VS Code extensions contain trojan-laden fake image
Essential information
- Published: 11/12/2025 12:06
- Modified: 21/12/2025 18:58
- Tags: 2025-12-11 npm rust trojan vs code
- Related entities: 8 techniques (MITRE), 1 malware
Description
A malicious campaign involving 19 Visual Studio Code extensions has been uncovered that hides malware in the extensions' dependency folders. Active since February 2025, the campaign abuses a legitimate npm package to avoid detection and ships an archive of malicious binaries disguised as a PNG image. The attackers modified the popular 'path-is-absolute' package, adding malicious files that are present only when the package is installed through the compromised extensions. The malware is activated when VS Code starts: it decodes a JavaScript dropper and executes two malicious binaries using a living-off-the-land binary. The attack shows how threat actors' techniques are evolving, targeting the VS Code Marketplace and exploiting trusted components to evade detection.
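A defender-side check for the disguise described above, as an added example that is not part of the original report: it walks an extensions directory and flags any .png file under node_modules whose header is not a PNG signature. The directory layout and the file names logo.png and banner.png are constructed sample data, and the list of alternative file signatures is an assumption, since the report does not say which archive format was used.

```python
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Leading bytes of formats a fake image could really be (assumed list).
KNOWN_MAGIC = [
    (b"PK\x03\x04", "zip archive"),
    (b"\x1f\x8b", "gzip stream"),
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
]

def classify(header):
    """Return 'png' for a real PNG header, else a guess at the true type."""
    if header.startswith(PNG_MAGIC):
        return "png"
    for magic, name in KNOWN_MAGIC:
        if header.startswith(magic):
            return name
    return "unknown (not a PNG)"

def find_disguised_images(extensions_root):
    """List (relative path, real type) for non-PNG *.png files in node_modules."""
    findings = []
    for dirpath, _dirs, files in os.walk(extensions_root):
        if "node_modules" not in dirpath.split(os.sep):
            continue  # the campaign hid its payload in dependency folders
        for name in (f for f in files if f.lower().endswith(".png")):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify(fh.read(8))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if kind != "png":
                findings.append((os.path.relpath(path, extensions_root), kind))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: one genuine PNG header, one ZIP renamed to .png."""
    dep = os.path.join(root, "publisher.ext-1.0.0", "node_modules", "path-is-absolute")
    os.makedirs(dep)
    for name, head in (("logo.png", PNG_MAGIC), ("banner.png", b"PK\x03\x04")):
        with open(os.path.join(dep, name), "wb") as fh:
            fh.write(head + b"\x00" * 16)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_disguised_images(tmp))
```

To scan a real installation, pass the VS Code extensions directory (by default ~/.vscode/extensions) to find_disguised_images; any hit is a file to triage, not proof of compromise.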