While Microsoft has been busy promoting its AI tools, hackers were quietly slipping ransomware into the VSCode Marketplace. Security researchers recently uncovered two malicious extensions – “ahban.shiba” and “ahban.cychelloworld” – that managed to evade detection for months. Great job, security team.
The extensions, uploaded on October 27, 2024, and February 17, 2025, were downloaded a combined 15 times before removal. Not exactly viral, but enough to cause damage. They worked by executing a PowerShell script that downloaded ransomware code targeting specific directories on victims’ machines. The ransomware specifically targeted files in C:\users\%username%\Desktop\testShiba. Once active, the ransomware encrypted files and demanded payment of “1 ShibaCoin” – with zero instructions on how to actually pay. Amateur hour, apparently.
Microsoft’s response? Remove the extensions and apologize. They admitted to “gaps” in their review process – corporate speak for “we messed up.” Funny how they can build fancy AI assistants but can’t spot basic malware in their own marketplace.
Microsoft can build AI tools that change the world but can’t detect ransomware hiding in plain sight.
This isn’t Microsoft’s first rodeo with malicious extensions. The past year has seen multiple instances of extensions stealing sensitive information or serving as downloaders for more dangerous payloads. The pattern is clear. The vigilance is not.
The incident exposes critical vulnerabilities in Microsoft’s ecosystem. Developers install extensions with blind trust, assuming the marketplace’s gatekeepers are doing their job. They’re not. This issue is compounded by VSCode’s lack of permission management for installed extensions. These attacks mimic techniques seen with npm packages, showing how attackers are adapting their strategies across different platforms. Small businesses are especially vulnerable, with zero trust architecture becoming increasingly essential for protection against such supply chain attacks.
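Since VSCode gives no per-extension permission view, a local audit of what is already installed is one practical check. The following is an added example, not code from the researchers or from Microsoft: it reads each extension's `package.json`, flags the two IDs named above, and flags any extension whose JavaScript references both `child_process` and PowerShell. The keyword heuristic, the `acme.*` sample extensions and the function names are assumptions made for illustration.

```python
import json
import re
from pathlib import Path

KNOWN_BAD = {"ahban.shiba", "ahban.cychelloworld"}  # IDs named in the article
POWERSHELL = re.compile(r"powershell|pwsh", re.IGNORECASE)  # heuristic (assumption)

def extension_id(ext_dir):
    """Return 'publisher.name' from the extension's package.json, or None."""
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{manifest['publisher']}.{manifest['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        return None

def audit(extensions_root):
    """Map extension ID -> findings for each flagged extension folder."""
    findings = {}
    for ext_dir in sorted(p for p in Path(extensions_root).iterdir() if p.is_dir()):
        ext_id = extension_id(ext_dir)
        if ext_id is None:
            continue
        notes = ["known-malicious ID"] if ext_id in KNOWN_BAD else []
        for js in sorted(f for f in ext_dir.rglob("*.js") if f.is_file()):
            text = js.read_text(encoding="utf-8", errors="ignore")
            if "child_process" in text and POWERSHELL.search(text):
                notes.append(f"references child_process and PowerShell: {js.name}")
        if notes:
            findings[ext_id] = notes
    return findings

def constructed_sample(root):
    """Write a constructed (fake) extensions tree; 'acme.*' IDs are made up."""
    samples = {
        "ahban.shiba": "console.log('hello')",
        "acme.runner": "require('child_process').exec('powershell -File x.ps1')",
        "acme.theme": "module.exports = {}",
    }
    for ext, code in samples.items():
        ext_dir = Path(root) / f"{ext}-1.0.0"
        ext_dir.mkdir(parents=True)
        publisher, name = ext.split(".")
        manifest = {"publisher": publisher, "name": name, "version": "1.0.0"}
        (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        (ext_dir / "extension.js").write_text(code, encoding="utf-8")
    return Path(root)

if __name__ == "__main__":
    for ext_id, notes in audit(Path.home() / ".vscode" / "extensions").items():
        print(ext_id, "->", "; ".join(notes))
```

A PowerShell reference is only a prompt for manual review, since legitimate extensions also launch shells; a match on a known-bad ID is the signal that warrants immediate removal.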
For Microsoft, this represents yet another blow to their security reputation. While they’re promising improved scanners and better investigation processes, their track record doesn’t inspire confidence. The VSCode Marketplace is becoming an attractive target for malicious actors, joining the growing list of software supply chain vulnerabilities.
Small extensions, big problems. Microsoft needs to do better. Developers deserve better protection than “oops, we’ll try harder next time.”