Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's under development to its users. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have since been taken down by the marketplace maintainers. Both the extensions, per ReversingLabs, incorporate code that's designed to invoke a PowerShell command, which then grabs a PowerShell-script payload from a command-and-control (C2) server and executes it. The payload is suspected to be ransomware in early-stage development, only encrypting files in a folder called "testShiba" on the victim's Windows desktop. Once the files are encrypted, the PowerShell payload displays a message, stating "Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them." However, no other instructions or cryptocurrency wallet addresses are provided to the victims, another indication that the malware is likely under development by the threat actors. The development comes a couple of months after the software supply chain security firm flagged several malicious extensions, some of which masqueraded as Zoom, but harbored functionality to download an unknown second-stage payload from a remote server. Last week, Socket detailed a malicious Maven package impersonating the scribejava-core OAuth library that secretly harvests and exfiltrates OAuth credentials on the fifteenth day of each month, highlighting a time-based…Read More