A published VS Code extension didn't hide the fact that it encrypts and exfiltrates data and also failed to remove obvious signs it was AI-generated.
November 7, 2025

The threat actor skill floor may soon drop, as vibe-coded ransomware has seemingly been published as an extension for Microsoft's AI code editor Visual Studio Code (VS Code).

John Tuckner, founder of software extension management provider Secure Annex, published a research blog post on Nov. 4 describing what he referred to as "ransomvibing," or vibe-coded ransomware. The subject was an extension published to the Visual Studio Marketplace that, unusually, does not appear to hide the fact that it encrypts and exfiltrates data. The extension, Tuckner wrote, "shows obvious signs of it being vibe coded."

Vibe coding, the practice of using natural language to instruct an AI model to generate software code, quickly became a prominent use case for LLMs. Given how prolific AI-generated code is in legitimate organizations, it stands to reason that threat actors would follow suit sooner or later. Threat actors have already leveraged AI for malware and phishing email generation, but top-to-bottom vibe-coded ransomware is unusual, if not mostly unheard of. That said, New York University's Tandon School of Engineering recently made an AI ransomware proof-of-concept that was later dubbed "PromptLock" by researchers.
Although this malicious extension, published under the name "susvsex," is a crude example, it raises the question of how far the concept of "AI-generated ransomware" can be pushed.

The susvsex extension's listing on the VS Marketplace (now removed) is remarkably blatant, advertising in its description that it "automatically zips, uploads, and encrypts files" to a remote command-and-control (C2) server. The extension was also published by "suspublisher18," presumably short for "suspicious publisher."

The ransomware performs many of the functions common to ransomware and pure data extortion attacks, Tuckner observed, though the extension had several giveaways that it was most likely AI-generated. At the code level, Tuckner noted the extensive use of comments (a telltale sign of AI code) and certain decisions that would appear nonsensical to a typical ransomware actor. For example, Tuckner noted that "conveniently for potential victims, the extension includes the hardcoded decryption key as well as two different vibe coded decryptors — Python and Node versions."

Once files are encrypted, the extension sets up a private C2 channel in the form of a private GitHub repository. "The extension will periodically check the repository for new commits and commands from index.html," Tuckner wrote. "Kindly, there was a lot of effort put in to logging each step of the C2 execution making it easy to follow along (another great sign this malware was crafted using AI)."

As the malicious extension was published so blatantly, Dark Reading asked Tuckner how he thought it was published in the first place. In an email, he explains it's likely an amateur "playing around" to see if they can get ransomware published on a Microsoft-hosted marketplace.
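The traits Tuckner describes (a listing description that openly advertises zipping, uploading and encrypting files, a hardcoded key in the source, and periodic polling of a GitHub repository for commands) are the kind of signals a defender can screen locally installed extensions for rather than relying on marketplace moderation alone. The following Python triage script is an added example written for this article; it is not code from Secure Annex's research or from the susvsex extension. The manifest and source snippet it scores are constructed stand-ins modelled on the article's description, the publisher and repository names in them are placeholders, and the review threshold is an assumption.

```python
import json
import re
from pathlib import Path

# Constructed sample manifest and source, modelled on the traits described in the
# article. These are NOT the real susvsex files; all names are placeholders.
SAMPLE_MANIFEST = {
    "name": "helper-sync",
    "publisher": "example-publisher-placeholder",
    "description": "Automatically zips, uploads, and encrypts files to a remote server",
    "activationEvents": ["*"],
    "main": "./extension.js",
}
SAMPLE_SOURCE = """
const fs = require('fs');
const crypto = require('crypto');
const { execSync } = require('child_process');
// Poll the private repository for new commits carrying commands
const C2 = 'https://api.github.com/repos/example-placeholder/cmds/commits';
const KEY = Buffer.from('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef', 'hex');
setInterval(poll, 60000);
"""

# Words in a listing description that warrant a closer look. A legitimate backup
# tool may use some of them, so these raise a flag rather than a verdict.
DESCRIPTION_TERMS = ("encrypt", "exfil", "upload", "zip", "command and control", "c2")

# Static indicators in the extension's main script. Each is benign on its own;
# several together on an extension from an unknown publisher is what matters.
SOURCE_INDICATORS = {
    "contacts GitHub API": re.compile(r"api\.github\.com", re.I),
    "periodic polling": re.compile(r"setInterval\s*\("),
    "spawns child processes": re.compile(r"require\(['\"]child_process['\"]\)"),
    "hardcoded hex key": re.compile(r"(?:KEY|SECRET)\s*=.*?['\"][0-9a-f]{32,}['\"]", re.I),
}

REVIEW_THRESHOLD = 3  # assumption: three or more findings means a human should look


def triage(manifest: dict, source: str) -> dict:
    """Score one extension from its package.json and its main script."""
    findings = []
    desc = manifest.get("description", "").lower()
    hits = [term for term in DESCRIPTION_TERMS if term in desc]
    if hits:
        findings.append("description mentions " + ", ".join(hits))
    # "*" activation is legitimate for some extensions, but it means the code
    # runs on every editor start, which is what a dropper wants.
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates on every startup")
    for label, pattern in SOURCE_INDICATORS.items():
        if pattern.search(source):
            findings.append(label)
    # File-system access plus cryptography in one script is the ransomware shape.
    if re.search(r"require\(['\"]fs['\"]\)", source) and re.search(r"require\(['\"]crypto['\"]\)", source):
        findings.append("loads fs and crypto together")
    return {
        "name": f'{manifest.get("publisher", "?")}.{manifest.get("name", "?")}',
        "score": len(findings),
        "findings": findings,
        "verdict": "review" if len(findings) >= REVIEW_THRESHOLD else "low",
    }


def triage_installed(ext_root: Path = Path.home() / ".vscode" / "extensions") -> list:
    """Walk a VS Code extensions directory and triage every extension found."""
    results = []
    for pkg in ext_root.glob("*/package.json"):
        try:
            manifest = json.loads(pkg.read_text(encoding="utf-8", errors="replace"))
        except json.JSONDecodeError:
            continue
        main = pkg.parent / manifest.get("main", "extension.js")
        source = main.read_text(encoding="utf-8", errors="replace") if main.is_file() else ""
        results.append(triage(manifest, source))
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE), indent=2))
    for result in triage_installed():
        print(result["verdict"], result["score"], result["name"], "; ".join(result["findings"]))
```

Run without arguments it scores the constructed sample and then walks the default user extensions directory, printing the highest-scoring extensions first. The checks are deliberately coarse string matches on the manifest and the entry script; an extension that splits its logic across bundled modules or obfuscates strings will score lower, so treat a low score as "nothing obvious" rather than "clean."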
"It does make me worry that this type of behavior might become hobbyist in nature," Tuckner says.

This example of vibe-coded ransomware is so rough, and the concept so nascent, that it is not easy to offer guidance or countermeasures beyond typical security best practices. If there is one takeaway, it may be one Tuckner raises in email as well as in his research: How was an extension this blatantly malicious published to the VS Code marketplace?

"I'm incredibly worried about the amount of care Microsoft puts into the Visual Studio Marketplace moderation. This was a brazen piece of malware which should have been caught by any number of checks," Tuckner says. "I reported it through two channels, the 'Report a concern' email listed on the marketplace page and through [Microsoft Security Response Center]. The MSRC submission was determined out of scope and closed. The Marketplace Support requested more information before following up later with a removal notice."

Tuckner adds that he's most worried about the advent of more sophisticated ransomware, possibly supported by AI, which will make "its way into a trusted Microsoft distribution channel and be able to make an impact with as little as one click or through an auto update of an extension."

"We appreciate Secure Annex for responsibly reporting this issue," a Microsoft spokesperson tells Dark Reading. "We investigated and have removed the extension."
The spokesperson adds that every extension page includes a "Report abuse" link, that Microsoft investigates all reports of abuse, and that the Marketplace can be fully blocked at the firewall level if desired.

"When a malicious extension is reported and verified, or a vulnerability is found in an extension dependency," the spokesperson adds, "the extension is removed from the Marketplace, added to a block list, and automatically uninstalled by VS Code."

Alexander Culafi
Senior News Writer, Dark Reading

Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.