You must log in or # to comment.
Secure Annex has now found that the third wave uses the packages listed below.
VS Marketplace
iconkieftwo.icon-theme-materiall prisma-inc.prisma-studio-assistance prettier-vsc.vsce-prettier flutcode.flutter-extension csvmech.csvrainbow codevsce.codelddb-vscode saoudrizvsce.claude-devsce clangdcode.clangd-vsce cweijamysq.sync-settings-vscode bphpburnsus.iconesvscode klustfix.kluster-code-verify vims-vsce.vscode-vim yamlcode.yaml-vscode-extension solblanco.svetle-vsce vsceue.volar-vscode redmat.vscode-quarkus-pro msjsdreact.react-native-vsceOpen VSX
bphpburn.icons-vscode tailwind-nuxt.tailwindcss-for-react flutcode.flutter-extension yamlcode.yaml-vscode-extension saoudrizvsce.claude-dev saoudrizvsce.claude-devsce vitalik.solidityOnce the packages are accepted on the marketplaces, the publishers push an update that introduces the malicious code, then inflate their download counts to make them appear legitimate and trustworthy.
Also, artificially increasing download counts can manipulate search results, with the malicious extension appearing higher in the results, often very close to the legitimate projects it impersonates.