Extension pointed to a GitHub-based C2: Ransomvibe deployed a rather unusual GitHub-based command-and-control (C2) infrastructure instead of relying on traditional C2 servers. The extension used a private GitHub repository to receive and execute commands. It routinely checked for new commits to a file named “index.html”, executed the embedded commands, and then wrote the output back into “requirements.txt” using a GitHub Personal Access Token (PAT) bundled inside the extension.

Apart from enabling exfiltration of host data, this C2 behavior exposed the attacker’s own environment: traces of it pointed to a GitHub user in Baku, whose time zone matched the system data logged by the malware itself.

Secure Annex calls this a textbook example of AI-assisted malware development, featuring misplaced source files (including decryption tools and the attacker’s C2 code) and a README.md file that explicitly describes its malicious functionality. But Tuckner argues that the real failure lies in Microsoft’s marketplace review system, which failed to flag the extension.

Microsoft did not immediately respond to CSO’s request for comment.

Recent incidents have shown that malicious or careless extensions are becoming a recurring problem in the Visual Studio Code ecosystem, with some leaking credentials and others quietly stealing code or mining cryptocurrency. Alongside the list of IOCs it shared, Secure Annex released the Secure Annex Extension Manager, a tool designed to block known malicious extensions and inventory installed add-ons across an organization.
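The C2 pattern described above (a bundled GitHub PAT, the GitHub Contents API used to read one file and write another, and a command-execution path) can be hunted for in installed extension sources. The script below is an added example written for this article, not Secure Annex's tool or the extension's code; the extension directory, regexes and the sample JavaScript source are assumptions constructed for illustration, and the token in the sample is a placeholder, not a real credential.

```python
import re
from pathlib import Path
# Token prefixes GitHub documents: classic PATs start with ghp_, fine-grained ones with github_pat_.
PAT_RE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{20,})\b")
# Contents API endpoint used to read or write a single file: /repos/{owner}/{repo}/contents/{path}
CONTENTS_RE = re.compile(r"api\.github\.com/repos/[\w.-]+/[\w.-]+/contents/([\w./-]+)")
# Ways a Node-based extension can run fetched text as commands.
EXEC_RE = re.compile(r"\b(?:child_process|execSync|spawnSync|eval)\b")

def scan_source(text: str) -> dict:
    """Collect the three indicator classes from one extension source file."""
    return {
        "pats": sorted(set(PAT_RE.findall(text))),
        "contents_paths": sorted(set(CONTENTS_RE.findall(text))),
        "exec_calls": sorted(set(EXEC_RE.findall(text))),
    }

def risk_level(findings: dict) -> str:
    """A bundled PAT plus Contents API plus command execution is the full C2 pattern."""
    pat, api, ex = (bool(findings[k]) for k in ("pats", "contents_paths", "exec_calls"))
    if pat and api and ex:
        return "high"
    if pat or (api and ex):
        return "medium"
    return "low"

def scan_extension_dir(ext_dir: Path) -> dict:
    """Merge findings across every .js file of one installed extension."""
    merged = {"pats": set(), "contents_paths": set(), "exec_calls": set()}
    for js in ext_dir.rglob("*.js"):
        found = scan_source(js.read_text(encoding="utf-8", errors="ignore"))
        for key in merged:
            merged[key].update(found[key])
    return {k: sorted(v) for k, v in merged.items()}

# Constructed sample mimicking the described behaviour; the token is a placeholder, not real.
SAMPLE_SOURCE = """
const token = 'ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0';
const cmdUrl = 'https://api.github.com/repos/example-owner/example-repo/contents/index.html';
const outUrl = 'https://api.github.com/repos/example-owner/example-repo/contents/requirements.txt';
const { execSync } = require('child_process');
"""

if __name__ == "__main__":
    root = Path.home() / ".vscode" / "extensions"  # assumed default install location
    dirs = [p for p in root.iterdir() if p.is_dir()] if root.exists() else []
    for ext in sorted(dirs):
        found = scan_extension_dir(ext)
        print(f"{risk_level(found):6} {ext.name} {found}")
```

A "high" result is only a lead for manual review; legitimate extensions that talk to GitHub on the user's behalf will not ship a token in their source, which is what separates this pattern from benign API use.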
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4086639/vibe-coded-ransomware-proof-of-concept-ended-up-on-microsofts-marketplace.html

