Close Menu
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
What's Hot

Transport and mobility needs to change the approach to net zero

Chinese hacker Xu Zewei has been arrested for linking between silk typhoon groups and US cyberattacks

Includes Microsoft Patch 130 vulnerabilities, important flaws in SPNEGO and SQL Server

Facebook X (Twitter) Instagram
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
Facebook X (Twitter) Instagram
Fyself News
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
Fyself News
Home » VScode Marketplace removes two extensions that deploy early stage ransomware
Identity

VScode Marketplace removes two extensions that deploy early stage ransomware

userBy userMarch 24, 2025No Comments2 Mins Read
Share Facebook Twitter Pinterest Telegram LinkedIn Tumblr Email Copy Link
Follow Us
Google News Flipboard
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

March 24, 2025Ravi LakshmananMalware/Encryption

VSCODE Marketplace

Cybersecurity researchers have discovered two malicious extensions in the Visual Studio Code (VSCODE) marketplace, designed to deploy ransomware that is being developed to users.

The extensions named “ahban.shiba” and “ahban.cychhelloworld” were then defeated by market maintainers.

For each ReversingLabs, the extension incorporates code designed to invoke PowerShell commands, grabs and executes the PowerShell-Script payload from the Command and Control (C2) server.

Cybersecurity

The payload is suspected of being ransomware in early stage development, and only encrypts files in a folder called “Testshiba” on the victim’s Windows desktop.

Once the files are encrypted, a message will appear in the PowerShell payload and say, “The files are encrypted. Pay Shiva Wallet to 1 Shiva Coin and recover them.”

However, no other instructions or cryptocurrency wallet addresses have been provided to the victim. This indicates that malware is likely under development by threat actors.

The development comes months after the software supply chain security company flagged some malicious extensions. Some malicious extensions spoofed Zoom, but they had the ability to download unknown second stage payloads from remote servers.

VSCODE Marketplace

Last week, Socket detailed a malicious Maven package that impersonated the Scribejava-Core Oauth library, which secretly harvests and removes OAuth qualifications on the 15th day of each month, highlighting a time-based triggering mechanism designed to avoid detection.

The library was uploaded to Maven Central on January 25th, 2024. It continues to be available for download from the repository.

Cybersecurity

“The attackers used typecutting. They tricked the developer into creating almost identical names to add malicious packages,” says security researcher Kush Pandya. “Interestingly, this malicious package has six dependent packages.”

“They are all type-scooting legal packages, but instead of the actual namespace (com.github.scribejava) they share the same GroupID (io.github.leetcrunch).”

In adopting this approach, the idea is to increase the perceived legitimacy of malicious libraries and increase the likelihood that developers will download and use in their projects.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read exclusive content you post.

Source link

Follow on Google News Follow on Flipboard
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Previous ArticleCarbon negative construction produces stronger building materials
Next Article GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More
user
  • Website

Related Posts

Chinese hacker Xu Zewei has been arrested for linking between silk typhoon groups and US cyberattacks

July 9, 2025

Includes Microsoft Patch 130 vulnerabilities, important flaws in SPNEGO and SQL Server

July 9, 2025

Hackers use leaked shelter tool licenses to spread Lumma Stealer and Sectoprat malware

July 8, 2025
Add A Comment
Leave A Reply Cancel Reply

Latest Posts

Transport and mobility needs to change the approach to net zero

Chinese hacker Xu Zewei has been arrested for linking between silk typhoon groups and US cyberattacks

Includes Microsoft Patch 130 vulnerabilities, important flaws in SPNEGO and SQL Server

Changing your approach to antibiotics

Trending Posts

Subscribe to News

Subscribe to our newsletter and never miss our latest news

Please enable JavaScript in your browser to complete this form.
Loading

Welcome to Fyself News, your go-to platform for the latest in tech, startups, inventions, sustainability, and fintech! We are a passionate team of enthusiasts committed to bringing you timely, insightful, and accurate information on the most pressing developments across these industries. Whether you’re an entrepreneur, investor, or just someone curious about the future of technology and innovation, Fyself News has something for you.

Robots Play Football in Beijing: A Glimpse into China’s Ambitious AI Future

TwinH: A New Frontier in the Pursuit of Immortality?

Meta’s Secret Weapon: The Superintelligence Unit That Could Change Everything 

Unlocking the Power of Prediction: The Rise of Digital Twins in the IoT World

Facebook X (Twitter) Instagram Pinterest YouTube
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
© 2025 news.fyself. Designed by by fyself.

Type above and press Enter to search. Press Esc to cancel.