Cybersecurity researchers have identified two harmful extensions in the Visual Studio Code
(VSCode) Marketplace that are designed to distribute an evolving ransomware strain to users.
The extensions, named "ahban.shiba" and "ahban.cychelloworld," have been removed by marketplace administrators.
According to ReversingLabs, both extensions contain code that executes a PowerShell command. This command retrieves a PowerShell script from a command-and-control (C2) server and runs it. The script appears to be an early-stage ransomware variant, currently encrypting only files within a folder named "testShiba" on the victim's Windows desktop.
After encryption, the script displays a message stating:
"Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them."
However, no further instructions or cryptocurrency wallet details are provided, suggesting that the malware is still in development.
This discovery follows a similar security alert from a few months ago when a software supply chain security firm flagged multiple malicious extensions. Some of these extensions disguised themselves as Zoom but contained hidden functionality to download an unidentified second-stage payload from a remote server.
Just last week, cybersecurity firm Socket reported a deceptive Maven package mimicking the scribejava-core OAuth library. This package stealthily collects and transmits OAuth credentials on the 15th of each month, using a time-based trigger to avoid detection.
The malicious library was uploaded to Maven Central on January 25, 2024, and remains available for download. Security researcher Kush Pandya noted that attackers used typosquatting—creating a nearly identical name to mislead developers into installing the malicious package.
Interestingly, this harmful package has six dependent packages, all mimicking legitimate ones but using the group ID "io.github.leetcrunch" instead of the authentic "com.github.scribejava" namespace.
This technique aims to make the malicious package appear legitimate, increasing the likelihood that unsuspecting developers will integrate it into their projects.
Found this article interesting? Follow us on X(Twitter) and Instagram to read more exclusive content we post.
