VS Code Marketplace Loophole Lets Attackers Reuse Removed Extension Names

Researchers warn that the flaw allows malicious actors to recycle extension names, creating new risks for software supply chain attacks.

CSBadmin
3 Min Read

Cybersecurity researchers have uncovered a loophole in the Visual Studio Code Marketplace that lets threat actors reuse the names of extensions once those extensions have been removed. ReversingLabs made the discovery after spotting a malicious extension named ahbanC.shiba, which differs from the previously flagged ahban.shiba only in its publisher ID and mimicked the behavior of that extension and of a second one, ahban.cychelloworld. All three acted as downloaders that retrieved a PowerShell payload designed to encrypt files in the victim's Windows desktop folder and demand a ransom paid in Shiba Inu cryptocurrency.

The near-identical naming prompted a closer investigation. Every Marketplace extension is identified by an ID of the form publisher.name, and Microsoft's official documentation states that the extension name must be unique. ReversingLabs found that this uniqueness is enforced only while the extension exists: once an extension is deleted, its name becomes available again and can be claimed by a different publisher. An attacker can therefore republish a malicious extension under a name that users may already recognize and trust, even though the publisher behind it has changed.

This weakness is not unique to Microsoft's ecosystem. ReversingLabs noted a similar behavior in the Python Package Index (PyPI), where deleted package names become available for reuse unless the removed project was specifically flagged as malicious. Unlike PyPI, however, the VS Code Marketplace currently does not block the reuse of names that were previously abused, leaving the door open for attackers to exploit developer trust.

The findings align with broader trends in software supply chain attacks, where malicious actors poison open-source ecosystems with trojanized packages or extensions. Recent examples include the discovery of eight malicious npm packages published under fake developer accounts. These packages were designed to deliver an information stealer targeting Google Chrome, capable of exfiltrating passwords, credit card data, cryptocurrency wallets, and browser cookies. Researchers found the malicious code was heavily obfuscated, employing 70 layers of packing to conceal its true intent.

Such attacks illustrate the growing sophistication of adversaries targeting developer tools and open-source repositories. By exploiting naming conventions and user trust, attackers can masquerade as legitimate projects, increasing the chances that unsuspecting users will install malware. Leaked cybercrime communications, including Black Basta ransomware group chat logs, show that ransomware operators are actively considering these tactics to expand their reach.

Security experts emphasize that organizations and developers must adopt rigorous supply chain security practices. Automated scanning, dependency monitoring, and a single source of truth for the software components in use are increasingly essential. Without visibility across the ecosystem, attackers can exploit even small loopholes, such as the reuse of deleted extension names, to infiltrate development environments.

The exposure of this loophole underscores a critical blind spot in the security of widely used developer marketplaces. Until restrictions are enforced to prevent name recycling, both enterprises and individual developers should remain vigilant and verify the source and integrity of extensions before installation. Because an extension name alone can be recycled, that verification should cover the full publisher.name ID, not just the familiar-looking name.
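One way to turn that advice into a repeatable check, as an added example that is not ReversingLabs' or Microsoft's code: the script below parses the output of `code --list-extensions --show-versions`, splits each ID into the Marketplace's publisher.name form, and flags any installed extension whose name matches a previously removed malicious extension even though the publisher differs, which is exactly the ahban.shiba / ahbanC.shiba pattern described above. The two removed IDs come from the article; the allow-list, the lookalike-publisher heuristic and the sample `code` output are constructed for this example.

```python
"""Audit installed VS Code extensions for recycled extension names.

Added example, not code from the article or from ReversingLabs/Microsoft.
The removed IDs are the ones the article names; the allow-list and the
sample `code --list-extensions --show-versions` output are constructed.
"""
from difflib import SequenceMatcher

# Extension IDs the article reports as removed after being flagged as malicious.
REMOVED_MALICIOUS = {"ahban.shiba", "ahban.cychelloworld"}

# Constructed organisational allow-list of approved extension IDs (assumption).
ALLOWED_IDS = {"ms-python.python", "esbenp.prettier-vscode"}

# Constructed sample of `code --list-extensions --show-versions` output
# (one 'publisher.name@version' per line); versions are placeholders.
SAMPLE_CODE_LIST = """\
ms-python.python@1.0.0
ahbanC.shiba@1.0.0
esbenp.prettier-vscode@1.0.0
"""


def split_extension_id(ext_id: str) -> tuple[str, str]:
    """Split 'publisher.name' into (publisher, name), lower-cased for comparison."""
    publisher, sep, name = ext_id.partition(".")
    if not sep or not publisher or not name:
        raise ValueError(f"not a publisher.name extension ID: {ext_id!r}")
    return publisher.lower(), name.lower()


def parse_code_list(output: str) -> list[str]:
    """Return the extension IDs from `code --list-extensions --show-versions`
    output, dropping the '@version' suffix and blank lines."""
    ids = []
    for line in output.splitlines():
        line = line.strip()
        if line:
            ids.append(line.partition("@")[0])
    return ids


def publisher_lookalike(a: str, b: str) -> bool:
    """Heuristic: two distinct publisher IDs that differ only slightly
    (e.g. 'ahban' vs 'ahbanc'), the impersonation pattern in the article."""
    if a == b:
        return False
    return a.startswith(b) or b.startswith(a) or SequenceMatcher(None, a, b).ratio() >= 0.8


def audit(installed_ids, removed=REMOVED_MALICIOUS, allowed=ALLOWED_IDS):
    """Return (extension_id, reason) findings, one per suspicious extension.

    Checks, in order: exact match to a removed malicious ID; same name as a
    removed ID but a different publisher (name recycling); not on the allow-list.
    """
    removed_by_name: dict[str, set[str]] = {}
    for ext_id in removed:
        pub, name = split_extension_id(ext_id)
        removed_by_name.setdefault(name, set()).add(pub)
    allowed_norm = {i.lower() for i in allowed}

    findings = []
    for ext_id in installed_ids:
        pub, name = split_extension_id(ext_id)
        full = f"{pub}.{name}"
        if name in removed_by_name:
            prev = removed_by_name[name]
            if pub in prev:
                findings.append((ext_id, "exact match to a removed malicious extension"))
            else:
                hint = " (lookalike publisher)" if any(publisher_lookalike(pub, p) for p in prev) else ""
                findings.append((
                    ext_id,
                    f"name '{name}' was previously used by removed extension(s) from "
                    f"{sorted(prev)}; republished under '{pub}'{hint}",
                ))
        elif full not in allowed_norm:
            findings.append((ext_id, "not on the allow-list"))
    return findings


if __name__ == "__main__":
    # In practice: code --list-extensions --show-versions | python3 audit.py
    for ext_id, reason in audit(parse_code_list(SAMPLE_CODE_LIST)):
        print(f"{ext_id}: {reason}")
```

Run against real output by piping `code --list-extensions --show-versions` into the script in place of the sample. The removed-ID set is the part that needs maintenance: the point of the article is that the Marketplace does not keep that history for you, so an organization has to record the IDs of extensions it has seen removed and compare on the name component, not just the full ID.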
