
The latest wave also mimics widely used developer tools to maximize installation chances. "The extensions overwhelmingly impersonate widely installed developer utilities: linters and formatters like ESLint and Prettier, code runners, popular language tooling for Angular, Flutter, Python, and Vue, and common quality-of-life extensions like vscode-icons, WakaTime, and Better Comments," the researchers said. "Notably, the campaign also targets AI developer tooling, with extensions targeting Claude Code, Codex, and Antigravity."
The researchers added that as of March 13, Open VSX had removed the majority of the transitively malicious extensions, but a few remain live, indicating that takedowns are ongoing.
Socket published indicators of compromise (IOCs) tied to the campaign, including the names of dozens of malicious Open VSX extensions and associated publisher accounts believed to be linked to the operation. The researchers also recommend treating extension dependencies with the same scrutiny typically applied to software packages: an extension that looks benign can pull in a malicious one through its declared dependencies, which is how a single install becomes "transitively" malicious. Organizations should monitor extension updates, audit dependency relationships, and restrict installation to trusted publishers where possible, as attackers increasingly exploit the developer tooling ecosystem as a supply-chain entry point.
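One way to put the "audit dependency relationships" advice into practice is to walk the transitive dependency graph of installed extensions and flag anything that pulls in a publisher outside an allowlist. The script below is an added example, not Socket's or Open VSX's code. It relies on two facts about VS Code-style extension manifests: each installed extension has a package.json under ~/.vscode/extensions/<publisher>.<name>-<version>/, and that manifest declares other extensions it brings along under "extensionDependencies" and "extensionPack" as "publisher.name" identifiers. The manifests embedded in the script are constructed sample data so it runs offline; the publisher names "trusted-tools" and "unknown-pub" are hypothetical.

```python
"""Audit transitive extension dependencies against a publisher allowlist.

Added example, not code from Socket or Open VSX. Uses the real manifest keys
"extensionDependencies" and "extensionPack"; the sample manifests and the
publisher names "trusted-tools" / "unknown-pub" are constructed for illustration.
"""
import json
from pathlib import Path

# Constructed sample manifests: a formatter from a trusted publisher that
# bundles an extension from an unfamiliar publisher, which in turn depends on
# a further unfamiliar extension (the "transitively malicious" pattern).
SAMPLE_MANIFESTS = [
    {"publisher": "trusted-tools", "name": "formatter-pro",
     "extensionPack": ["trusted-tools.helper", "unknown-pub.runtime"]},
    {"publisher": "trusted-tools", "name": "helper"},
    {"publisher": "unknown-pub", "name": "runtime",
     "extensionDependencies": ["unknown-pub.payload"]},
    {"publisher": "unknown-pub", "name": "payload"},
    {"publisher": "trusted-tools", "name": "icons"},
]


def extension_id(manifest):
    """Canonical 'publisher.name' id; marketplace ids are case-insensitive."""
    return f"{manifest['publisher']}.{manifest['name']}".lower()


def build_graph(manifests):
    """Map each extension id to the set of ids it pulls in via either key."""
    graph = {}
    for m in manifests:
        deps = set(m.get("extensionDependencies", [])) | set(m.get("extensionPack", []))
        graph[extension_id(m)] = {d.lower() for d in deps}
    return graph


def transitive_deps(graph, ext_id):
    """Iterative closure over the graph; tolerates cycles and deps not installed."""
    seen, stack = set(), list(graph.get(ext_id, ()))
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(graph.get(cur, ()))
    return seen


def audit(manifests, trusted_publishers):
    """Return {ext_id: sorted untrusted ids found in its closure, itself included}."""
    graph = build_graph(manifests)
    trusted = {p.lower() for p in trusted_publishers}
    findings = {}
    for ext_id in graph:
        closure = transitive_deps(graph, ext_id) | {ext_id}
        bad = sorted(d for d in closure if d.split(".", 1)[0] not in trusted)
        if bad:
            findings[ext_id] = bad
    return findings


def load_installed(ext_dir=None):
    """Read real manifests from an extensions directory (skips unreadable ones)."""
    ext_dir = Path(ext_dir) if ext_dir else Path.home() / ".vscode" / "extensions"
    manifests = []
    for pkg in ext_dir.glob("*/package.json"):
        try:
            m = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if "publisher" in m and "name" in m:
            manifests.append(m)
    return manifests


if __name__ == "__main__":
    # Swap SAMPLE_MANIFESTS for load_installed() to audit a real machine.
    for ext, bad in audit(SAMPLE_MANIFESTS, ["trusted-tools"]).items():
        print(f"{ext}: pulls in untrusted {', '.join(bad)}")
```

On the sample data the audit flags trusted-tools.formatter-pro even though its own publisher is allowlisted, because its extension pack reaches unknown-pub.runtime and, through that, unknown-pub.payload. Checking only the publisher of what a developer clicked "install" on would miss exactly this case, which is why the closure is computed rather than the direct dependency list alone.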
