{
  "name": "VS Code extensions contain trojan-laden fake image",
  "slug": "vs-code-extensions-contain-trojan-laden-fake-image",
  "description": "A malicious campaign involving 19 Visual Studio Code extensions has been uncovered, hiding malware in dependency folders. Active since February 2025, the campaign abuses a legitimate npm package to avoid detection and crafts an archive containing malicious binaries disguised as a PNG image. The attackers modified the popular 'path-is-absolute' package, adding malicious files that are only present when installed through the compromised extensions. The malware is activated when VS Code starts, decoding a JavaScript dropper and executing two malicious binaries using a living-off-the-land binary. This sophisticated attack demonstrates the evolving techniques of threat actors, targeting the VS Code Marketplace and exploiting trusted components to evade detection.",
  "published": "2025-12-11T11:06:21+00:00",
  "created_at": "2025-12-11T11:06:21+00:00",
  "modified_at": "2025-12-21T17:58:23+00:00",
  "created_at_opencti": "2025-12-11T11:06:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-11",
    "npm",
    "rust trojan",
    "vs code"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:d19722e2836921fa",
        "name": "Rust trojan",
        "slug": "rust-trojan"
      }
    ],
    "attack_patterns": [
      {
        "id": "f32c7a65-b5a5-46ec-a8c7-d06ca5d27380",
        "name": "T1553.005"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "6a495275-5433-4b64-90e5-18b9f07296da",
        "name": "T1072"
      }
    ]
  },
  "external_refs": [
    "https://www.reversinglabs.com/blog/malicious-vs-code-fake-image",
    "https://otx.alienvault.com/pulse/693ab3bdc362cbadf7dbb34f"
  ]
}