The latest wave also mimics widely used developer tools to maximise the chance of installation. "The extensions overwhelmingly impersonate widely installed developer utilities: linters and formatters like ESLint and Prettier, code runners, popular language tooling for Angular, Flutter, Python, and Vue, and common quality-of-life extensions like vscode-icons, WakaTime, and Better Comments," the researchers said. "Notably, the campaign also targets AI developer tooling, with extensions targeting Claude Code, Codex, and Antigravity."
The researchers added that, as of March 13, Open VSX had removed the majority of the transitively malicious extensions, but a few remained live, indicating that takedowns were still ongoing.
Socket published indicators of compromise (IOCs) tied to the campaign, including the names of dozens of malicious Open VSX extensions and the associated publisher accounts believed to be linked to the operation. The researchers also recommend treating extension dependencies with the same scrutiny typically applied to software packages: an extension that looks harmless can declare a dependency on one that is not, and the dependency is installed automatically. Organizations should monitor extension updates, audit dependency relationships, and restrict installation to trusted publishers where possible, as attackers increasingly use the developer tooling ecosystem as a supply-chain entry point.
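Auditing dependency relationships against a publisher allowlist, as the researchers recommend, can be scripted from the extension manifests themselves. The following is an added example written for this article; it is not Socket's tooling and not code from the campaign write-up. Both VS Code and Open VSX extensions declare the extensions they pull in through the `extensionDependencies` and `extensionPack` fields of their `package.json`, so the script reads every manifest in an extensions folder, computes each extension's transitive closure, and flags every ID in that closure whose publisher is not on the allowlist. The sample manifests, the publisher and extension names other than the real ESLint extension ID, and the allowlist are constructed for illustration.

```python
"""Audit installed VS Code / Open VSX extensions for transitive dependencies on
publishers outside an allowlist.

Added example, not Socket's tooling.  Extension manifests (package.json) declare
dependencies in "extensionDependencies" and bundled members in "extensionPack";
both are installed automatically, so a trusted-looking extension can pull in an
untrusted one.  The sample manifests below are constructed for illustration."""
import json
import os
import sys
from typing import Dict, Iterable, List, Set

# Constructed sample manifests.  Apart from the real dbaeumer.vscode-eslint ID,
# publisher and extension names are hypothetical placeholders, not Open VSX data.
SAMPLE_MANIFESTS = [
    {"publisher": "dbaeumer", "name": "vscode-eslint", "version": "3.0.10"},
    {"publisher": "acme-tools", "name": "eslint-pro", "version": "1.2.0",
     "extensionDependencies": ["dbaeumer.vscode-eslint", "example-pub.helper-core"]},
    {"publisher": "example-pub", "name": "helper-core", "version": "0.1.3",
     "extensionDependencies": ["example-pub.telemetry-shim"]},
    {"publisher": "example-pub", "name": "telemetry-shim", "version": "0.0.9"},
]

# Hypothetical allowlist; a real one lists the publishers your organization vetted.
ALLOWED_PUBLISHERS = {"dbaeumer", "acme-tools"}


def ext_id(manifest: dict) -> str:
    """Extension ID in the marketplace form publisher.name (lower-cased)."""
    return f"{manifest['publisher']}.{manifest['name']}".lower()


def publisher_of(extension_id: str) -> str:
    """Publisher part of an extension ID (publisher names contain no dots)."""
    return extension_id.split(".", 1)[0]


def load_manifests(extensions_dir: str) -> List[dict]:
    """Read package.json from every extension folder, e.g. ~/.vscode/extensions."""
    manifests = []
    for entry in os.scandir(extensions_dir):
        path = os.path.join(entry.path, "package.json")
        if entry.is_dir() and os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                manifests.append(json.load(fh))
    return manifests


def build_graph(manifests: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each installed extension ID to the IDs it causes to be installed."""
    graph: Dict[str, List[str]] = {}
    for m in manifests:
        deps = list(m.get("extensionDependencies", [])) + list(m.get("extensionPack", []))
        graph[ext_id(m)] = [d.lower() for d in deps]
    return graph


def closure(graph: Dict[str, List[str]], root: str) -> Set[str]:
    """Transitive dependency closure of root, including root itself.
    The visited set makes this safe on cyclic graphs; a dependency that is not
    installed locally has no graph entry but is still part of the closure."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(graph.get(current, []))
    return seen


def audit(manifests: Iterable[dict], allowed: Set[str]) -> Dict[str, List[str]]:
    """For each installed extension, list every ID in its closure (itself
    included) whose publisher is outside the allowlist.  Clean extensions are
    omitted, so an empty dict means the whole install is allowlisted."""
    graph = build_graph(manifests)
    findings: Dict[str, List[str]] = {}
    for root in graph:
        untrusted = sorted(e for e in closure(graph, root) if publisher_of(e) not in allowed)
        if untrusted:
            findings[root] = untrusted
    return findings


if __name__ == "__main__":
    # Pass an extensions directory to audit a real install; default to the samples.
    installed = load_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    for root, untrusted in audit(installed, ALLOWED_PUBLISHERS).items():
        print(f"{root}: pulls in non-allowlisted {', '.join(untrusted)}")
```

Run it with the path to your extensions folder as the only argument to audit a real install. The check covers only what a manifest declares: a malicious extension that is itself from a non-allowlisted publisher is reported directly, and an allowlisted extension that depends on one is reported through its closure, but the script does not inspect what the extension's JavaScript actually does at activation. Treat a finding as a reason to review the flagged extension, and treat an empty report as necessary rather than sufficient.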
