A harmful malware marketing campaign has focused 1000’s of builders by a pretend extension on the Visible Studio Code Market.
On November 21, 2025, safety researchers found a malicious extension named “prettier-vscode-plus” designed to trick builders into putting in it by mimicking the professional Prettier code formatter.
The extension exploited model recognition and focused builders looking for formatting instruments, posing a severe menace to the event neighborhood.
The malicious extension operated as a brandjacking assault, utilizing an almost equivalent title and look to the real Prettier extension to deceive customers into downloading it.
The sort of assault is especially efficient as a result of builders usually belief common extensions they acknowledge.
Checkmarx safety researchers recognized and reported the extension shortly, resulting in its elimination inside 4 hours of publication.
Regardless of the speedy response, the extension managed to build up six downloads and three installations earlier than being taken down from {the marketplace}.
Checkmarx safety analysts recognized that the extension deployed a variant of the Anivia Stealer malware, a credential-stealing instrument designed to reap delicate info from Home windows techniques.
The malware particularly focused login credentials, metadata, and personal communications, together with WhatsApp chats.
This discovery revealed a classy and well-coordinated assault aimed toward compromising developer accounts and stealing helpful authentication knowledge.
Multi-Stage Assault Infrastructure and Evasion Techniques
The malware employed a multi-stage deployment course of designed to evade detection by frequent safety instruments. The primary stage concerned buying payload knowledge as a base64-encoded blob from a GitHub repository, then writing VBScript code to the system’s momentary listing for execution.
The VBS script functioned as a bootstrap mechanism, triggering PowerShell instructions that decrypted the blob utilizing an AES encryption key (AniviaCryptKey2024!32ByteKey!HXX) straight in reminiscence with out writing recordsdata to disk.
This method considerably decreased detectable forensic artifacts, making the assault tougher for endpoint safety techniques to trace.
The ultimate stage employed Reflection.AssemblyLoad to execute the decrypted binary from reminiscence, calling the entry level “Anivia.AniviaCRT” to activate the stealer performance.
This system left minimal proof of an infection, with momentary file presence being the one notable disk exercise. Moreover, the malware carried out superior evasion strategies by detecting sandbox environments, checking for small CPU counts and restricted RAM availability to keep away from triggering in detonation chambers.
The subtle structure demonstrated expert menace actors creating an assault particularly designed to bypass endpoint detection and response options.
Observe us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most popular Supply in Google.
