top of page
perceptive_background_267k.jpg

Malicious VSCode Marketplace extensions hid trojan in fake PNG file

Published:

11 December 2025 at 20:54:21

Alert date:

11 December 2025 at 21:05:27

Source:

bleepingcomputer.com

Click to open the original link from this advisory

A stealthy campaign targeting developers through 19 malicious extensions on the VSCode Marketplace has been active since February 2024. The malware was hidden inside dependency folders using fake PNG files to evade detection. This supply chain attack specifically targeted the developer community through the official VSCode extension marketplace, demonstrating sophisticated techniques to bypass security measures and compromise development environments.

Technical details

OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs which could lead to significant disruption or damage to connected systems. The vulnerability is exploitable remotely with high attack complexity. CVSS v3 base score of 8.0 and CVSS v4 base score of 7.0.

Mitigation steps:

Update OpenPLC_V3 to pull request #310 or later from the main GitHub repository. Minimize network exposure for all control system devices ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use secure methods such as Virtual Private Networks (VPNs). Perform proper impact analysis and risk assessment prior to deploying defensive measures. Implement recommended cybersecurity strategies for proactive defense of ICS assets. Report suspected malicious activity to CISA.

Affected products:

OpenPLC_V3: Versions prior to pull request #310

Related links:

https://github.com/cisagov/CSAF
https://cwe.mitre.org/data/definitions/352.html
https://www.cve.org/CVERecord?id=CVE-2025-13970
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H
https://github.com/thiagoralves/OpenPLC_v3
https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.cisa.gov/topics/industrial-control-systems
https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page