Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names
29.08.2025
14556
A security vulnerability in Visual Studio Code's extension marketplace enables threat actors to reuse names of previously deleted extensions, potentially delivering malware or ransomware.
VS Code Flaw Exposed: Attackers Can Hijack Deleted Extension Names
Researchers just dropped a bombshell: a flaw in Visual Studio Code's extension marketplace lets bad actors republish deleted extensions under the same names. This isn't just a minor bug—it opens the door for ransomware and supply chain attacks, putting millions of devs at risk.
The vulnerability was uncovered by security experts who found that the marketplace doesn't properly handle name reuse after deletions. Attackers can exploit this to upload malicious extensions that appear legitimate, tricking users into installing them.
Key risks include: delivering ransomware payloads, compromising software supply chains, and enabling phishing attacks. This flaw highlights ongoing issues in open-source ecosystems, similar to past incidents with NPM and PyPI.
- • Flaw allows republishing extensions with same names as deleted ones.
- • Potential for malware and ransomware distribution.
- • Increases supply chain attack surface.
- • Affects all VS Code users relying on the extension marketplace.
Microsoft has been notified and is investigating fixes. In the meantime, users are advised to verify extension sources and keep software updated to mitigate risks.
This vulnerability underscores the critical need for robust security measures in developer tools to prevent widespread exploitation.
#VS Code extensions#supply chain attacks#malware#ransomware#CVE vulnerabilities
Got a topic? Write to ATLA WIRE on Telegram:t.me/atla_community
