Search results for microsoft vscode extensions | Breaking Cybersecurity News | The Hacker News

The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue. GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm, Open VSX, GitHub, and Git credentials, drain cryptocurrency assets from dozens of wallets, and turn developer machines into attacker-controlled nodes for other criminal activities. The most crucial aspect of the campaign is the abuse of the stolen credentials to compromise additional packages and extensions, thereby spreading the malware like a worm. Despite continued efforts of Microsoft and Open VSX, the malware resurfaced a second time last month, and the attackers were observed targeting GitHub repositories. The latest wave of the GlassWorm campaign, spotted by Secure Annex's Jo...

Popular artificial intelligence (AI)-powered Microsoft Visual Studio Code (VS Code) forks such as Cursor, Windsurf, Google Antigravity, and Trae have been found to recommend extensions that are non-existent in the Open VSX registry, potentially opening the door to supply chain risks when bad actors publish malicious packages under those names. The problem, according to Koi , is that these integrated development environments (IDEs) inherit the list of officially recommended extensions from Microsoft's extensions marketplace. These extensions don't exist in Open VSX. The VS Code extension recommendations can take two different forms: file-based, which are displayed as toast notifications when users open a file in specific formats, or software-based, which are suggested when certain programs are already installed on the host. "The problem: these recommended extensions didn't exist on Open VSX," Koi security researcher Oren Yomtov said. "The namespaces were u...

Threat actors have been observed uploading malicious typosquats of legitimate npm packages such as typescript-eslint and @types/node that have racked up thousands of downloads on the package registry. The counterfeit versions, named @typescript_eslinter/eslint and types-node , are engineered to download a trojan and retrieve second-stage payloads, respectively. "While typosquatting attacks are hardly new, the effort spent by nefarious actors on these two libraries to pass them off as legitimate is noteworthy," Sonatype's Ax Sharma said in an analysis published Wednesday. "Furthermore, the high download counts for packages like "types-node" are signs that point to both some developers possibly falling for these typosquats, and threat actors artificially inflating these counts to boost the trustworthiness of their malicious components." The npm listing for @typescript_eslinter/eslint, Sonatype's analysis revealed, points to a phony GitHub repo...

Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks. The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span of a month after the Shai-Hulud worm that targeted the npm ecosystem in mid-September 2025. What makes the attack stand out is the use of the Solana blockchain for command-and-control (C2), making the infrastructure resilient to takedown efforts. It also uses Google Calendar as a C2 fallback mechanism. Another novel aspect is that the GlassWorm campaign relies on "invisible Unicode characters that make malicious code literally disappear from code editors," Idan Dardikman said in a technical report. "The attacker used Unicode variation selectors – special characters that are...

This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a sneaky zero-day exploit turned their Android device into a target. Meanwhile, Microsoft pulled back the curtain on a scheme where cybercriminals used AI tools for harmful pranks, and a massive trove of live secrets was discovered, reminding us that even the tools we rely on can hide risky surprises. We've sifted through a storm of cyber threats—from phishing scams to malware attacks—and broken down what it means for you in clear, everyday language. Get ready to dive into the details, understand the risks, and learn how to protect yourself in an increasingly unpredictable online world. ⚡ Threat of the Week Serbian Youth Activist Targeted by Android 0-Day Exploit Chain — A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit chain developed by Cellebrite to unlock the device and likely deploy an Android spyware called NoviSpy. The flaws combined ...

Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks. Some of the extensions in question are "LaTeX Workshop," "Rainbow Fart," "Open in Default Browser," and "Instant Markdown," all of which have cumulatively racked up about two million installations between them. "Developer machines usually hold significant credentials, allowing them (directly or indirectly) to interact with many parts of the product," researchers from open-source security platform Snyk  said  in a deep-dive published on May 26. "Leaking a developer's private key can allow a malicious stakeholder to clone important...

Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack. The newly discovered package, named pdf-to-office , masquerades as a utility for converting PDF files to Microsoft Word documents. But, in reality, it harbors features to inject malicious code into cryptocurrency wallet software associated with Atomic Wallet and Exodus. "Effectively, a victim who tried to send crypto funds to another crypto wallet would have the intended wallet destination address swapped out for one belonging to the malicious actor," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. The npm package in question was first published on March 24, 2025, and has received three updates since then but not before the previous versions were likely removed by the a...

This week saw a lot of new cyber trouble. Hackers hit Fortinet and Chrome with new 0-day bugs. They also broke into supply chains and SaaS tools. Many hid inside trusted apps, browser alerts, and software updates. Big firms like Microsoft, Salesforce, and Google had to react fast — stopping DDoS attacks, blocking bad links, and fixing live flaws. Reports also showed how fast fake news, AI risks, and attacks on developers are growing. Here's what mattered most in security this week. ⚡ Threat of the Week Fortinet Warns of Another Silently Patched and Actively Exploited FortiWeb Flaw — Fortinet has warned that a new security flaw in FortiWeb has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0. It has been addressed in version 8.0.2. "An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an a...

Everything feels secure—until one small thing slips through. Even strong systems can break if a simple check is missed or a trusted tool is misused. Most threats don't start with alarms—they sneak in through the little things we overlook. A tiny bug, a reused password, a quiet connection—that's all it takes. Staying safe isn't just about reacting fast. It's about catching these early signs before they blow up into real problems. That's why this week's updates matter. From stealthy tactics to unexpected entry points, the stories ahead reveal how quickly risk can spread—and what smart teams are doing to stay ahead. Dive in. ⚡ Threat of the Week U.S. Disrupts N. Korea IT Worker Scheme — Prosecutors said they uncovered the North Korean IT staff working at over 100 U.S. companies using fictitious or stolen identities and not only drawing salaries, but also stealing secret data and plundering virtual currency more than $900,000 in one incident targeting an unnamed blockchain company in ...

A security weakness has been disclosed in the artificial intelligence (AI)-powered code editor Cursor that could trigger code execution when a maliciously crafted repository is opened using the program. The issue stems from the fact that an out-of-the-box security setting is disabled by default, opening the door for attackers to run arbitrary code on users' computers with their privileges. "Cursor ships with Workspace Trust disabled by default, so VS Code-style tasks configured with runOptions.runOn: 'folderOpen' auto-execute the moment a developer browses a project," Oasis Security said in an analysis. "A malicious .vscode/tasks.json turns a casual 'open folder' into silent code execution in the user's context." Cursor is an AI-powered fork of Visual Studio Code, which supports a feature called Workspace Trust to allow developers to safely browse and edit code regardless of where it came from or who wrote it. With this option disab...