LimaCharlie released their Agentic SecOps Workspace recently which basically lets you run Claude Code in their UI which includes MCP servers. It's never been so easy to say something like 'look at my detections and research the extensions seen'. Even though 1Password falls under an unapproved password manager policy, at least it isn't malicious!
If you've had to listen to me over the last couple months, it's likely you would've heard me say that all of our most important apps will have extensions or plugins for integration. Think we're learning from past mistakes?
Pyrefly - Python Language Tooling by Meta is the 4th most used extension in Open VSX. Be careful downloading the 'Pro' version in Cursor hoping you'll get some extra features, it is published by 'casendsabotnu954' who just joined GitHub the other day. Textbook cloning and staging behavior!
Loving a new detection that identifies code extensions published by new and lightly used GitHub accounts. This time it instantly caught an extension impersonating JFrog which already has over 10k downloads.
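An added example, not the author's detection or any vendor's code: one way to express the "new and lightly used GitHub account" check over marketplace listing records, with a brand-name match raising the severity. The thresholds, record fields, trusted publisher ids and sample listings are all assumptions constructed for illustration.

```python
from datetime import date

# All thresholds below are assumptions; tune them against your own data.
MAX_AGE_DAYS = 30    # account counts as "new" at or under this age
MAX_REPOS = 2        # "lightly used": few public repos ...
MAX_FOLLOWERS = 5    # ... and few followers
# Placeholder allowlist: brand keyword -> publisher ids trusted to use it.
TRUSTED = {"jfrog": {"trusted-jfrog-id"}, "pyrefly": {"trusted-pyrefly-id"}}

def score_listing(listing, today):
    """Return (severity, reasons) for one marketplace listing record."""
    acct = listing["github"]
    age = (today - acct["created"]).days
    is_new = age <= MAX_AGE_DAYS
    is_light = (acct["public_repos"] <= MAX_REPOS
                and acct["followers"] <= MAX_FOLLOWERS)
    name = listing["display_name"].lower()
    # Brand keyword in the listing name, but publisher not on the allowlist.
    brands = [b for b, ids in TRUSTED.items()
              if b in name and listing["publisher"] not in ids]
    reasons = []
    if is_new:
        reasons.append(f"publisher account is {age} days old")
    if is_light:
        reasons.append("publisher account has little activity")
    reasons += [f"name uses '{b}' but publisher is not trusted" for b in brands]
    if is_new and is_light:
        return ("high" if brands else "medium"), reasons
    return "none", reasons

def triage(listings, today):
    """Map listing id -> severity for every listing in the batch."""
    return {item["id"]: score_listing(item, today)[0] for item in listings}

def _rec(id_, name, pub, created, repos, followers):
    acct = {"created": created, "public_repos": repos, "followers": followers}
    return {"id": id_, "display_name": name, "publisher": pub, "github": acct}

# Constructed sample records, not real marketplace data.
TODAY = date(2025, 1, 15)
SAMPLE = [
    _rec("a", "JFrog Helper", "constructed-pub-1", date(2025, 1, 10), 0, 0),
    _rec("b", "Pyrefly", "trusted-pyrefly-id", date(2015, 3, 1), 120, 5000),
    _rec("c", "Tiny Theme", "constructed-pub-2", date(2025, 1, 1), 1, 0),
    _rec("d", "Notes for JFrog", "constructed-pub-3", date(2019, 6, 1), 1, 2),
]
if __name__ == "__main__":
    for lid, sev in triage(SAMPLE, TODAY).items():
        print(lid, sev)
```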
Not the "pulling a Rabbit out of a hat" magic trick that most want. This Firefox extension completely changes from a "Simple Label Editor" to a Rabby wallet stealer overnight.

These code comments are an improvement from:

  • Request malware
  • Download malware
  • Make malware executable
  • Run malware
This is the extent of the extension available in the VS Marketplace. Installs a Mythic agent from the C2.

Monitoring a large influx of AI slop extensions that are reposting a marginally refactored but known malicious package. The marketplace listings are packed with emojis and a couple sections of 'features'. This one made the mistake of linking to an already known piece of malware. If any are not immediately malicious, they will soon update with exploit code.

Welcome to Antigravity, the newest most advanced agentic AI development tool by Google...

... uses Open VSX for extensions and shows malicious listings to users.

Changing how an extension looks in a marketplace doesn't require new code to be pushed. Check out the magic when this "Test Extension" magically turns into a "solidity" extension after being published. Review the full lineage of a marketplace listing using the new date picker in Secure Annex.

Vibe coded malicious extensions are getting out of hand!

This 'theme' downloads a malicious zip, unpacks it, and runs it silently with PowerShell.