The extension, listed as “suspublisher18.susvsex”, shipped a “package.json” whose activation event fires on any event, so the code ran as soon as the extension was installed, and it contributed command palette entries to “test command and control” functions. Inside the “extension.js” entrypoint, researchers found hardcoded variables including the server URL, encryption keys, C2 destinations and polling intervals. Most of these variables carried comments indicating the code had been generated with AI.
When triggered, the extension compresses and encrypts the files in a designated directory and uploads them to a remote command-and-control server.
Tucker noted that the target directory was configured for testing, but could easily be swapped for a real filesystem path in a future update or by remote command. The extension also shipped two decryptors, one in Python and one in Node, along with a hardcoded decryption key. Bundling the decryptors and the key with the payload points to a test build rather than a finished ransomware operation, but the encrypt-and-exfiltrate logic is functional regardless of the author's stated intent.
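The indicators described above (wildcard activation in package.json, command palette entries advertising command-and-control tests, hardcoded endpoints and key material, and a polling loop in the entrypoint) can be checked statically before an extension is installed. The script below is an added example written for this article, not the researchers' tooling or any code from the extension itself; the manifest and entrypoint it scans are constructed samples, and the command names, addresses and key values in them are placeholders, not data from the real package.

```javascript
// Added example: static triage of a VS Code extension package for the
// indicators discussed in the article. Everything here is constructed for
// illustration; it is not the real suspublisher18.susvsex manifest or code.

// Constructed sample manifest: wildcard activation plus a C2-flavoured command.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'sample-ext',
  publisher: 'sample-publisher',
  version: '0.0.1',
  main: './extension.js',
  activationEvents: ['*'],
  contributes: {
    commands: [
      { command: 'sample.testC2', title: 'Test command and control' },
      { command: 'sample.hello', title: 'Hello' },
    ],
  },
});

// Constructed sample entrypoint with the kinds of hardcoded values described
// in the report (placeholder address and key, not real values).
const SAMPLE_ENTRYPOINT = `
const vscode = require('vscode');
const SERVER_URL = "https://203.0.113.10/upload"; // generated by AI
const ENCRYPTION_KEY = "0123456789abcdef0123456789abcdef"; // 32-byte key
const POLL_INTERVAL_MS = 60000;
function activate(context) {
  setInterval(pollC2, POLL_INTERVAL_MS);
}
module.exports = { activate };
`;

// Flags manifest-level indicators: how early the code runs and what it
// advertises in the command palette.
function analyzeManifest(manifestText) {
  const m = JSON.parse(manifestText);
  const findings = [];
  const events = m.activationEvents || [];
  if (events.includes('*')) {
    findings.push('wildcard activation: extension loads on every event, including install');
  }
  if (events.includes('onStartupFinished')) findings.push('activates at editor startup');
  const commands = (m.contributes || {}).commands || [];
  for (const c of commands) {
    const text = `${c.command} ${c.title || ''}`.toLowerCase();
    if (/command and control|\bc2\b|beacon|exfil/.test(text)) {
      findings.push(`suspicious command: ${c.command}`);
    }
  }
  return findings;
}

// Flags entrypoint-level indicators: hardcoded URLs, constants that look like
// key material, polling loops, and comments marking AI-generated code.
function scanEntrypoint(source) {
  const findings = [];
  for (const u of source.match(/https?:\/\/[^\s"'`]+/g) || []) {
    findings.push(`hardcoded URL: ${u}`);
  }
  // A KEY/SECRET/TOKEN constant holding 32+ hex or 40+ base64 chars.
  const keyRe = /(?:KEY|SECRET|TOKEN)\w*\s*=\s*["']([A-Fa-f0-9]{32,}|[A-Za-z0-9+/=]{40,})["']/g;
  for (const mm of source.matchAll(keyRe)) {
    findings.push(`hardcoded key material: ${mm[1].slice(0, 8)}...`);
  }
  if (/setInterval\s*\(/.test(source)) findings.push('polling loop (setInterval)');
  const aiComments = (source.match(/generated by ai|ai-generated/gi) || []).length;
  if (aiComments > 0) findings.push(`${aiComments} comment(s) marking AI-generated code`);
  return findings;
}

// Combines both scans. The verdict mirrors the report's combination of
// indicators: wildcard activation together with a hardcoded endpoint and key.
function triage(manifestText, source) {
  const findings = [...analyzeManifest(manifestText), ...scanEntrypoint(source)];
  const wildcard = findings.some((f) => f.startsWith('wildcard activation'));
  const url = findings.some((f) => f.startsWith('hardcoded URL'));
  const key = findings.some((f) => f.startsWith('hardcoded key'));
  return { findings, verdict: wildcard && url && key ? 'review immediately' : 'low priority' };
}

const result = triage(SAMPLE_MANIFEST, SAMPLE_ENTRYPOINT);
for (const f of result.findings) console.log('-', f);
console.log('verdict:', result.verdict);
```

To run this against a downloaded .vsix, unzip it and pass the contents of `extension/package.json` and the file named by its `main` field to `triage`. The regexes are deliberately loose; the point is to surface candidates for manual review, not to produce a verdict on their own.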
