Malicious Visual Studio Code Extensions Hide Trojan in Fake PNG Files

VS Code developers beware: ReversingLabs found 19 malicious extensions hiding trojans inside a popular dependency, disguising the final malware payload as a standard PNG image file.

Cybersecurity firm ReversingLabs (RL) has detected a sophisticated, long-running campaign targeting developers on the Visual Studio Code (VS Code) Marketplace. In total, 19 malicious extensions were found hiding a Trojan, with the campaign active since February 2025 and discovered on December 2.

For your information, VS Code is a key tool for many developers, making its Marketplace, where extensions (add-on features) are distributed, a prime target for cybercriminals. These findings came just a couple of weeks after a fake “Prettier” extension on the same marketplace was spotted dropping Anivia Stealer.

The Dependency Trick

According to RL Threat Researcher Petar Kirhmajer, the attackers used a classic Trojan technique where malicious software is disguised as something harmless. In this case, the malware was hidden inside an ...