Critical Flaw in VS Code Marketplace Puts Developers at Risk
Experts at ReversingLabs have uncovered a critical loophole in the VS Code Marketplace. The platform allows new extensions to be published under the same names previously used by other packages, provided those packages were deleted rather than unlisted. Malicious actors are exploiting this gap to disguise harmful code under the names of once-popular extensions, posing a significant threat to the entire software supply chain.
The investigation was prompted by a campaign first observed in March 2025, when malicious extensions ahban.shiba and ahban.cychelloworld were discovered delivering a second-stage payload. At the time, this payload was an early version of ransomware that operated on a test folder on the desktop. Though these extensions were removed, a new one — ahbanC.shiba — appeared in June, reusing the familiar shiba name but under a different publisher. It exhibited the same malicious behavior, including downloading scripts from an external server and encrypting files, though no cryptocurrency wallet for ransom payment was provided.
According to VS Code Marketplace documentation, each extension must have a unique name. However, when an extension is deleted (as opposed to merely unlisted), its name becomes available for reuse. One striking example was the reappearance of the name Solidity-Ethereum, previously associated with malware.
The flaw lies in how the platform handles extension identifiers. In VS Code, each extension is tied to a unique ID in the format <publisher>.<name>. While the system tracks IDs, it does not preserve the deletion history of names. Thus, once an extension is deleted, the associated name becomes free for re-registration. This creates an exploitable window: attackers simply wait for an author to delete an extension and then claim the abandoned name to distribute malicious code.
Such attacks are particularly dangerous when they mimic well-known tools that have already been referenced in documentation or earned a strong reputation. Developers may overlook the substitution if they trust the name, especially when using automated dependency installation processes.
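A defender-side check built on the identifier scheme described above, added here as an example and not taken from the ReversingLabs report: it parses the `publisher.name@version` lines printed by `code --list-extensions --show-versions` and flags any installed extension whose name matches a previously vetted entry but now sits under a different publisher (the ahban.shiba to ahbanC.shiba pattern), along with extensions that were never vetted. The baseline and the installed-extension lines are constructed sample data, and the case-insensitive comparison assumes VS Code's case-insensitive handling of extension IDs.

```python
from dataclasses import dataclass

# Baseline recorded when the extensions were vetted (constructed sample):
# extension name -> publisher that was trusted for that name.
BASELINE = {
    "shiba": "ahban",
    "cychelloworld": "ahban",
    "examplelinter": "exampleorg",
}

# Constructed sample output of `code --list-extensions --show-versions`
# (one `publisher.name@version` line per installed extension).
INSTALLED = """\
ahbanC.shiba@0.0.5
exampleorg.examplelinter@1.2.0
otherorg.newtool@2.0.0
"""

@dataclass(frozen=True)
class Finding:
    extension_id: str
    reason: str

def parse_extension_line(line: str) -> tuple[str, str, str]:
    """Split 'publisher.name@version' into (publisher, name, version)."""
    ident, _, version = line.strip().partition("@")
    publisher, _, name = ident.partition(".")
    if not publisher or not name:
        raise ValueError(f"malformed extension id: {line!r}")
    return publisher, name, version

def audit(installed: str, baseline: dict[str, str]) -> list[Finding]:
    """Flag installed extensions whose name is vetted but whose publisher
    differs from the vetted one, plus extensions never vetted at all.
    Comparison is case-insensitive (assumed to match how VS Code compares IDs)."""
    base = {n.lower(): p.lower() for n, p in baseline.items()}
    findings = []
    for line in filter(str.strip, installed.splitlines()):
        publisher, name, _ = parse_extension_line(line)
        ext_id = f"{publisher}.{name}"
        expected = base.get(name.lower())
        if expected is None:
            findings.append(Finding(ext_id, "not in vetted baseline"))
        elif expected != publisher.lower():
            findings.append(Finding(
                ext_id, "name reused by a different publisher "
                        f"(vetted: {expected}.{name.lower()})"))
    return findings
```

Running `audit` against a real `code --list-extensions --show-versions` listing, with the baseline kept in version control next to the project's recommended extensions, turns a silent name takeover into a visible diff.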
A similar tactic has been observed in other ecosystems. In 2023, PyPI suffered an attack in which the previously deleted package termcolour was reused to distribute malware. Following that incident, PyPI administrators began blocking the reuse of names linked to malicious packages. By contrast, the VS Code Marketplace has yet to implement a comparable safeguard.
The timeline of the shiba campaign reveals that the first malicious versions appeared in October 2024, the last update occurred in March 2025, and by March 24 a new version with a different ID but the same name was uploaded. In June, it was unlisted (but not deleted), meaning it could still be restored at any time.
These findings highlight how vulnerable even official extension platforms remain. Despite safeguards such as review processes and moderation, the ability to reuse names of deleted packages continues to represent a severe security gap. ReversingLabs urges developers to exercise caution when selecting extensions — particularly those recently published or reappearing under previously trusted names.