Cybersecurity experts have discovered ransomware hidden within two Visual Studio Code (VSCode) Marketplace extensions, raising concerns about Microsoft’s ability to detect malicious software in its platform. The compromised extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded by users before security researchers flagged them and they were subsequently removed.
Despite Microsoft’s security measures, the extensions remained publicly accessible for a significant period, highlighting potential gaps in the company’s review process.
The “ahban.cychelloworld” extension was first uploaded on October 27, 2024, followed by “ahban.shiba” on February 17, 2025. The VSCode Marketplace, designed to provide developers with additional tools for Microsoft’s popular coding platform, has come under scrutiny for failing to identify these threats.
Researchers at ReversingLabs determined that both extensions included a PowerShell script that connected to a remote Amazon Web Services (AWS) server to download further malicious code. This secondary payload functioned as ransomware, though evidence suggests it was still in a testing phase.
Unlike traditional ransomware that encrypts entire systems, this malware specifically targeted files stored in C:\users%username%\Desktop\testShiba. Once the encryption was complete, victims received a Windows notification stating: “Your files have been encrypted. Pay 1 ShibaCoin to Shiba
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: