ReversingLabs researchers discovered a campaign of 19 malicious VS Code extensions that bundled modified dependencies to hide malware, including an archive disguised as a PNG that contained two malicious binaries. The attackers weaponized the popular npm package path-is-absolute (and in some cases used @actions/io), embedding a base64-reversed JavaScript dropper that decodes and launches payloads via cmstp.exe on VS Code startup. #path-is-absolute #VSCodeMarketplace
Keypoints
- ReversingLabs (RL) identified 19 malicious Visual Studio Code extensions on the VS Code Marketplace that contained tampered dependencies delivering malware.
- The campaign dated back to February 2025 and was discovered by RL on December 2, 2025.
- Threat actors modified the popular npm package path-is-absolute inside the extensions’ node_modules folders, adding malicious files and a class that triggers on VS Code startup.
- The attacker obfuscated a JavaScript dropper by base64 encoding and reversing it, storing it in a file named lock and embedding payloads inside a file named banner.png that was actually an archive with two binaries.
- The embedded binaries were executed through the living-off-the-land binary cmstp.exe; one binary emulated a key press to dismiss the LOLBIN's prompt, and the other was a Rust trojan still under analysis at the time of publication.
- Four of the malicious extensions used the npm package @actions/io and stored the two binaries as separate .ts and .map files instead of a PNG archive.
- RL recommends inspecting and auditing extensions and their dependencies before installation and using security tooling (e.g., Spectra Assure) to detect threats; all identified extensions were reported to Microsoft.
MITRE Techniques
- [T1195] Supply Chain Compromise – Attackers modified dependencies bundled inside VS Code extensions to deliver malware through the software supply chain [‘shifting deeper into the supply chain and abusing trusted components’]
- [T1036] Masquerading – The payload was disguised as an image file (banner.png) to hide malicious archives and evade casual inspection [‘banner.png, as it turned out, wasn’t an image file.’]
- [T1027] Obfuscated Files or Information – The dropper was obfuscated by base64 encoding and then reversing the output to conceal the JavaScript payload [‘obfuscated the dropper by base64 encoding the plain javascript file, followed by taking that base64 output blob and reversing it’]
- [T1059] Command and Scripting Interpreter – A JavaScript dropper decoded from a file named lock was executed to launch additional binaries [‘decode a javascript dropper contained inside a file named lock’]
- [T1218] Signed Binary Proxy Execution – The campaign used the legitimate Windows binary cmstp.exe to run malicious binaries (LOLBIN abuse) [‘running the two malicious binaries using “cmstp.exe,” a common living-off-the-land binary (LOLBIN)’]
- [T1105] Ingress Tool Transfer – Malicious binaries and payloads were delivered bundled inside VSIX extensions hosted on the VS Code Marketplace [‘bundled together into a single VS Code extension, ready to be shared as a .VSIX file or hosted on Microsoft’s VS Code Marketplace.’]
Indicators of Compromise
- [File name] Malicious files in dependency folders – banner.png (archive masquerading as an image), lock (base64-reversed JavaScript dropper)
- [Package name] Modified npm dependencies used to deploy the payload – path-is-absolute (modified locally inside the extensions), @actions/io (used by four extensions to deploy payloads)
- [Binary name] Execution artifacts and payloads – cmstp.exe (LOLBIN used to run payloads), embedded Rust trojan binary inside the PNG archive (under analysis)
- [File extension] Disguised payload storage – .ts (TypeScript) and .map (sourcemap) files used to hold binaries in some extensions instead of a PNG archive
- [Detection ID] Security detection reference – RL Spectra Assure policy violation SQ30108 (ML detection flagged the Rust binary)
- [Extension artifact] Distribution container – 19 malicious VSIX-packaged VS Code extensions discovered on the VS Code Marketplace (extension names were reported to Microsoft)
Read more: https://www.reversinglabs.com/blog/malicious-vs-code-fake-image