At the end of November, a team of bug hunters uncovered an infection chain that began with a seemingly harmless GitHub repository. Masquerading as a Visual Studio Code project, it concealed VBScript files linked to the Anivia loader and the multifunctional remote-access tool OctoRAT. Investigators determined that the malicious chain was being propagated through a counterfeit VSCode extension capable of silently executing multiple stages of harmful code.
According to Checkmarx Zero, on 21 November an extension titled “prettier-vscode-plus” appeared in the official Visual Studio Code marketplace, posing as the popular Prettier code formatter. It managed to accrue only a handful of downloads, yet that was enough to trigger a multistage compromise. The extension delivered a VBScript file, which deployed a PowerShell component containing AES-encrypted data. From there, the Anivia loader executed, using process hollowing and covert payload decryption, ultimately delivering OctoRAT onto the system.
The team traced activity within a GitHub repository operated under the name biwwwwwwwwwww, where new variants of the VBS scripts were uploaded and deleted on a rolling basis — a tactic designed to evade static signatures. The files were uploaded through GitHub’s web interface, minimizing technical artifacts and reducing attribution risk. This approach allowed the attacker to rapidly rotate payloads while preserving the overall attack vector.
Analysis by Hunt.io revealed that Anivia injected its decrypted binary into the legitimate process vbc.exe, complicating detection. The next stage was OctoRAT — an advanced remote-administration toolkit capable of collecting system information, stealing browser credentials, accessing cryptocurrency wallets, and establishing persistence via the Task Scheduler. OctoRAT supports dozens of commands, including service manipulation, registry operations, proxy channel creation, and the disabling of Windows security mechanisms.
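As an added example (not code from the article or from the researchers it cites), the following Python reconstructs process ancestry from constructed Sysmon-style process-creation events and flags any vbc.exe whose lineage runs script host -> PowerShell -> vbc.exe, the chain described above. It assumes the VBScript stage runs under wscript.exe or cscript.exe and that the chain is rooted in the VS Code process (code.exe); the article states neither.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # lower-cased executable name, e.g. "wscript.exe"

# Stage markers in the order the article describes. Assumed (not stated in the
# article): the extension's VBScript runs under wscript.exe/cscript.exe.
VBS_HOSTS = {"wscript.exe", "cscript.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
HOLLOW_TARGET = "vbc.exe"  # legitimate host the article says Anivia injects into

def ancestry(events, pid):
    """Image names from the given process up through its ancestors."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against pid-reuse cycles in the sample
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def flag_chains(events):
    """Ancestry of every vbc.exe whose lineage matches script host -> PowerShell -> vbc.exe."""
    hits = []
    for e in events:
        if e.image != HOLLOW_TARGET:
            continue
        lineage = ancestry(events, e.pid)
        # Find the nearest PowerShell ancestor, then require a script host above it.
        ps_idx = next((i for i, img in enumerate(lineage) if img in PS_HOSTS), None)
        if ps_idx is not None and any(img in VBS_HOSTS for img in lineage[ps_idx + 1:]):
            hits.append(lineage)
    return hits

# Constructed sample events: one chain rooted in VS Code (assumed parent, code.exe)
# and one benign vbc.exe spawned by MSBuild during a normal compile.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "code.exe"),
    ProcEvent(300, 200, "wscript.exe"),
    ProcEvent(400, 300, "powershell.exe"),
    ProcEvent(500, 400, "vbc.exe"),
    ProcEvent(600, 100, "msbuild.exe"),
    ProcEvent(700, 600, "vbc.exe"),
]
```

The benign MSBuild-spawned vbc.exe is deliberately included so the rule keys on lineage rather than on the image name alone, which is what keeps it usable on developer workstations where vbc.exe runs legitimately.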
Researchers devoted particular attention to OctoRAT’s command-and-control infrastructure. Internet scanning uncovered control panels masquerading as “OctoRAT Center.” Repeated HTML characteristics helped identify at least seven active servers. Further pivoting through X.509 certificates exposed a broad constellation of nodes tied to a single operator across multiple European hosting providers, underscoring the depth and sprawl of the infrastructure.
The events surrounding these malicious VSCode extensions highlight the growing interest of threat actors in developer-focused supply chains. Rapid payload rotation, adept abuse of system processes, and stealthy privilege-escalation methods illustrate a broader trend: attacks are becoming quieter, more intricate, and increasingly aimed at those with access to critical systems and source code.