Malicious AI ‘Slop’ Appears on Official Marketplace
A malicious extension for Visual Studio Code, featuring basic ransomware capabilities, was recently published on Microsoft’s official marketplace. Discovered by security researcher John Tuckner, the extension named ‘susvsex’ was notable for openly advertising its harmful functions in its own description, including file theft and encryption.
Tuckner described the code as unsophisticated “vibe coding” and labeled it “AI slop,” pointing to comments within the code that strongly suggest it was generated by an artificial intelligence tool rather than a human developer. The extension was designed to activate upon installation or when VS Code launched, at which point it would compress files in a target directory, exfiltrate them to a hardcoded remote server, and then encrypt the original files using AES-256-CBC.
Vetting Process and Microsoft’s Response
Despite the extension’s explicit description of its malicious intent, a report filed by the researcher was initially ignored by Microsoft, and the extension remained available for download. The overt nature of the threat suggests it may have been an experiment designed to test the limits and effectiveness of Microsoft’s vetting process for its marketplace.
The researcher was able to use a hardcoded token in the extension’s code to trace its command-and-control repository back to an owner likely based in Azerbaijan. The extension was eventually removed from the VS Code registry after BleepingComputer contacted Microsoft for comment, highlighting ongoing challenges in securing software supply chains from AI-assisted threats.
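The traits the article attributes to the extension (activation at editor startup, a hardcoded remote server, a hardcoded token in the code) are all visible in an installed extension's `package.json` and entry script, so a defender can triage for them locally. The audit below is an added example, not code from the article, the researcher, or Microsoft; the token regex and entropy threshold are assumed heuristics, and the sample extension it builds is constructed.

```python
"""Audit a VS Code extension directory for startup activation, hardcoded URLs
and hardcoded tokens. Added example; heuristics and sample data are assumptions."""
import json, math, re, tempfile
from collections import Counter
from pathlib import Path

# Real VS Code activation events that run an extension when the editor starts.
BROAD_ACTIVATION = {"*", "onStartupFinished"}
URL_RE = re.compile(r"https?://[^\s'\"`]+")
# Assumed heuristic: a quoted literal of 32+ token-like characters.
TOKEN_RE = re.compile(r"""['"]([A-Za-z0-9_\-]{32,})['"]""")

def entropy(s: str) -> float:
    """Shannon entropy in bits per character; used to skip repetitive literals."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def audit_extension(ext_dir: Path) -> dict:
    """Return the extension name plus human-readable findings for one install dir."""
    pkg = json.loads((ext_dir / "package.json").read_text())
    findings = []
    broad = set(pkg.get("activationEvents", [])) & BROAD_ACTIVATION
    if broad:
        findings.append(f"activates at startup via {sorted(broad)}")
    main = pkg.get("main")
    if main:
        entry = ext_dir / main
        if not entry.exists():  # Node-style resolution: 'out/extension' -> 'out/extension.js'
            entry = Path(str(entry) + ".js")
        src = entry.read_text(errors="ignore")
        for url in URL_RE.findall(src):
            findings.append(f"hardcoded URL {url}")
        for tok in TOKEN_RE.findall(src):
            if entropy(tok) > 3.5:  # assumed threshold
                findings.append(f"possible hardcoded token {tok[:6]}... (entropy {entropy(tok):.1f})")
    return {"name": pkg.get("name"), "findings": findings}

def demo() -> dict:
    """Build a constructed extension in a temp dir and audit it."""
    d = Path(tempfile.mkdtemp()) / "sample-ext-0.0.1"
    (d / "out").mkdir(parents=True)
    (d / "package.json").write_text(json.dumps(
        {"name": "sample-ext", "main": "./out/extension", "activationEvents": ["*"]}))
    (d / "out" / "extension.js").write_text(  # constructed values, not real indicators
        'const C2 = "https://c2.example.invalid/upload";\n'
        'const TOKEN = "x7Qp2LmZ9aKe4VbT1nRy8WsD3uGhJ6cF0oEiYt5H";\n')
    return audit_extension(d)
```

Run `audit_extension` over each directory under `~/.vscode/extensions/` to triage a real install; a startup activation event alone is common in benign extensions, so treat the findings as leads rather than verdicts.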