Sophisticated Supply-Chain Attack Targets VSCode Ecosystem

Cyber Security News by CyberSum.net
In late November 2025, a sophisticated supply-chain attack leveraging the Visual Studio Code extension ecosystem was discovered. A malicious extension masquerading as the popular Prettier code formatter briefly appeared on the official VSCode Marketplace, compromising at least three systems. The attack involved a multi-stage malware chain, including the Anivia loader and OctoRAT, a remote access toolkit with over 70 command modules. The threat actor used a GitHub repository named 'vscode' to host obfuscated VBScript payloads, employing payload rotation techniques to evade detection. The attack highlights the evolving threat landscape targeting developer ecosystems, emphasizing the need for strict extension management policies and enhanced endpoint detection capabilities.