Lunedi 06 Luglio 2026 13:15:00 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContatti
ItalianoEnglishArabic

Cyber Intelligence & Threat Trends

Brandjacked: How a Fake Code Formatter Nearly Unleashed a Silent Data Heist on Developers

A malicious lookalike extension on the VSCode Marketplace almost delivered a stealthy password-stealing trojan-until sharp-eyed researchers cut it down in hours.

Fast Facts

  • A counterfeit "Prettier" extension appeared on the VSCode Marketplace, targeting developers.
  • The extension secretly deployed Anivia Stealer malware, designed to swipe sensitive data.
  • Security researchers detected and helped remove the extension within 4 hours of its release.
  • Anivia Stealer is sold as Malware-as-a-Service and uses memory-only attacks to avoid detection.
  • Only a handful of users (6 downloads, 3 installs) were affected before the takedown.

A Wolf in Developer’s Clothing

Imagine a trusted locksmith’s shop suddenly replaced by a near-perfect fake, handing out keys that secretly unlock your home for thieves. That’s precisely the danger that unfolded in late November 2025, when a malicious extension masquerading as the popular "Prettier – Code formatter" slipped onto the Visual Studio Code (VSCode) Marketplace.

The fake, dubbed "prettier-vscode-plus" and published under an official-sounding name, was a classic case of brandjacking-a cybercriminal’s sleight of hand that leverages a familiar name to lure victims. The goal? To quietly infect developer computers with a stealthy data thief called Anivia Stealer.

Inside the Attack: Evasion and Exploitation

Security firm Checkmarx Zero was the first to spot the threat, raising the alarm before the extension could spread widely. Working with Microsoft, they pulled the plug in just four hours. But in that brief window, the extension was downloaded six times and installed by three unsuspecting users.

What made this attack so insidious was its technical cunning. Rather than dropping obvious malicious files onto a victim’s computer, the extension ran its payload directly in memory-a magician’s trick that helps it dodge most antivirus tools. It also checked if it was running inside a security “sandbox” (a kind of virtual test cage) and would hide its true intent if it sensed it was being watched.

The ultimate payload, Anivia Stealer, is a piece of malware-for-hire-available for a monthly fee or a one-time payment on underground forums. It’s designed to pilfer everything from browser passwords to private documents and even WhatsApp conversations. Security researchers suggest Anivia is likely a rebrand of the notorious ZeroTrace stealer, showing how cybercrime syndicates recycle and evolve their tools.

The Wider Threat: Developer Tools as a Backdoor

This incident is not an isolated fluke. Over the last few years, attackers have increasingly targeted software supply chains-especially tools that developers trust. In 2022, a similar brandjacking campaign saw fake Python and JavaScript packages on PyPI and npm, each laced with credential-stealing malware. Once inside a developer’s environment, these tools can become a golden ticket to source code, cloud credentials, or even customer data-making them a lucrative target for both cybercriminals and state-backed hackers.

The VSCode Marketplace, with its millions of users, is a tempting hunting ground. While Microsoft and security partners have ramped up monitoring, this episode is a stark reminder: even the most trusted digital storefronts can be compromised, and vigilance remains the last line of defense.

As the dust settles, the fake Prettier extension stands as a warning shot. In a world where the tools of creation can become the weapons of intrusion, developers must treat every download as a potential Trojan horse. The next time you reach for a helpful extension, remember: even the best disguise can hide a thief.

WIKICROOK

  • Brandjacking: Brandjacking occurs when criminals impersonate reputable brands online to trick users into trusting fake sites or malicious software.
  • Malware: Il malware è un software dannoso progettato per infiltrarsi, danneggiare o rubare dati da dispositivi informatici senza il consenso dell’utente.
  • Memory: Memory is a computer’s temporary storage that holds active data and instructions. It’s a frequent target for cyberattacks seeking sensitive information.
  • Sandbox: A sandbox is a secure, isolated environment where experts safely analyze suspicious files or programs without endangering real systems or data.
  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.