Screenshot showing Visual Studio Code Marketplace vulnerability warning.
Critical Flaw in Visual Studio Code Marketplace Exposes Developers to Malware Risks
A security vulnerability in the Visual Studio Code (VS Code) Marketplace allows attackers to reuse names of previously deleted extensions, enabling them to distribute malicious software under seemingly legitimate names. This flaw, discovered by cybersecurity researchers at ReversingLabs, poses a significant risk to developers worldwide.
Details of the Vulnerability
The loophole permits threat actors to republish extensions using the same name as those previously removed from the VS Code Marketplace. For instance, researchers identified a malicious extension named “ahbanC.shiba,” which mimicked two earlier extensions, “ahban.shiba” and “ahban.cychelloworld,” flagged in March 2025. These extensions act as downloaders, retrieving a PowerShell script from an external server that encrypts files in a “testShiba” folder on a victim’s Windows desktop and demands a Shiba Inu cryptocurrency token for recovery. The similarity in names exploits the trust developers place in familiar extensions, increasing the likelihood of infection.
According to VS Code documentation, extension names should be unique and lowercase without spaces. However, researcher Lucija Valentić found that once an extension is removed (not unpublished), its name becomes available for reuse. This differs from unpublished extensions, which retain their names. A similar issue exists in the Python Package Index (PyPI), though PyPI restricts reuse of names for malicious packages, a safeguard absent in the VS Code Marketplace.
Implications for Developers
This vulnerability heightens the risk of supply chain attacks, where attackers exploit trusted platforms to distribute malware. If a popular, legitimate extension is removed, its name could be reused to publish malicious code, tricking developers into installing it. The malicious extensions in this case were designed to deploy ransomware, highlighting the potential for significant harm, such as data loss or financial extortion.
Response and Mitigation
Microsoft has not yet implemented restrictions to prevent name reuse for deleted extensions, unlike PyPI’s approach. Developers are advised to:
- Install extensions only from trusted publishers on the official VS Code Marketplace.
- Verify extension authenticity by checking publisher details and reviews.
- Use security tools to scan for malicious code in installed extensions.
- Regularly monitor and update development environments to mitigate risks.
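As an added example (not code from the article or from ReversingLabs), the following script audits the output of `code --list-extensions --show-versions` against a team-maintained pin list and flags look-alike identifiers, i.e. an installed extension whose name part matches a pinned extension but whose publisher differs, the pattern behind ahbanC.shiba versus ahban.shiba. The sample extension lines, version numbers and allowlist are constructed for the example.

```python
"""Audit installed VS Code extensions against a pinned allowlist.

Input is the line format printed by `code --list-extensions --show-versions`
(publisher.name@version). Sample lines and pins below are constructed.
"""
import re

EXT_RE = re.compile(r"^(?P<publisher>[^.@\s]+)\.(?P<name>[^@\s]+)@(?P<version>\S+)$")

# Constructed sample of what `code --list-extensions --show-versions` prints.
SAMPLE_INSTALLED = """\
ms-python.python@2024.0.2
ahbanC.shiba@0.0.3
esbenp.prettier-vscode@10.4.0
ms-vscode.cpptools@1.20.5
"""

# Hypothetical pin list a team might maintain: extension id -> approved version.
ALLOWLIST = {
    "ms-python.python": "2024.0.1",
    "ahban.shiba": "0.0.2",  # stand-in for an extension that was later deleted
    "esbenp.prettier-vscode": "10.4.0",
}


def parse_extension_ids(text):
    """Return a list of (publisher, name, version); lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = EXT_RE.match(line.strip())
        if m:
            out.append((m["publisher"], m["name"], m["version"]))
    return out


def audit(installed_text, allowlist):
    """Classify each installed extension as ok, version_drift, lookalike or unknown.

    A lookalike shares the name part with a pinned extension but comes from a
    different publisher. Ids are compared case-insensitively, so the uppercase
    letter in ahbanC does not hide the mismatch with ahban.
    """
    allowed = {k.lower(): v for k, v in allowlist.items()}
    pinned_names = {k.split(".", 1)[1] for k in allowed}
    findings = {}
    for publisher, name, version in parse_extension_ids(installed_text):
        ext_id = f"{publisher}.{name}".lower()
        if ext_id in allowed:
            findings[ext_id] = "ok" if allowed[ext_id] == version else "version_drift"
        elif name.lower() in pinned_names:
            findings[ext_id] = "lookalike"
        else:
            findings[ext_id] = "unknown"
    return findings
```

Anything reported as `lookalike` or `unknown` deserves a manual check of the publisher page before the extension is allowed to stay installed.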
Conclusion
The VS Code Marketplace vulnerability underscores the growing threat of supply chain attacks targeting open-source platforms. Developers must exercise caution when installing extensions and adopt proactive security measures to protect their systems. Enhanced vetting and restrictions on name reuse by Microsoft could help mitigate this risk in the future.