“This multi-account strategy provides redundancy when one account gets flagged, creates the illusion of independent developers, and demonstrates professional-level social engineering: GitHub repositories for credibility, consistent branding across extensions, detailed feature lists, professional marketplace presentations, and strategic naming that mimics legitimate tools (cppformat, pythonformat, httpformat),” the researchers said.
The analysis traced the malicious GitHub accounts back to a Facebook profile under the name “Zubaer Ahmed,” pointing to a likely operational slip that exposed the attacker’s real identity. The profile has since been taken down.
For developers and organizations relying heavily on VSCode or OpenVSX, the extensions could compromise not just a codebase but entire build environments or deployment pipelines, Sood noted. A compromised extension runs with the developer's privileges inside the editor, so it can silently exfiltrate or tamper with source code that later moves into production, effectively turning VSCode into a vector for software supply-chain attacks. In collaborative environments, a single compromised installation could taint shared repositories or inject backdoors into dependencies that other teams then pull in.
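One practical control that follows from this is to treat installed extensions as part of the software supply chain and allowlist them by exact identifier. The attacker's multi-account strategy means a familiar-looking extension name is not evidence of anything; only the full `publisher.name` identifier is meaningful. The script below is an added example, not code from the article or from the researchers it quotes. It audits the output of VS Code's real `code --list-extensions --show-versions` command against an allowlist; the allowlist entries and the sample installed list are constructed for illustration, and the `unknown-publisher.*` identifiers are hypothetical stand-ins, not the identifiers of the extensions in the reported campaign.

```shell
#!/usr/bin/env bash
# Added example: audit installed VS Code extensions against an allowlist of
# exact publisher.name identifiers. On a real workstation the input comes from
#   code --list-extensions --show-versions
# The sample below is constructed; the unknown-publisher.* identifiers are
# hypothetical and not taken from the reported campaign.
set -eu

# Approved extensions, one full publisher.name identifier per line (hypothetical).
ALLOWLIST='ms-python.python
ms-vscode.cpptools
esbenp.prettier-vscode'

# Constructed stand-in for `code --list-extensions --show-versions` output.
# The look-alike names reuse the "<language>format" pattern the article
# describes, under a publisher that is not on the allowlist.
SAMPLE_INSTALLED='ms-python.python@2024.2.1
ms-vscode.cpptools@1.19.9
unknown-publisher.pythonformat@0.0.3
unknown-publisher.cppformat@0.0.3'

# audit_extensions ALLOWLIST  <  installed-list
# Prints every installed extension whose publisher.name is not on the allowlist.
# Matching is on the whole identifier (grep -xF), so a familiar name half under
# a different publisher does not pass.
audit_extensions() {
    allow="$1"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id="${line%%@*}"            # strip the @version suffix
        if ! printf '%s\n' "$allow" | grep -qxF -- "$id"; then
            printf '%s\n' "$line"
        fi
    done
}

# Returns 1 if anything unapproved is installed, so it can gate a CI or
# onboarding check. Uses the constructed sample; swap in the real command
# on a live machine.
check_workstation() {
    unapproved="$(printf '%s\n' "$SAMPLE_INSTALLED" | audit_extensions "$ALLOWLIST")"
    if [ -n "$unapproved" ]; then
        printf 'Unapproved extensions:\n%s\n' "$unapproved" >&2
        return 1
    fi
    return 0
}

# Live usage (not run here):
#   code --list-extensions --show-versions | audit_extensions "$ALLOWLIST"
```

The allowlist is deliberately keyed on the full identifier rather than on a publisher prefix or a display name, because the campaign described above spread look-alike names across several publisher accounts; a name-only or publisher-only check would have to be updated every time a new account appeared. Pinning versions in the allowlist is a further step if the organisation can tolerate the maintenance cost.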