A malicious extension on the Visual Studio Code Marketplace targeted developers by impersonating a popular tool. On November 21, 2025, security researchers discovered an extension named “prettier-vscode-plus” that mimicked the legitimate Prettier code formatter in order to get developers to install it. The case is another instance of brandjacking malware inside software development ecosystems.
The extension operated as a brandjacking attack, trading on the popularity of the genuine Prettier extension to deceive users: a developer searching the marketplace for a formatter could easily mistake it for the real one. Checkmarx security researchers identified and reported the extension quickly, and it was removed from the marketplace within four hours of publication. Even in that short window it accrued six downloads and three installations.
Anivia Stealer Malware Discovered in Malicious VSCode Extension
Checkmarx security analysts found that “prettier-vscode-plus” deployed a variant of the Anivia Stealer malware, a credential-stealing tool that targets Windows systems. Its primary objective was to exfiltrate login credentials, metadata, and private communications, including WhatsApp chats. The goal was to compromise developer accounts and steal the authentication data those accounts hold, which in a developer's case often includes source-control tokens and cloud credentials.
Multi-Stage Attack Infrastructure and Evasion Tactics
The malware used a multi-stage deployment chain engineered to evade common security tools. In the first stage, the extension fetched the payload as a base64-encoded blob from a GitHub repository and wrote a VBScript file to the system's temporary directory; that script served as the execution bootstrap.
The VBScript then launched PowerShell. The PowerShell commands base64-decoded the blob and AES-decrypted it entirely in memory using the hard-coded key “AniviaCryptKey2024!32ByteKey!HXX” (32 characters, consistent with AES-256). Decrypting in memory means the decrypted payload never touches disk, which reduces the forensic artifacts available to endpoint security products. It does not hide the loader itself: a static key embedded in the script means an analyst who recovers the blob can decrypt it, and the PowerShell command line and script block logging still record the decode-and-load sequence.
In the final stage, the script called the .NET method System.Reflection.Assembly.Load (invoked from PowerShell as [Reflection.Assembly]::Load) to load the decrypted binary from memory, then called the entry point “Anivia.AniviaCRT” to activate the stealer's full functionality. The only notable disk activity across the whole chain was the VBScript bootstrap in the temporary directory.
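The three stages above leave a characteristic process chain: the VS Code host process starts a script host on a .vbs file in a temp directory, and that script host starts PowerShell with a command line that base64-decodes, AES-decrypts and reflectively loads an assembly. The following detection logic, an added example and not code from the Checkmarx report, runs that check over constructed, Sysmon-style process-creation records. The field names, the sample command lines and the parent process name Code.exe are assumptions; adapt them to your EDR's schema.

```python
"""Detect the VBScript -> PowerShell -> in-memory .NET loader chain in
process-creation telemetry.

Added example, not code from the original report. Events below are
constructed in a simplified Sysmon Event ID 1 shape; field names are
assumptions, and no real payload or key is included.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the started process
    parent_image: str   # full path of the parent process
    cmdline: str


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

# Stage 2: a script host executing a .vbs that lives in a temp directory.
TEMP_VBS = re.compile(r'\\(?:temp|tmp)\\[^"\s]+\.vbs\b', re.IGNORECASE)

# Stage 3: PowerShell that base64-decodes, AES-decrypts and reflectively loads.
# Two of the three together are rare in legitimate administration scripts.
POWERSHELL_INDICATORS = [
    re.compile(r"FromBase64String", re.IGNORECASE),
    re.compile(r"\bAes(?:CryptoServiceProvider|Managed)?\b", re.IGNORECASE),
    re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\b", re.IGNORECASE),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per event that matches a stage of the loader chain."""
    findings = []
    for ev in events:
        img = basename(ev.image)
        parent = basename(ev.parent_image)

        if img in SCRIPT_HOSTS and TEMP_VBS.search(ev.cmdline):
            # Severity rises when the editor itself spawned the script host,
            # which is how an extension-delivered bootstrap would appear.
            severity = "high" if parent == "code.exe" else "medium"
            findings.append({"pid": ev.pid, "rule": "script-host-from-temp-vbs",
                             "severity": severity})

        if img in POWERSHELL:
            matched = [p.pattern for p in POWERSHELL_INDICATORS if p.search(ev.cmdline)]
            if len(matched) >= 2:
                severity = "high" if parent in SCRIPT_HOSTS else "medium"
                findings.append({"pid": ev.pid, "rule": "in-memory-assembly-loader",
                                 "severity": severity, "indicators": matched})
    return findings


# Constructed sample telemetry: two events from the chain, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(4101, r"C:\Windows\System32\wscript.exe",
              r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              r'wscript.exe "C:\Users\dev\AppData\Local\Temp\update.vbs"'),
    ProcEvent(4102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe",
              'powershell.exe -NoP -W Hidden -c "$b=[Convert]::FromBase64String($d);'
              '$a=[System.Security.Cryptography.Aes]::Create();$a.Key=$k;'
              '$p=$a.CreateDecryptor().TransformFinalBlock($b,0,$b.Length);'
              '[Reflection.Assembly]::Load($p).EntryPoint.Invoke($null,$null)"'),
    ProcEvent(4103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r'powershell.exe -c "Get-ChildItem C:\Users\dev\Documents"'),
    ProcEvent(4104, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\userinit.exe",
              r"wscript.exe \\corp.example\SYSVOL\corp.example\scripts\logon.vbs"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The two rules are deliberately independent so that either stage is caught on its own; correlating them by parent process (the PowerShell event's parent is the flagged script host) is what turns two medium-confidence hits into one high-confidence incident. Enable PowerShell script block logging as well: the command line shown here is the short form, and a real loader may pull the same code from a file or an encoded argument that only script block logging captures.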
The malware also tried to avoid detonation in analysis sandboxes. Before running its payload it checked for a small CPU count and limited RAM, characteristics typical of virtualized detonation environments, and stayed dormant when it found them. Defenders who rely on automated detonation should make sure their sandboxes present realistic hardware profiles, since a sample that never detonates produces no verdict.
Taken together, the staged loader, in-memory decryption and reflective loading, and sandbox checks indicate that the operators behind this Anivia Stealer variant have considerable technical skill and designed the chain specifically to slip past endpoint detection and response (EDR) products. That makes it a significant risk to the software development community and the credentials developers hold.
The rapid detection and removal of this malicious extension are positive developments and show the value of researchers watching the marketplaces. The case is nonetheless a reminder that attackers target developers directly and that the software supply chain needs continuous security awareness and layered defenses. Before installing an extension, check the publisher identifier rather than just the display name (the genuine Prettier extension is published by esbenp as esbenp.prettier-vscode), be suspicious of near-duplicate names with tiny install counts, and keep endpoint security software up to date.
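The publisher-identifier check above can be automated against what is already installed: an extension whose name or display name closely resembles a trusted one but comes from a different publisher is the brandjacking pattern this article describes. The script below is an added example, not code from the report or from the Prettier project. It assumes the official Prettier ID esbenp.prettier-vscode and ms-python.python as trusted entries; the sample manifests are constructed, and “unknown-publisher” is a placeholder rather than the publisher of any real extension.

```python
"""Flag installed VS Code extensions that mimic a trusted extension's name
but come from a different publisher (brandjacking lookalikes).

Added example, not code from the original report. TRUSTED holds extension
IDs in "publisher.name" form as VS Code uses them; the sample manifests are
constructed and "unknown-publisher" is a placeholder.
"""
from __future__ import annotations

import json
from difflib import SequenceMatcher
from pathlib import Path

# Extensions you expect on developer machines, with their display names.
TRUSTED = {
    "esbenp.prettier-vscode": "Prettier - Code formatter",
    "ms-python.python": "Python",
}

SIMILARITY_THRESHOLD = 0.8


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio in [0, 1]."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_extension(manifest: dict) -> dict | None:
    """Return a finding if the manifest looks like a trusted extension but is not it."""
    publisher = manifest.get("publisher", "")
    name = manifest.get("name", "")
    display = manifest.get("displayName", "")
    ext_id = f"{publisher}.{name}"
    if ext_id in TRUSTED:
        return None  # exact publisher.name match: the genuine extension

    for trusted_id, trusted_display in TRUSTED.items():
        _, trusted_name = trusted_id.split(".", 1)
        name_sim = similarity(trusted_name, name)
        # A lookalike usually embeds the real name ("prettier-vscode-plus")
        # or differs from it by a few characters.
        name_hit = trusted_name in name.lower() or name_sim >= SIMILARITY_THRESHOLD
        display_hit = similarity(trusted_display, display) >= SIMILARITY_THRESHOLD
        if name_hit or display_hit:
            return {
                "extension": ext_id,
                "mimics": trusted_id,
                "reason": "name" if name_hit else "displayName",
                "name_similarity": round(name_sim, 2),
            }
    return None


def load_installed(extensions_root: Path) -> list[dict]:
    """Read package.json from each extension folder (e.g. ~/.vscode/extensions)."""
    manifests = []
    for pkg in extensions_root.glob("*/package.json"):
        try:
            manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
    return manifests


def audit(manifests: list[dict]) -> list[dict]:
    """Run check_extension over every manifest and keep the findings."""
    return [f for f in (check_extension(m) for m in manifests) if f]


# Constructed sample manifests, trimmed to the fields the check uses.
SAMPLE_MANIFESTS = [
    {"publisher": "esbenp", "name": "prettier-vscode", "displayName": "Prettier - Code formatter"},
    {"publisher": "unknown-publisher", "name": "prettier-vscode-plus", "displayName": "Prettier+ Code Formatter"},
    {"publisher": "ms-python", "name": "python", "displayName": "Python"},
    {"publisher": "example-corp", "name": "gitlens-lite", "displayName": "GitLens Lite"},
]

if __name__ == "__main__":
    # Replace SAMPLE_MANIFESTS with load_installed(Path.home() / ".vscode" / "extensions")
    # to audit a real workstation.
    for finding in audit(SAMPLE_MANIFESTS):
        print(finding)
```

The substring rule is intentionally aggressive and will flag legitimate extensions whose names contain a short trusted name (anything containing “python”, for example), so tune TRUSTED to the extensions your organisation actually standardises on and review findings rather than auto-uninstalling. For the marketplace side, the same comparison works on search results before installation: a near-identical name under a different publisher with single-digit installs is exactly what “prettier-vscode-plus” looked like.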

