VS Code extensions contain trojan-laden image
ID: 65b77383-7f3c-5e8a-9315-f8375b5edf34
STIX ID: report--65b77383-7f3c-5e8a-9315-f8375b5edf34
Feed Name: ReversingLabs Blog
ReversingLabs uncovered a campaign of 19 malicious VS Code extensions, active since February 2025, that weaponized the popular npm dependency path-is-absolute and abused bundled dependency folders to conceal a JavaScript dropper stored as reversed base64 text together with two malicious binaries: one hidden inside a fake PNG archive and executed via cmstp.exe, the other a Rust trojan. The campaign shows how pre-packaged extension dependencies can be abused to evade detection. ReversingLabs detected the binaries with machine learning, published IoCs, and reported the extensions to Microsoft, recommending that teams audit extensions and their dependencies and use security tooling to reduce exposure.
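The two concealment tricks in the summary (a non-PNG file carrying a .png name, and script source hidden as a reversed base64 literal) are both cheap to check for during an extension audit. The script below is an added example written for this page, not ReversingLabs' tooling or any of the IoCs they published: it builds a constructed extension tree under a temporary directory (the dependency name `constructed-dep`, the file names and the embedded marker string are all made up), then walks the bundled `node_modules` folder, flags `.png` files whose first bytes are not the PNG signature, and decodes long quoted base64-looking literals in `.js` files after reversing them, reporting any that decode to JavaScript-like text.

```python
from __future__ import annotations

import base64
import re
import tempfile
from pathlib import Path

# Signature every genuine PNG file starts with.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# A long quoted literal made only of base64 alphabet characters.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=]{40,})['"]""")
# Tokens that make a decoded blob look like code rather than data.
JS_INDICATORS = ("require(", "child_process", "eval(", "Function(")


def has_fake_png_header(path: Path) -> bool:
    """True when a file named *.png does not begin with the PNG signature."""
    with path.open("rb") as fh:
        return fh.read(len(PNG_MAGIC)) != PNG_MAGIC


def find_reversed_base64_payloads(js_text: str) -> list[str]:
    """Return decoded payloads that were stored as reversed base64 literals."""
    hits = []
    for literal in B64_LITERAL.findall(js_text):
        try:
            # Undo the reversal, then strict-decode; anything else is skipped.
            decoded = base64.b64decode(literal[::-1], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if any(tok in decoded for tok in JS_INDICATORS):
            hits.append(decoded)
    return hits


def audit_extension(root: Path) -> list[tuple[str, str]]:
    """Walk an unpacked extension and report suspicious bundled files."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix == ".png" and has_fake_png_header(path):
            findings.append((rel, "png extension without PNG signature"))
        elif suffix == ".js":
            text = path.read_text(encoding="utf-8", errors="replace")
            for payload in find_reversed_base64_payloads(text):
                findings.append((rel, f"reversed-base64 payload: {payload[:40]}"))
    return findings


def build_sample_extension() -> Path:
    """Create a constructed extension tree (sample data, not a real package)."""
    root = Path(tempfile.mkdtemp(prefix="vsix-sample-"))
    dep = root / "node_modules" / "constructed-dep"
    dep.mkdir(parents=True)
    # Benign files that must not be flagged.
    (dep / "index.js").write_text("module.exports = function (p) { return p.startsWith('/'); };\n")
    (dep / "package.json").write_text('{"name": "constructed-dep", "version": "1.0.0"}\n')
    # A file with a genuine PNG header (no image data needed for this check).
    (dep / "icon.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    # Constructed "fake PNG": a ZIP container renamed to .png.
    (dep / "logo.png").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    # Constructed dropper stub: script source hidden as a reversed base64 literal.
    marker = "const cp = require('child_process'); // constructed marker"
    blob = base64.b64encode(marker.encode()).decode()[::-1]
    (dep / "postinstall.js").write_text(
        f'const s = "{blob}";\n'
        'eval(Buffer.from(s.split("").reverse().join(""), "base64").toString());\n'
    )
    return root


if __name__ == "__main__":
    for rel, why in audit_extension(build_sample_extension()):
        print(f"{rel}: {why}")
```

Run against a real unpacked .vsix by pointing `audit_extension` at the extraction directory; the header check is the cheaper and more reliable of the two, while the literal scan only catches the specific reversed-base64 pattern the summary describes and should be treated as a lead for manual review rather than a verdict.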
