A sophisticated supply chain attack has been uncovered, leveraging a malicious Visual Studio Code (VSCode) extension to distribute potent malware. The rogue extension, disguised as a legitimate code formatter, served as the entry point for deploying the Anivia loader and the OctoRAT remote access tool directly onto developers’ systems.
Security researchers from Hunt.io identified the threat after observing suspicious VBScript downloads originating from a GitHub repository. This repository, named ‘vscode’ and associated with the account ‘biwwwwwwwwwww,’ housed the malicious scripts that were pulled by the fake extension, identified as ‘prettier-vscode-plus.’ The extension, which briefly appeared in the official VSCode Marketplace before being removed, posed a significant risk to developers by integrating malware delivery into their daily coding workflows.
Infection Chain and Anivia Loader Behavior
The attack commences with the installation of the malicious VSCode extension. Once the developer opens a project, the extension clandestinely fetches an obfuscated VBScript file from the compromised GitHub repository. This VBScript acts as the initial dropper, initiating a multi-stage infection process.
This first-stage script is designed to operate stealthily. It creates a randomly named PowerShell script in the user’s temporary folder and writes the malicious loader code into it. It then launches that PowerShell loader with flags that bypass the execution policy and hide the console window, so it runs without user interaction or any visible window. This lets the malware run in the background, unnoticed by the targeted developer.
The PowerShell loader decrypts an embedded payload (AES-256 in CBC mode) and executes the result directly in memory, a common tactic of advanced malware for evading antivirus products that rely on scanning files on disk. The Anivia loader then takes over: it carries its own encrypted payload in a byte array and uses a hard-coded key to decrypt it into a portable executable, the next critical component of the attack chain.
For further stealth and to bypass endpoint security measures, the Anivia loader employs a technique known as process hollowing. It injects the decrypted portable executable into a legitimate and trusted process, such as vbc.exe. This makes the malicious activity appear as part of normal system operations, making it significantly harder for security tools to flag it as suspicious.
Once successfully injected, the final payload, OctoRAT, becomes active. This potent remote access trojan then establishes persistence on the compromised system by creating a scheduled task named “WindowsUpdate,” configured to run at minute intervals. This ensures that OctoRAT can restart and maintain its presence even after the system is rebooted. Finally, OctoRAT opens an encrypted command channel to attacker-controlled servers, allowing threat actors to remotely control the infected developer’s machine.
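The chain described above leaves several process-level traces a defender can look for: a script host launching a hidden, policy-bypassing PowerShell from the temp folder, PowerShell spawning vbc.exe, and a minute-interval scheduled task called “WindowsUpdate”. The following detection logic over constructed Sysmon-style process-creation records is an added illustration, not code from Hunt.io or from the malware; the rule names, sample paths and the assumption that the task is registered via schtasks.exe are the author’s own.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str    # parent image path
    image: str     # child image path
    cmdline: str   # child command line

# Constructed sample events (Sysmon Event ID 1 style); paths and names are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
              r"-File C:\Users\dev\AppData\Local\Temp\a8f3k2.ps1"),
    ProcEvent(PS, VBC, "vbc.exe"),
    ProcEvent(VBC, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC MINUTE /MO 1 /TN "WindowsUpdate" /TR C:\Users\dev\AppData\Local\Temp\upd.exe /F'),
    ProcEvent(r"C:\Program Files\Microsoft VS Code\Code.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c npm run build"),  # benign build step
]

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of detection rules the event matches (empty list = nothing suspicious)."""
    hits = []
    parent, image, cmd = _base(ev.parent), _base(ev.image), ev.cmdline.lower()
    # Rule 1: script host -> hidden, execution-policy-bypassing PowerShell reading a script from %TEMP%
    if parent in ("wscript.exe", "cscript.exe") and image == "powershell.exe":
        if re.search(r"-(ep|executionpolicy)\s+bypass", cmd) and "windowstyle hidden" in cmd and "\\temp\\" in cmd:
            hits.append("hidden_bypass_powershell_from_script_host")
    # Rule 2: PowerShell spawning the .NET compiler, the hollowing host named in the report; rarely legitimate
    if parent == "powershell.exe" and image == "vbc.exe":
        hits.append("powershell_spawns_vbc")
    # Rule 3: minute-interval task named WindowsUpdate (assumes registration through schtasks.exe)
    if image == "schtasks.exe" and "/create" in cmd and "/sc minute" in cmd \
            and re.search(r'/tn\s+"?windowsupdate"?', cmd):
        hits.append("windowsupdate_minute_task")
    return hits

def scan(events):
    """Map event index -> matched rules, keeping only events that triggered something."""
    results = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results[i] = hits
    return results
```

Run against real telemetry, each rule should be tuned separately: rule 2 alone is the strongest signal, while rule 1 can fire on badly written but legitimate automation.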
The capabilities of OctoRAT are extensive, enabling attackers to execute arbitrary commands, steal sensitive data from browsers and cryptocurrency wallets, and gain full remote desktop control. While the fake extension reportedly had a limited number of installations, the high-value nature of the targeted developers—who possess access to valuable source code and production systems—makes this a particularly concerning threat. The effective combination of a disguised extension, a stealthy loader, and a powerful RAT demonstrates a significant advancement in malicious actors’ methods for infiltrating developer environments and compromising critical infrastructure.
Investigations into this supply chain attack are ongoing, with security researchers continuing to monitor the activities of the identified threat actors and their infrastructure. The swift removal of the malicious extension from the VSCode Marketplace highlights the rapid response capabilities of platform vendors, but the potential for similar attacks remains a persistent concern for the software development community.