‘Ransomvibing’ Infests Visual Studio Extension Market

Summary

A malicious Visual Studio Code extension, published under the name “susvsex,” openly advertised that it encrypted, zipped and uploaded files to a remote command-and-control (C2) server. Research by Secure Annex founder John Tuckner shows the extension was likely “vibe coded” — generated by an AI model using natural-language prompts — and exhibited telltale signs such as excessive comments, verbose logging and odd implementation choices (including a hardcoded decryption key).

The extension used a private GitHub repository as a C2 channel and included both Python and Node decryptors. Microsoft removed the extension after it was reported, but the incident raises concerns about marketplace moderation, the lowering of the attacker skill floor via AI, and the potential for more polished, dangerous AI-generated malware arriving via trusted distribution channels.

Key Points

  • “Ransomvibing” describes ransomware written via “vibe coding” (AI-generated code) and published as a VS Code extension.
  • The susvsex extension openly stated it would zip, encrypt and upload files to a remote C2 repository (a private GitHub repo).
  • Signs in the code that it was AI-generated: lots of comments, extensive logging and strange design choices (for example, a hardcoded decryption key).
  • The extension included multiple decryptor implementations (Python and Node), suggesting automated generation rather than a seasoned operator.
  • Microsoft removed the extension after reporting, but the response process and moderation gaps worry researchers.
  • The incident highlights a new supply-chain/trusted-channel risk: AI can lower the skill floor and enable hobbyist actors to publish damaging code.

Context and Relevance

This matters because AI-generated code is now common in legitimate development workflows — and adversaries are following the same path. Vibe-coded malware can be produced quickly and cheaply, increasing the chance of low-effort but high-impact threats appearing in trusted marketplaces. For organisations and developers that rely on VS Code extensions, this incident underlines the need for stricter vetting, runtime controls and monitoring of extension behaviour and updates.
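As an added example (not code from the Dark Reading article or from Secure Annex's research), the Python script below implements the kind of extension vetting and update monitoring the paragraph calls for: it reads the inventory VS Code keeps in ~/.vscode/extensions/extensions.json, flags extensions that are not on an organisation allowlist, reports version drift against a saved baseline (which is how a silent auto-update shows up), and flags manifest activation settings that make an extension run code on every editor start. The allowlist, baseline, inventory and manifest are constructed sample data, and the publisher id used for the `susvsex` entry is a placeholder because the article does not give the real one.

```python
"""Audit installed VS Code extensions: allowlist, update drift, and startup activation.

Added example; not from the article or the Secure Annex research. Assumes the
layout of ~/.vscode/extensions/extensions.json (a JSON list of records with
identifier.id, version and relativeLocation) and the extension package.json manifest.
"""
import json
from pathlib import Path

# Constructed organisation allowlist of extension ids (publisher.name).
ALLOWLIST = {"ms-python.python", "dbaeumer.vscode-eslint"}

# Constructed snapshot from a previous run, used to spot auto-update drift.
SAMPLE_BASELINE = {"ms-python.python": "2024.22.0", "dbaeumer.vscode-eslint": "3.0.9"}

# Constructed sample in the shape of extensions.json. The publisher id on the
# susvsex entry is a placeholder, not the real publisher.
SAMPLE_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.22.0",
     "relativeLocation": "ms-python.python-2024.22.0"},
    {"identifier": {"id": "dbaeumer.vscode-eslint"}, "version": "3.0.10",
     "relativeLocation": "dbaeumer.vscode-eslint-3.0.10"},
    {"identifier": {"id": "publisher-placeholder.susvsex"}, "version": "0.0.1",
     "relativeLocation": "publisher-placeholder.susvsex-0.0.1"},
])

# Constructed sample package.json for an extension that activates on every start.
SAMPLE_MANIFEST = {
    "name": "susvsex", "publisher": "publisher-placeholder", "version": "0.0.1",
    "activationEvents": ["*"], "main": "./extension.js",
}


def load_inventory(text: str) -> dict:
    """Map extension id (lower-cased) to installed version from extensions.json content."""
    return {rec["identifier"]["id"].lower(): rec["version"] for rec in json.loads(text)}


def audit(inventory: dict, allowlist: set, baseline: dict) -> dict:
    """Return ids outside the allowlist, ids not in the baseline, and version changes."""
    allowed = {a.lower() for a in allowlist}
    not_allowed = sorted(ext for ext in inventory if ext not in allowed)
    new = sorted(ext for ext in inventory if ext not in baseline)
    # (old, new) version pairs for anything whose version moved since the baseline
    updated = {ext: (baseline[ext], ver) for ext, ver in inventory.items()
               if ext in baseline and baseline[ext] != ver}
    return {"not_allowed": not_allowed, "new": new, "updated": updated}


def manifest_findings(manifest: dict) -> list:
    """Flag activation settings that make the extension run code with no user action."""
    findings = []
    events = manifest.get("activationEvents", [])
    if "*" in events:
        findings.append("activates on every VS Code start (activationEvents contains '*')")
    if "onStartupFinished" in events:
        findings.append("activates shortly after every start (onStartupFinished)")
    return findings


if __name__ == "__main__":
    real = Path.home() / ".vscode" / "extensions" / "extensions.json"
    text = real.read_text() if real.exists() else SAMPLE_INVENTORY
    report = audit(load_inventory(text), ALLOWLIST, SAMPLE_BASELINE)
    print(json.dumps(report, indent=2))
    for finding in manifest_findings(SAMPLE_MANIFEST):
        print("manifest:", finding)
```

Run it on a schedule and persist the reported inventory as the next baseline, so every new install or version change gets a human look before it is trusted. Pairing this with `extensions.autoUpdate` set to false on managed workstations keeps updates from landing before that review happens.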

It also ties into broader trends: AI-assisted phishing and malware have already appeared, and proof-of-concept AI ransomware research exists. The real danger is not the crude examples today but the potentially sophisticated, AI-hardened variants that could slip through moderation and spread via auto-updates or one-click installs.

Why should I read this?

Short version: someone got ransomware into the VS Code Marketplace — yes, really. If you install extensions, manage developer workstations, or protect supply chains, this is a useful wake-up call. Take five minutes to check your extension policies and add basic controls — we’ve done the legwork so you don’t have to dig through the full research unless you want the nitty-gritty.

Author’s take

Punchy and simple: this is a red flag for every dev team and security ops group. The example was sloppy, but sloppy today can become polished tomorrow. Read the details, tighten your extension controls, and treat marketplace code as a potentially hostile dependency.

Source

Source: https://www.darkreading.com/application-security/ransomvibing-infests-visual-studio-extension-market