Have you ever installed a Visual Studio Code (VS Code) extension believing it would make your life easier? Now imagine a VS Code extension that locks up your files like a ransomware infection. Yes, this is what happened. Let me detail the path a fake "AI-Slop" ransomware test extension took to end up on the official VS Code Marketplace.
What Happened
A fake extension called “susvsex” was uploaded to Microsoft’s VS Code Marketplace under the publisher name “suspublisher18.”
The wild part? Its own description clearly stated that it was there to protect your environmental data and to lock your files up for "ransom," using AES-256-CBC encryption.
Here’s what it did:
• When someone installed or opened it, it executed a command titled zipUploadAndEncrypt.
• It zipped your files, uploaded them to the attacker's server, and then encrypted the original files on your machine.
• It connected to a private GitHub account using a hard-coded access key and received further commands from there.
• The source code looked as if it had been AI-generated rather than written by an actual person.
• A security researcher named John Tuckner submitted a tip to Microsoft, but the extension remained online for a while before it was removed.
Why This Should Be So Worrying
We Trusted the Marketplace
Most of us think extensions from Microsoft's marketplace are safe. This extension contained clear ransomware code, yet it was still allowed through.
AI-Generated Malware
The name "AI-Slop" comes from the ugly code: the style looked AI-generated. Not great code by any stretch, but it still worked and, more importantly, it could encrypt files. Yikes!
Not Just Targeting Random People
This attack did not target random people; it targeted developers. Think of how much of a project you worked hard on could be lost because of one bad extension.
Microsoft Missed Major Red Flags
The extension had obvious red flags, such as a command that sends your files off to a remote server. It was published anyway. This goes to show that even major platforms have a lot of room for improvement in their security checks.
What You Should Do
If you use VS Code, here’s how to protect yourself:
- Only install trusted extensions with good reviews.
- Check who the publisher is — if it is new or unusual, don’t install it.
- Avoid extensions asking for too many permissions.
- Back up your projects frequently so you don’t lose them.
- If you work as part of a group, agree to a set of approved extensions all members may use safely.
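A small checker for that last point, added here as an example and not taken from the original post: it compares the output of `code --list-extensions --show-versions` against a team allowlist whose shape is a simplified model of VS Code's own `extensions.allowed` setting. The allowlist and the installed-extension listing are constructed samples; the last listed extension uses the names from this post.

```python
# Check installed VS Code extensions against a team allowlist. The input is the
# `publisher.name@version` format printed by `code --list-extensions
# --show-versions`. The allowlist is a simplified model of VS Code's own
# `extensions.allowed` setting: a bare publisher key approves every extension
# from that publisher, a `publisher.name` key approves (True) or blocks (False)
# one extension, a list of versions approves only those pins; unmatched = denied.
from typing import Dict, List, Tuple, Union

Allowlist = Dict[str, Union[bool, List[str]]]
# Constructed sample allowlist (an assumption about what a team might agree on).
TEAM_ALLOWLIST: Allowlist = {
    "ms-python": True,                     # every extension from this publisher
    "ms-python.isort": False,              # ...except this one
    "esbenp.prettier-vscode": True,        # one specific extension
    "dbaeumer.vscode-eslint": ["3.0.10"],  # only this pinned version
}

# Constructed sample listing; the last entry uses the names from the post.
SAMPLE_INSTALLED = """\
ms-python.python@2024.22.0
ms-python.isort@2023.10.1
esbenp.prettier-vscode@11.0.0
dbaeumer.vscode-eslint@3.0.5
suspublisher18.susvsex@1.0.0
"""

def parse_listing(text: str) -> List[Tuple[str, str, str]]:
    """Split each `publisher.name@version` line into (publisher, name, version)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ext_id, _, version = line.strip().partition("@")
        publisher, _, name = ext_id.partition(".")
        entries.append((publisher, name, version))
    return entries

def is_allowed(allowlist: Allowlist, publisher: str, name: str, version: str) -> bool:
    """Most specific rule wins: extension id, then publisher, then deny by default."""
    rule = allowlist.get(f"{publisher}.{name}", allowlist.get(publisher))
    if rule is None:
        return False
    if isinstance(rule, bool):
        return rule
    return version in rule  # explicit version pins only

def unapproved(allowlist: Allowlist, listing: str) -> List[str]:
    """Ids (with versions) of installed extensions that fail the policy."""
    return [f"{p}.{n}@{v}" for p, n, v in parse_listing(listing)
            if not is_allowed(allowlist, p, n, v)]
```

Run it against the real listing by piping `code --list-extensions --show-versions` into `unapproved`; anything it returns is an extension the team never agreed on, which is exactly where a publisher like the one in this post would show up.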