'Ransomvibing' Infests Visual Studio Extension Market
Recorded: Nov. 7, 2025, 11:01 p.m.
Original
A published VS Code extension didn't hide the fact that it encrypts and exfiltrates data and also failed to remove obvious signs it was AI-generated.

Alexander Culafi, Senior News Writer, Dark Reading
November 7, 2025

The threat actor skill floor may soon lower, as vibe-coded ransomware has seemingly been published as an extension for Microsoft's AI code editor Visual Studio Code (VS Code).

John Tuckner, founder of software extension management provider Secure Annex, published a research blog post Nov. 4 describing what he referred to as "ransomvibing," or vibe-coded ransomware. It was an extension published to Visual Studio Marketplace and, unusually, does not appear to hide the fact that it encrypts and exfiltrates data. The extension, Tuckner wrote, "shows obvious signs of it being vibe coded."

Vibe coding, the practice of using natural language to instruct an AI model to generate software code, quickly became a prominent use case for LLMs. Given how prolific AI-generated code is in legitimate organizations, it stands to reason that threat actors would follow suit sooner or later. Threat actors more broadly have leveraged AI for malware and phishing email generation, but top-to-bottom vibe-coded ransomware is unusual, if not mostly unheard of. That said, New York University's Tandon School of Engineering recently made an AI ransomware proof-of-concept that was later dubbed "PromptLock" by researchers. Although this malicious extension, published under the name "susvsex," is only a crude example, it raises the question of how far the concept of "AI-generated ransomware" can be pushed.

Vibe-Coded Ransomware: Conceptually Scary, Crude in Practice

The susvsex extension's listing on VS Marketplace (now removed) is remarkably blatant, advertising in the description that it "automatically zips, uploads, and encrypts files" to a remote command and control (C2) server. The extension was also published by "suspublisher18," presumably short for "suspicious publisher."

The ransomware performs many of the functions common to ransomware and pure data extortion attacks, Tuckner observed, though the extension had several giveaways that it was most likely AI-generated. At the code level, Tuckner noted the extensive use of comments (a telltale sign of AI code) and certain decisions that would appear nonsensical to a typical ransomware actor. For example, Tuckner noted that "conveniently for potential victims, the extension includes the hardcoded decryption key as well as two different vibe coded decryptors — Python and Node versions."

Once files are encrypted, the extension sets up a private C2 channel in the form of a private GitHub repository. "The extension will periodically check the repository for new commits and commands from index.html," Tuckner wrote. "Kindly, there was a lot of effort put in to logging each step of the C2 execution making it easy to follow along (another great sign this malware was crafted using AI)."

As the malicious extension was published so blatantly, Dark Reading asked Tuckner how he thought it was published in the first place. In an email, he explains that it's likely an amateur "playing around" to see if they can get ransomware published on a Microsoft-hosted marketplace. "It does make me worry that this type of behavior might become hobbyist in nature," Tuckner says.

Vibe-Coded Ransomware: Takeaways and Marketplace Woes

This example of vibe-coded ransomware was so rough, and the concept so nascent, that it's not easy to offer guidance or countermeasures beyond typical security best practices. If there is one takeaway, it may be one Tuckner raises in email as well as in the research: How was an extension this blatantly malicious published to the VS Code marketplace?

"I'm incredibly worried about the amount of care Microsoft puts into the Visual Studio Marketplace moderation. This was a brazen piece of malware which should have been caught by any number of checks," Tuckner says. "I reported it through two channels, the 'Report a concern' email listed on the marketplace page and through [Microsoft Security Response Center]. The MSRC submission was determined out of scope and closed. The Marketplace Support requested more information before following up later with a removal notice."

Tuckner adds that he's most worried about the advent of more sophisticated ransomware, possibly supported by AI, which will make "its way into a trusted Microsoft distribution channel and be able to make an impact with as little as one click or through an auto update of an extension."

"We appreciate Secure Annex for responsibly reporting this issue," a Microsoft spokesperson tells Dark Reading. "We investigated and have removed the extension." The spokesperson adds that every extension page includes a "Report abuse" link, that Microsoft investigates all reports of abuse, and that the Marketplace can be fully blocked at the firewall level if desired.

"When a malicious extension is reported and verified, or a vulnerability is found in an extension dependency," the spokesperson adds, "the extension is removed from the Marketplace, added to a block list, and automatically uninstalled by VS Code."
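Defenders who do not want to rely solely on the Marketplace's own block list can inventory what is installed locally and triage it themselves. The following Python script is an added example, not code from the article, Secure Annex or Microsoft: it walks an extensions directory, reads each extension's package.json, flags anything on a defender-maintained block list, and performs a coarse keyword triage of the listing description (the susvsex listing openly advertised that it "zips, uploads, and encrypts files"). The block-list format, the assumption that each extension folder holds a package.json with publisher, name and description fields, the examplepub sample manifests and the keyword heuristic are all assumptions of this example; only the suspublisher18 / susvsex identifiers come from the article.

```python
"""
Offline audit of a VS Code extensions directory against a block list plus a
coarse description triage. Added example; not code from the article,
Secure Annex or Microsoft.

Assumptions (not from the article):
  - Each extension sits in its own sub-folder containing a package.json with
    "publisher", "name" and "description" keys (the layout VS Code uses under
    ~/.vscode/extensions; treated here as an assumption).
  - Block-list entries are "publisher.name" strings, our own convention.
"""
from __future__ import annotations

import json
import os
import re
import tempfile
from dataclasses import dataclass

# Extension identifiers named in the article: publisher "suspublisher18", name "susvsex".
BLOCK_LIST = {"suspublisher18.susvsex"}

# Terms taken from the listing text quoted in the article ("automatically zips,
# uploads, and encrypts files"). A coarse triage heuristic, not a detection signature.
SUSPICIOUS_TERMS = re.compile(r"\b(encrypt|exfiltrat|upload|zip)\w*", re.IGNORECASE)


@dataclass
class Finding:
    extension_id: str
    reason: str


def extension_id(manifest: dict) -> str:
    """Build the Marketplace-style identifier publisher.name (lower-cased)."""
    return f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()


def audit_extensions(root: str, block_list=BLOCK_LIST) -> list[Finding]:
    """Walk root/*/package.json and report blocked or suspicious-looking extensions."""
    findings: list[Finding] = []
    for entry in sorted(os.listdir(root)):
        manifest_path = os.path.join(root, entry, "package.json")
        if not os.path.isfile(manifest_path):
            continue
        with open(manifest_path, encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                # A manifest that does not parse deserves a look on its own.
                findings.append(Finding(entry, "unparseable package.json"))
                continue
        ext_id = extension_id(manifest)
        if ext_id in block_list:
            findings.append(Finding(ext_id, "on block list"))
            continue
        description = manifest.get("description", "")
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS_TERMS.finditer(description)})
        if hits:
            findings.append(Finding(ext_id, "description mentions " + ", ".join(hits)))
    return findings


def build_sample_root() -> str:
    """Construct a throwaway extensions directory with three made-up manifests."""
    root = tempfile.mkdtemp(prefix="vscode-ext-audit-")
    samples = {
        # Identifiers from the article; description wording as quoted there.
        "suspublisher18.susvsex-1.0.0": {
            "publisher": "suspublisher18", "name": "susvsex",
            "description": "Automatically zips, uploads, and encrypts files"},
        # Constructed sample, not a real extension: benign but keyword-heavy.
        "examplepub.backup-helper-0.1.0": {
            "publisher": "examplepub", "name": "backup-helper",
            "description": "Uploads workspace archives to your cloud drive"},
        # Constructed sample, not a real extension: nothing to flag.
        "examplepub.theme-plain-2.3.1": {
            "publisher": "examplepub", "name": "theme-plain",
            "description": "A plain colour theme"},
    }
    for folder, manifest in samples.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for finding in audit_extensions(build_sample_root()):
        print(f"{finding.extension_id}: {finding.reason}")
```

The keyword triage is deliberately noisy: a legitimate backup extension trips it too, which is the point of a triage list rather than an automatic uninstall. Point `audit_extensions` at a real extensions directory to review what is installed, and treat a block-list hit and a description hit as different severities.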
Summarized

The proliferation of "ransomvibing" (AI-generated ransomware) represents a concerning and nascent evolution in the cybersecurity landscape, as highlighted by Alexander Culafi's reporting for Dark Reading. This incident, involving a Visual Studio Code (VS Code) extension that encrypts and exfiltrates data, underscores the potential for lower-skill threat actors to leverage artificial intelligence for malicious purposes. The core of the issue centers on the publication of a relatively blatant extension, "susvsex," which exhibits several telltale signs of AI generation, including extensive commenting and nonsensical decisions within the code. This extension employed a vibe-coded approach, utilizing natural language prompts to generate the core functionality of the ransomware.

The emergence of "ransomvibing" reflects a broader trend: the increased utilization of Large Language Models (LLMs) by cybercriminals. The NYU Tandon School of Engineering's PromptLock ransomware proof-of-concept, while crude, served as a foundational demonstration of this potential. The vulnerability stems from the ease with which AI can be prompted to create software, and the fact that a significant amount of code is already generated with AI assistance in legitimate organizations. This has given cybercriminals a significant advantage. The case of "susvsex" is particularly alarming because it highlights the risk of these tools falling into the hands of less sophisticated threat actors. The extension's actions (zipping, uploading, and encrypting files) are relatively standard for ransomware, although the AI-generated nature of the code raised additional concerns. The "susvsex" extension's distinctive characteristics, such as the hardcoded decryption key and multiple vibe-coded decryptors, further amplified the risk.

The deployment of a private GitHub repository to facilitate communication, coupled with persistent monitoring of the repository for new commands, is an unusual and potentially sophisticated tactic. The index.html check, designed to collect commands, stands as another red flag indicative of AI-generated code, making it easier for those unfamiliar with technical processes to follow the malicious C2 execution. The extension's deliberate design, including logging each step, provided a "guided tour" for potential victims, offering insight into its operation.

The incident exposes vulnerabilities within trusted software distribution channels, particularly the Visual Studio Marketplace. The fact that such a blatantly malicious extension was published raises a serious concern about the level of vetting employed by Microsoft and its partners. The relatively quick response, involving reporting through multiple channels (the "Report a concern" email and a submission to the Microsoft Security Response Center), highlights the importance of swift action. The removal of the extension, coupled with a block list, demonstrates a proactive defense mechanism. However, the delayed response, and the initial determination by the MSRC that the submission was "out of scope," raises questions about the prioritization of security reviews within Microsoft's ecosystem. The response from Microsoft acknowledges the error, committing to investigating reports of abuse, removing malicious extensions, and adding them to block lists. However, the incident underscores the importance of constant vigilance and a robust moderation strategy. It also highlights the need for threat actors to adapt their tactics to evade detection, particularly as AI-powered defenses become more prevalent. Moving forward, a focus on ongoing monitoring and rapid response capabilities will be critical to mitigating the risks posed by AI-generated cyber threats. Furthermore, the situation reinforces the need for heightened awareness among developers and users of VS Code, and promotes responsible software development practices to reduce the attack surface.