Security researchers at ReversingLabs have uncovered a significant security threat in the Visual Studio Code Marketplace, where two extensions were found containing hidden ransomware capabilities. The compromised extensions — ahban.shiba and ahban.cychelloworld — evaded detection for several months, exposing critical gaps in the marketplace’s update validation process.
Technical Analysis of the Malicious Extensions
Both extensions used obfuscated PowerShell commands to retrieve and execute malicious scripts from a remote server hosted on Amazon Web Services (AWS). The ransomware was in a testing phase, with encryption deliberately limited to a single directory, C:\users\%username%\Desktop\testShiba, a controlled proof-of-concept deployment designed to validate the payload before wider release.
Infection Timeline and Evolution
The threat emerged when ahban.cychelloworld was published on October 27, 2024, followed by ahban.shiba on February 17, 2025. According to ExtensionTotal researcher Itay Kruk, the initial version of ahban.cychelloworld was clean, but malicious code was introduced in version 0.0.2 on November 24, 2024. Five further updates containing malicious payloads were subsequently pushed to users before Microsoft removed the extensions.
Ransomware Characteristics and Behavior
The malware displayed a simplified ransom demand: “Your files are encrypted. Pay 1 ShibaCoin to ShibaWallet to restore them.” Unlike mature ransomware strains, this variant lacked detailed payment instructions or a C2 communication channel — consistent with a proof-of-concept that had not yet reached full deployment.
Developers Who Installed Malicious VS Code Extensions from Marketplace
Any developer who installed ahban.shiba or ahban.cychelloworld from the VS Code Marketplace between October 2024 and early 2025 should treat their development machine as potentially compromised. The low reported install count (7–8 downloads) does not rule out broader exposure, as marketplace statistics can lag or be manipulated. Organizations using shared development environments or build servers where these extensions were installed face the highest risk.
What Developers and Security Teams Should Do
- Search all developer workstations and build servers for the extensions ahban.shiba and ahban.cychelloworld; uninstall immediately if found.
- Inspect the directory C:\users\%username%\Desktop\testShiba for encrypted files, and check PowerShell script block logs (Event ID 4104) for download-and-execute commands that reach out to AWS endpoints; correlate with proxy or firewall logs for the same hosts.
- Rotate all credentials, tokens, and API keys stored or accessible on affected machines.
- Enforce an organizational extension allowlist with the VS Code extensions.allowed setting, deployed through group policy or settings management so individual users cannot override it.
- Review how your organization vets extensions before they are approved for use, and subscribe to security notifications from the Microsoft Security Response Center for future marketplace threats.
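The checks above, combined into a triage script for a Windows developer workstation. This is an added example and not code from the ReversingLabs or ExtensionTotal research: the two extension IDs and the testShiba path are taken from the article, while the file locations, the event log query, the keyword patterns, and the reading of the extensions.allowed format are this editor's assumptions.

```powershell
# Added triage example (not from the original reports). Extension IDs and the testShiba
# path come from the article; paths, log queries and patterns below are assumptions.
$KnownBadExtensions = @('ahban.shiba', 'ahban.cychelloworld')

# VS Code keeps each installed extension in <publisher>.<name>-<version> under
# %USERPROFILE%\.vscode\extensions and lists them in extensions.json. Check both: a
# folder can outlive a failed uninstall, and the index is what VS Code still loads.
function Find-KnownBadExtensions {
    param([string]$ExtensionsRoot = (Join-Path $env:USERPROFILE '.vscode\extensions'))
    $hits = @()
    if (-not (Test-Path $ExtensionsRoot)) { return $hits }
    foreach ($dir in Get-ChildItem -Path $ExtensionsRoot -Directory) {
        # Cut at the first "-<digit>" to drop the version (and any platform suffix)
        $id = ($dir.Name -split '-(?=\d)', 2)[0].ToLower()
        if ($KnownBadExtensions -contains $id) {
            $hits += [pscustomobject]@{ Source = 'folder'; Id = $id; Path = $dir.FullName }
        }
    }
    $index = Join-Path $ExtensionsRoot 'extensions.json'
    if (Test-Path $index) {
        foreach ($entry in (Get-Content $index -Raw | ConvertFrom-Json)) {
            $id = "$($entry.identifier.id)".ToLower()
            if ($KnownBadExtensions -contains $id) {
                $hits += [pscustomobject]@{ Source = 'extensions.json'; Id = $id; Path = $entry.location.path }
            }
        }
    }
    return $hits
}

# The payload encrypted only C:\users\<username>\Desktop\testShiba; files in that folder on
# a machine that never created it deliberately mean the script ran.
function Get-TestShibaArtifacts {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Desktop\testShiba'))
    if (-not (Test-Path $Path)) { return @() }
    Get-ChildItem -Path $Path -File -Recurse -Force | Select-Object FullName, Length, LastWriteTime
}

# Script Block Logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational) records the
# de-obfuscated script text at compile time, so a download cradle fetching from an
# amazonaws.com host is visible even when the on-disk one-liner was obfuscated. Events only
# exist if Script Block Logging was enabled before the infection.
function Get-SuspiciousScriptBlocks {
    param(
        [datetime]$Since = (Get-Date).AddDays(-180),
        [string[]]$Patterns = @('amazonaws\.com', 'DownloadString', 'Invoke-Expression',
                                'FromBase64String', 'EncodedCommand', 'WindowStyle Hidden')
    )
    $regex = $Patterns -join '|'
    try {
        $events = Get-WinEvent -ErrorAction Stop -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
        }
    } catch {
        Write-Warning "4104 query failed or returned nothing: $($_.Exception.Message)"
        return @()
    }
    $events | Where-Object { $_.Message -match $regex } |
        Select-Object TimeCreated, @{ Name = 'Snippet'; Expression = {
            $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
}

# extensions.allowed (VS Code 1.96+): when present, only listed publishers ("microsoft": true)
# or extension IDs are installable. Read here from user settings; enterprise deployments
# should set it via policy so users cannot edit it. settings.json may contain comments, which
# ConvertFrom-Json on Windows PowerShell 5.1 rejects; PowerShell 7 accepts them.
function Test-ExtensionAllowlist {
    param([string]$SettingsPath = (Join-Path $env:APPDATA 'Code\User\settings.json'))
    $result = [pscustomobject]@{ Configured = $false; PermitsKnownBad = $false }
    if (-not (Test-Path $SettingsPath)) { return $result }
    $allowed = (Get-Content $SettingsPath -Raw | ConvertFrom-Json).'extensions.allowed'
    if ($null -eq $allowed) { return $result }
    $result.Configured = $true
    # The control is defeated if the publisher or either ID is explicitly set to true
    foreach ($id in $KnownBadExtensions) {
        if ($allowed.'ahban' -eq $true -or $allowed.$id -eq $true) { $result.PermitsKnownBad = $true }
    }
    return $result
}

$found     = @(Find-KnownBadExtensions)
$artifacts = @(Get-TestShibaArtifacts)
$blocks    = @(Get-SuspiciousScriptBlocks)
$allow     = Test-ExtensionAllowlist
"Known-bad extensions present : $($found.Count)"
"Files in testShiba           : $($artifacts.Count)"
"Suspicious 4104 script blocks: $($blocks.Count)"
"extensions.allowed configured: $($allow.Configured); permits ahban.*: $($allow.PermitsKnownBad)"
if ($found)  { $found  | Format-Table -AutoSize }
if ($blocks) { $blocks | Format-Table -Wrap }
```

Run it in the context of each developer account, not just the administrator's: the extensions directory, the Desktop path and the user settings file all live under the profile of whoever used VS Code. A hit from Find-KnownBadExtensions or a non-empty testShiba folder should trigger the credential rotation step regardless of what the 4104 query returns, since script block logging is frequently off on developer machines and its absence proves nothing.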
Security Implications for the VS Code Ecosystem
This incident highlights a systemic risk in extension marketplaces: malicious code can be introduced through post-publication updates, bypassing initial review. Microsoft’s delayed response — despite automated scans flagging the threat — demonstrates that low-install-count extensions receive lower scrutiny. Developers and security teams should treat any VS Code extension update as a potential supply chain risk and maintain regular audits of installed extensions across all development environments.