Theme,” “PandaExpress Theme,” “Prada 555 Theme,” and “Priskinski Theme,” all using the version number 1.0.0. The uniformity and simplicity of these names reduced the likelihood of drawing attention during routine marketplace moderation or by end users browsing for new themes.
A key aspect of this evasion strategy was the attackers’ decision to bundle all dependencies locally. This prevented the VSCode installation process from reaching out to external repositories, which could have triggered warnings or integrity checks. Since the dependencies were already present and appeared to be legitimate open-source packages, the extensions passed initial scrutiny.
The attackers also took advantage of the fact that many developers do not thoroughly inspect the contents of extension packages before installation, especially when the publisher appears reputable or the extension is highly rated. This behavioral blind spot allowed the malicious code to propagate to developer environments with minimal resistance.
Supply Chain Implications: Risks to Developer Workstations and Beyond
The compromise of developer tools like VSCode through malicious extensions represents a high-impact supply chain attack vector. Developers are often entrusted with sensitive source code, credentials, and access to critical infrastructure. By infecting a developer’s workstation, attackers can potentially exfiltrate intellectual property, insert backdoors into software projects, or pivot to broader organizational networks.
The campaign described in the December 2025 incident highlights the systemic risk posed by compromised extensions. Once installed, the malicious code could execute arbitrary payloads, such as the Rust-based trojan and LoLBin, with the same privileges as the developer. This could lead to credential theft, unauthorized access to private repositories, and the spread of malware to other systems via shared codebases or continuous integration/continuous deployment (CI/CD) pipelines.
Supply chain attacks of this nature are particularly insidious because they exploit trust relationships between developers and the tools they use. The attackers’ ability to remain undetected for months—since February 2025 in this case—demonstrates the effectiveness of their tactics and the challenges faced by defenders in identifying such threats (BleepingComputer, 2025).
Defensive Recommendations: Inspection and Verification Strategies
Given the evolving sophistication of supply chain attacks targeting developer tools, several defensive measures are recommended to mitigate risk:
- Manual Inspection of Bundled Dependencies: Developers and security teams should scrutinize extension packages for bundled dependencies, especially when these are not fetched from trusted sources like the official npm registry. Any deviation from standard dependency management practices should be treated as a potential red flag.
- Automated Static and Dynamic Analysis: Incorporating automated tools that perform both static code analysis and dynamic behavior monitoring can help detect obfuscated or suspicious code within extension packages. These tools should be updated regularly to recognize new obfuscation patterns and attack techniques.
- Publisher Reputation Verification: Extensions should only be installed from reputable publishers with a history of trustworthy contributions. New or unknown publishers, particularly those offering multiple extensions with similar versioning and naming conventions, warrant additional scrutiny.
- Continuous Monitoring for Indicators of Compromise: Organizations should implement endpoint detection and response (EDR) solutions to monitor developer workstations for signs of compromise, such as unexpected process executions (cmstp.exe) or network connections initiated by IDE processes.
- Education and Awareness: Developers should be educated about the risks of supply chain attacks and encouraged to adopt a security-first mindset when selecting and installing extensions. Regular training on how to identify suspicious packages and report potential threats is essential.
- Prompt Response to Disclosures: When malicious extensions are discovered and reported, as was the case with the 19 extensions in this campaign, affected users should immediately scan their systems for compromise and remove any suspicious packages. Organizations should maintain an incident response plan tailored to supply chain threats in the development environment.
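The continuous-monitoring recommendation can be expressed as detection logic over process-creation telemetry. The following is an added example, not a rule from the cited reports: it flags cmstp.exe launches that have the VS Code process somewhere in their ancestry. The event field names (pid, ppid, image), the sample events and the Code.exe image name are assumptions constructed for illustration.

```javascript
// Added example. Constructed sample process-creation events; the field
// names are assumptions modeled on common EDR process telemetry.
const VSCODE = 'C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe';
const SAMPLE_EVENTS = [
  { pid: 100, ppid: 1, image: 'C:\\Windows\\explorer.exe' },
  { pid: 200, ppid: 100, image: VSCODE },              // IDE main process
  { pid: 210, ppid: 200, image: VSCODE },              // IDE child process
  { pid: 300, ppid: 210, image: 'C:\\Windows\\System32\\cmd.exe' },
  { pid: 310, ppid: 300, image: 'C:\\Windows\\System32\\cmstp.exe' },
  { pid: 400, ppid: 100, image: 'C:\\Windows\\System32\\cmstp.exe' }, // no IDE ancestor
];

const IDE_IMAGES = new Set(['code.exe']);   // assumed IDE process name
const WATCHED = new Set(['cmstp.exe']);     // LoLBin named in the report

// Lower-cased file name of a Windows or POSIX style image path.
const baseName = (image) => image.split(/[\\/]/).pop().toLowerCase();

// Return one alert per watched binary that has an IDE process among its
// ancestors, with the parent chain that links the two.
function findIdeSpawnedLolbins(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const alerts = [];
  for (const e of events) {
    if (!WATCHED.has(baseName(e.image))) continue;
    const chain = [];
    const seen = new Set([e.pid]);          // guards against pid loops
    let cur = byPid.get(e.ppid);
    while (cur && !seen.has(cur.pid)) {
      seen.add(cur.pid);
      chain.push(baseName(cur.image));
      if (IDE_IMAGES.has(baseName(cur.image))) {
        alerts.push({ pid: e.pid, image: baseName(e.image), chain });
        break;
      }
      cur = byPid.get(cur.ppid);
    }
  }
  return alerts;
}
```

Operating systems reuse PIDs, so production telemetry should key the ancestry map on a unique process identifier and timestamp rather than the bare pid used here.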
By implementing these strategies, the risk of falling victim to similar attacks can be significantly reduced, even as threat actors continue to refine their techniques to evade detection and compromise the software supply chain (ReversingLabs, 2025).
Final Thoughts
The VSCode Marketplace incident is a stark reminder that even trusted developer tools can become vectors for sophisticated supply chain attacks. By leveraging clever obfuscation, file masquerading, and the bundling of malicious dependencies, attackers managed to infiltrate developer environments with alarming stealth. This campaign underscores the importance of not just relying on marketplace reputation or automated checks, but also adopting a layered defense strategy: manual inspection, robust static and dynamic analysis, and ongoing education for developers (BleepingComputer, 2025).
As attackers continue to refine their techniques, organizations must stay proactive—scrutinizing every extension, monitoring for unusual activity, and fostering a culture of security-first thinking. The lessons from this incident are clear: trust, but verify, and always be prepared for the unexpected (ReversingLabs, 2025).
References
- BleepingComputer. (2025). Malicious VSCode Marketplace extensions hid trojan in fake PNG file. https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace-extensions-hid-trojan-in-fake-png-file/