A Visual Studio Code (VS Code) extension with ransomware capabilities, believed to be “vibe coded” using generative AI, was discovered in the official Visual Studio Marketplace, according to a blog post by Secure Annex published this week.

The extension, called susvsex and published by the user suspublisher18, clearly stated its malicious functionality in its description and showed several signs of AI generation, including excessive comments and “sloppy” implementation, Secure Annex Founder John Tuckner wrote in the blog post published Tuesday.

The extension is activated upon installation and immediately runs a function designed to encrypt files in a targeted directory and collect the original versions in a ZIP archive to be exfiltrated to the attacker’s server.

However, the extension appeared to be more of a test than a functional form of ransomware, as the target directory was configured to a test staging directory rather than a viable target.

Additionally, a decryption key and two different decryptors, also believed to be vibe coded, were included within the extension’s code.

In addition to its ransomware functionality, the susvsex extension established a command-and-control (C2) connection to a private GitHub repository, which it would periodically check for new commits and commands from index.html, Tuckner wrote. The output of these commands would be sent back to the GitHub repo, written to the file requirements.txt.

A GitHub Personal Access Token (PAT) hardcoded in the extension allowed Tuckner to write his own commands to index.html and read the results from requirements.txt, potentially revealing information about the extension developer’s own machine. Tuckner successfully recovered information that appeared to correspond to the developer’s GitHub profile, which used the username aykhanmv and showed a location in Baku, Azerbaijan.

Despite the extension’s limited ability to cause damage in its current state, its publication in the Visual Studio Marketplace raised concerns about the marketplace’s review process. It also highlighted how threat actors are experimenting with AI for malware generation, with Tuckner dubbing susvsex an example of “ransomvibing.”

As of Friday afternoon, the susvsex extension was no longer available in the Visual Studio Marketplace.
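For teams that vet extensions before allowing them on developer machines, the traits described above (activation without user action, an embedded GitHub token, GitHub API traffic, command execution, file encryption) can be checked statically in an unpacked extension. The following is an added example, not code from Secure Annex or from the extension. The function name, the escalation rule and the sample data are assumptions, and the article does not say which activation event susvsex declared; `*` and `onStartupFinished` are the VS Code events that start an extension without user action.

```javascript
// Added triage example; heuristics and sample data are constructed for illustration.
const EAGER_EVENTS = new Set(["*", "onStartupFinished"]); // activate without user action
// Line-level indicators matching behaviours named in the report.
const CHECKS = [
  { id: "github-token", re: /\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{20,})\b/ },
  { id: "github-api", re: /api\.github\.com\/repos\// },
  { id: "process-exec", re: /\bchild_process\b/ },
  { id: "cipher-use", re: /\bcreateCipheriv\s*\(/ },
];
// manifest: parsed package.json; sources: { relativePath: fileText }.
function triageExtension(manifest, sources) {
  const findings = [];
  for (const ev of manifest.activationEvents || []) {
    if (EAGER_EVENTS.has(ev)) {
      findings.push({ id: "eager-activation", where: "package.json", detail: ev });
    }
  }
  for (const [path, text] of Object.entries(sources)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const { id, re } of CHECKS) {
        // Record only the location, never the matched secret itself.
        if (re.test(line)) findings.push({ id, where: `${path}:${i + 1}` });
      }
    });
  }
  const ids = new Set(findings.map((f) => f.id));
  // Escalate on the combination: embedded GitHub credential + repo API traffic
  // + either command execution or file encryption.
  const escalate = ids.has("github-token") && ids.has("github-api") &&
    (ids.has("process-exec") || ids.has("cipher-use"));
  return { findings, escalate };
}

// Constructed samples (placeholder token and repo path, not values from the report).
const FAKE_TOKEN = "ghp_" + "0".repeat(36);
const suspicious = {
  manifest: { name: "sample-ext", activationEvents: ["*"] },
  sources: {
    "extension.js": [
      'const cp = require("child_process");',
      `const TOKEN = "${FAKE_TOKEN}";`,
      'const API = "https://api.github.com/repos/OWNER/REPO/contents/";',
    ].join("\n"),
  },
};
const benign = {
  manifest: { name: "linter-ext", activationEvents: ["onLanguage:python"] },
  sources: { "extension.js": 'const vscode = require("vscode");' },
};
```

Any single indicator is common in legitimate extensions, so only the combination is escalated for manual review; a token hit on its own still warrants reporting the leaked credential.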
Ransomware, DevOps, Supply chain, Generative AI
AI-generated ransomware extension found on Visual Studio Marketplace




