A recent campaign involving malicious Visual Studio Code (VS Code) extensions has shed light on a vulnerability in the VS Code Marketplace that allows threat actors to reuse names of previously removed packages. The extensions, known as “shiba,” were used to deliver ransomware through a complex multi-stage attack.
According to researchers at ReversingLabs, one of the malicious extensions, ahbanC.shiba, acted as a simple downloader. Once installed, it executed a command called shiba.aowoo, which retrieved a second payload from a remote server. This payload then encrypted files in a specific test folder and demanded ransom in the form of one Shiba Inu token, an Ethereum-based cryptocurrency. Interestingly, no actual wallet address was provided for payment, mirroring a similar technique used in a previous attack on the Python Package Index (PyPI).
The issue lies in how the VS Code Marketplace handles the removal of extensions. When a publisher removes an extension, the name of that extension becomes available for reuse by anyone. This loophole allowed attackers to republish malicious code under names associated with previously deleted extensions. ReversingLabs confirmed this flaw by successfully publishing new test extensions under names that were previously used by malicious packages.
The shiba campaign, which spanned from late 2024 to mid-2025, showcased the repeated use of this tactic by different publishers under the same name. While there is no direct link to known ransomware groups, the strategy aligns with the broader criminal interest in utilizing public repositories for malware delivery.
The key takeaways from this incident are that removed extension names can be freely reused, that malicious actors can exploit this to impersonate legitimate tools, and that developers must exercise caution when adding Marketplace packages. The researchers at ReversingLabs emphasized the increasing popularity of the VS Code Marketplace among malicious actors and the urgent need to address this loophole.
As of now, there is no public indication that Microsoft has taken specific action to address the issue of different publishers being able to reuse extension names once a package is removed. It is essential for users to remain vigilant and stay informed about potential security risks when downloading extensions from the VS Code Marketplace.
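One way to act on the name-reuse point above is to pin each approved extension name to the publisher that was reviewed, then flag any installed copy whose publisher differs. This is an added example, not code from ReversingLabs or Microsoft; the inventory format, function names and sample extensions are constructed for illustration, and it assumes each installed extension sits in its own folder with a `package.json` carrying `publisher` and `name` fields.

```python
import json
import tempfile
from pathlib import Path

def read_manifest(ext_path):
    """Return (publisher, name, version) from package.json, or None if unusable."""
    try:
        data = json.loads((ext_path / "package.json").read_text(encoding="utf-8"))
        pub, name = data["publisher"], data["name"]
    except (OSError, ValueError, KeyError, TypeError):
        return None
    if not (isinstance(pub, str) and isinstance(name, str)):
        return None
    # Compare case-insensitively (assumption: IDs differing only in case are the same).
    return pub.lower(), name.lower(), str(data.get("version", "?"))

def audit_extensions(ext_dir, pinned):
    """Check installed extensions against a pinned {name: publisher} inventory."""
    pinned = {n.lower(): p.lower() for n, p in pinned.items()}
    findings = []
    for ext_path in sorted(Path(ext_dir).iterdir()):
        if not ext_path.is_dir():
            continue
        manifest = read_manifest(ext_path)
        if manifest is None:
            findings.append(("unreadable-manifest", ext_path.name, "?"))
            continue
        pub, name, version = manifest
        if name not in pinned:
            findings.append(("not-in-inventory", f"{pub}.{name}", version))
        elif pinned[name] != pub:
            # Pinned name published by someone else: the name-reuse case.
            findings.append(("publisher-mismatch", f"{pub}.{name}", version))
    return sorted(findings)

def demo():
    """Audit a constructed extensions directory; every name here is hypothetical."""
    pinned = {"linter-tools": "acme", "theme-pack": "Contoso"}
    installed = [("acme", "linter-tools", "1.2.0"),    # matches the inventory
                 ("n3wpub", "theme-pack", "0.0.1"),    # pinned name, other publisher
                 ("solo", "quick-snippets", "2.0.0")]  # never reviewed
    with tempfile.TemporaryDirectory() as tmp:
        for pub, name, ver in installed:
            ext = Path(tmp) / f"{pub}.{name}-{ver}"
            ext.mkdir()
            manifest = {"publisher": pub, "name": name, "version": ver}
            (ext / "package.json").write_text(json.dumps(manifest))
        return audit_extensions(tmp, pinned)
```

To audit a workstation, call `audit_extensions` on the local extensions directory (typically `~/.vscode/extensions`) with your own reviewed inventory.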

