
Ransomvibe

Ransomvibe is a ransomware-style malicious payload embedded in a Visual Studio Code extension discovered by Secure Annex. Researchers identified it in a malicious extension listed in the VS Code Marketplace under the names 'suspublisher18.susvsex' / 'suspicious VSX', published under a 'Suspicious publisher' alias. Upon activation, the extension executed a function named 'zipUploadAndEcnrypt', which performed ransomware-typical behaviour: file encryption and data exfiltration. The package was configured via package.json to activate broadly, including on installation or on any event, and extension.js contained hardcoded server URLs, encryption keys, command-and-control targets, and polling intervals.

Ransomvibe used a GitHub-based C2 model: it polled an index.html file in a private repository for commands and wrote results to requirements.txt, authenticating with a bundled GitHub Personal Access Token. The package also contained Python- and Node-based decryptors and a hardcoded decryption key, indicating low sophistication and possible test or proof-of-concept use. Researchers also noted signs of AI-generated code. The target directory for encryption was reportedly set to a test environment, but the extension could be updated or remotely controlled for broader impact.

Secure Annex reported that the package README and marketplace description openly described the malicious functionality, yet the extension still bypassed Microsoft's marketplace review process. Microsoft later removed it.

High-confidence indicators and artifacts mentioned in the reporting include the function name 'zipUploadAndEcnrypt', the malicious extension names 'suspublisher18.susvsex' / 'suspicious VSX', GitHub-based C2 using index.html and requirements.txt, bundled decryptors in Python and Node, and a hardcoded decryption key. Evidence from the exposed attacker environment pointed to a GitHub user in Baku, though attribution to a known threat actor was not established.
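
As a defender-side illustration of the traits described above, the following Python triage script is an added example; it is not tooling from Secure Annex, Mallory, or the extension itself. It parses a VS Code extension's package.json and main script and flags the indicators the reporting names: a catch-all activation event, the 'zipUploadAndEcnrypt' function name, a hardcoded GitHub token, and GitHub-hosted index.html / requirements.txt references. The sample manifest, sample script, token value and repository URL are constructed placeholders; the token prefix patterns (ghp_, github_pat_) are GitHub's published formats, and the default extensions directory used in the stand-alone run is an assumption about a typical install.

```python
import json
import re
from dataclasses import dataclass
from pathlib import Path

# GitHub's documented token prefixes: classic tokens (ghp_/gho_/ghu_/ghs_/ghr_)
# and fine-grained personal access tokens (github_pat_).
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{30,}|github_pat_[A-Za-z0-9_]{40,})\b"
)
# Heuristic for the Ransomvibe C2 channel: index.html (commands) or
# requirements.txt (results) fetched from a GitHub-hosted location.
GITHUB_C2_FILE_RE = re.compile(
    r"(?:github\.com|githubusercontent\.com)[^\s'\"]*/(?:index\.html|requirements\.txt)"
)
# Function name reported by Secure Annex (the misspelling is part of the indicator).
KNOWN_FUNCTION_NAME = "zipUploadAndEcnrypt"


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    detail: str


def triage_extension(package_json_text: str, main_script_text: str) -> list[Finding]:
    """Return findings for one extension given its manifest and main script text."""
    findings: list[Finding] = []
    manifest = json.loads(package_json_text)

    # "*" means "activate on any event", which lets a payload run regardless of
    # what the user does inside the editor.
    events = manifest.get("activationEvents", [])
    if "*" in events:
        findings.append(Finding("high", "activationEvents contains '*' (activates on any event)"))

    if KNOWN_FUNCTION_NAME in main_script_text:
        findings.append(Finding("high", f"known Ransomvibe function name {KNOWN_FUNCTION_NAME!r} present"))

    for match in GITHUB_TOKEN_RE.finditer(main_script_text):
        # Only the prefix is reported so findings can be shared without leaking the secret.
        findings.append(Finding("high", f"hardcoded GitHub token starting with {match.group()[:8]}..."))

    if GITHUB_C2_FILE_RE.search(main_script_text):
        findings.append(Finding("medium", "GitHub-hosted index.html / requirements.txt referenced (Ransomvibe-style C2 channel)"))

    return findings


def is_suspicious(findings: list[Finding]) -> bool:
    """An extension is worth pulling when at least one high-severity trait is present."""
    return any(f.severity == "high" for f in findings)


def triage_installed(extensions_dir: Path) -> dict[str, list[Finding]]:
    """Walk an extensions directory (assumed layout: <ext>/package.json plus its 'main' script)."""
    results: dict[str, list[Finding]] = {}
    for manifest_path in extensions_dir.glob("*/package.json"):
        manifest_text = manifest_path.read_text(encoding="utf-8", errors="replace")
        try:
            main_rel = json.loads(manifest_text).get("main", "./extension.js")
        except json.JSONDecodeError:
            continue
        main_path = manifest_path.parent / main_rel
        script_text = main_path.read_text(encoding="utf-8", errors="replace") if main_path.is_file() else ""
        results[manifest_path.parent.name] = triage_extension(manifest_text, script_text)
    return results


# Constructed sample that mirrors the traits in the write-up (not the real package).
SAMPLE_MANIFEST = json.dumps({
    "name": "example-ext", "publisher": "example-publisher",
    "activationEvents": ["*"], "main": "./extension.js",
})
SAMPLE_SCRIPT = '''
const TOKEN = "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE00";  // constructed placeholder value
const CMD_URL = "https://raw.githubusercontent.com/example-user/example-repo/main/index.html";
function zipUploadAndEcnrypt(dir) { /* body omitted */ }
'''
# Constructed benign sample: narrow activation, no secrets, no C2 references.
BENIGN_MANIFEST = json.dumps({"name": "hello", "activationEvents": ["onCommand:hello.sayHello"], "main": "./extension.js"})
BENIGN_SCRIPT = 'function activate(ctx) { console.log("hello"); }'

if __name__ == "__main__":
    for f in triage_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPT):
        print(f"[{f.severity}] {f.detail}")
    # Scan of the default user extensions directory (assumed path for a typical install).
    for name, fs in triage_installed(Path.home() / ".vscode" / "extensions").items():
        if is_suspicious(fs):
            print(name, [f.detail for f in fs])
```

The checks are deliberately content-based rather than name-based: an extension republished under a new publisher or identifier would still trip the catch-all activation, token and C2-file heuristics, whereas matching only on 'suspublisher18.susvsex' would not.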
