
Cybersecurity researcher John Tuckner of Secure Annex has identified what he believes to be AI-generated ransomware within the Visual Studio (VS) Marketplace, notable for its inclusion of decryption tools within the malicious extension itself. This discovery, highlighted by Tuckner on social media on November 5, 2025, raises significant concerns regarding the evolving capabilities of cybercriminals and the security integrity of prominent developer platforms. The incident underscores a new frontier in malware development, despite the ransomware's apparent flaws.
"Clearly created through AI, it makes many mistakes like including decryption tools in extension," Tuckner stated in a social media post, expressing his worry. He questioned the potential impact of more sophisticated AI-driven threats if even flawed versions can penetrate the marketplace. This oversight, while potentially beneficial for victims, points to the early stages of AI's application in generating malicious software.
This incident is not isolated, occurring amidst a series of malicious extension discoveries across both the official VS Code Marketplace and its open-source counterpart, Open VSX. Secure Annex has been at the forefront of reporting these threats, including the recent "SleepyDuck" remote access trojan that utilized Ethereum contracts for command and control. Additionally, several cryptomining extensions, some disguised as popular themes like Pokémon, were previously identified and removed from the marketplaces.
The presence of AI-generated malware, even in its imperfect form, signals a concerning trend in which AI can accelerate the creation of evasive and sophisticated threats. Microsoft, which operates the official VS Code Marketplace, responded to the growing threat landscape by announcing in June that it would implement periodic marketplace-wide scans to safeguard users. However, the continued emergence of new and potentially AI-driven threats highlights the ongoing challenge of maintaining robust security in dynamic software ecosystems.
The ease with which malicious actors can upload flawed but dangerous extensions, coupled with the manipulation of download counts to boost visibility, remains a critical concern for platform providers and developers alike. This incident serves as a stark warning, necessitating enhanced vigilance and proactive security measures as AI tools become more accessible to threat actors.