VS Code Marketplace Flaw Allows Attackers to Reuse Deleted Extension Names

Cybersecurity researchers at ReversingLabs have identified a critical loophole in the Visual Studio Code Marketplace that allows threat actors to republish malicious extensions under the names of previously deleted ones.

🔍 What was found?

  • Malicious extension “ahbanC.shiba” mimicked earlier flagged extensions (ahban.shiba, ahban.cychelloworld).
  • These acted as downloaders for ransomware payloads, encrypting files and demanding Shiba Inu tokens as ransom.
  • Although VS Code requires unique names, researchers discovered that deleted names become available for reuse by anyone.
  • Similar issues exist in PyPI, though PyPI restricts reuse of names linked to malicious packages — a safeguard missing in VS Code.

📌 Wider Impact

  • Leaked Black Basta chats show ransomware groups are actively targeting open-source registries.
  • ReversingLabs also identified 8 malicious npm packages delivering Chrome stealers via 70 layers of obfuscated code.
  • Stolen data includes passwords, credit cards, crypto wallets, and cookies.

⚠️ Why it matters
Open-source repositories are a growing attack surface:

  • Attackers exploit typosquatting, masquerading, and package reuse.
  • Risks extend to developers, enterprises, and end-users.

🔐 Recommendations

  • Organizations must enforce secure coding and dependency monitoring.
  • Adopt automated scanning and SBOM (software bill of materials) solutions.
  • Treat removed extensions and packages as potential attack vectors.
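One way to act on the last recommendation, as an added example that is not from the original article or from ReversingLabs: audit an installed-extension inventory for the flagged IDs named above and for same-name extensions under a lookalike publisher. It assumes the inventory is in the `publisher.name@version` format printed by `code --list-extensions --show-versions`; the function names, the 0.8 similarity threshold, and the sample inventory (including version numbers) are constructed for illustration.

```python
from difflib import SequenceMatcher

# Extension IDs this page names as previously flagged.
FLAGGED = ("ahban.shiba", "ahban.cychelloworld")


def parse_line(line):
    """Split one 'publisher.name@version' line into (publisher, name, version)."""
    ident, _, version = line.strip().partition("@")
    publisher, _, name = ident.partition(".")
    return publisher, name, version


def lookalike(a, b, threshold=0.8):
    """Case-insensitive similarity; 0.8 is an assumed, tunable threshold."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold


def audit(inventory_lines, flagged=FLAGGED):
    """Return (extension_id, reason) findings for an installed-extension list."""
    flagged_lower = {f.lower() for f in flagged}
    findings = []
    for line in inventory_lines:
        if not line.strip():
            continue
        pub, name, _ = parse_line(line)
        ext_id = f"{pub}.{name}"
        if ext_id.lower() in flagged_lower:
            # A removed name can be republished by anyone, so an exact hit is
            # not proof the original publisher is behind it.
            findings.append((ext_id, "flagged ID (name may have been reused)"))
            continue
        for f in flagged:
            fpub, fname = f.split(".", 1)
            # Same extension name under a near-identical publisher.
            if name.lower() == fname.lower() and lookalike(pub, fpub):
                findings.append((ext_id, f"lookalike of {f}"))
                break
    return findings


# Constructed sample in `code --list-extensions --show-versions` format.
SAMPLE = ["ms-python.python@2024.1.0", "ahbanC.shiba@0.0.1",
          "ahban.shiba@0.0.1", "example-publisher.shiba@1.0.0"]

if __name__ == "__main__":
    for ext_id, reason in audit(SAMPLE):
        print(f"{ext_id}: {reason}")
```

An unrelated publisher that happens to use the same extension name (the last sample entry) is not flagged; only exact flagged IDs and near-identical publishers are.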

At Alcaeus Services, we help organizations defend against supply chain attacks by securing open-source dependencies, automating vulnerability scanning, and ensuring full visibility across the software lifecycle.
