
Malicious Prettier Extension on VSCode Marketplace Delivers Anivia Stealer Malware to Exfiltrate Login Credentials
The ubiquity of developer tools, especially sophisticated Integrated Development Environments (IDEs) like Visual Studio Code (VS Code), makes them prime targets for malicious actors. A recent and concerning incident highlights this vulnerability: a fake Prettier extension on the VS Code Marketplace orchestrated a sophisticated attack, delivering the Anivia Stealer malware to unsuspecting developers. This campaign underscores the critical need for vigilance in our development environments and a deeper understanding of software supply chain security.
The Trojan Horse: “prettier-vscode-plus” and Anivia Stealer
On November 21, 2025, security researchers uncovered a malicious extension named “prettier-vscode-plus” available on the Visual Studio Code Marketplace. This extension was meticulously designed to mimic the legitimate and widely used Prettier code formatter, leveraging brand recognition to deceive developers. The goal was clear: trick thousands of developers into installing what appeared to be a valuable productivity tool, only to unleash a credential-stealing payload.
The threat actor behind this campaign demonstrated a shrewd understanding of developer habits and trust in official marketplaces. By masquerading as a popular tool, “prettier-vscode-plus” bypassed initial scrutiny, exploiting the inherent trust developers place in extensions found on the VS Code Marketplace. Once installed, the extension deployed the Anivia Stealer malware, a potent information stealer designed to exfiltrate sensitive data, particularly login credentials.
Understanding the Anivia Stealer Malware
Anivia Stealer is a formidable threat, categorized as an information-stealing malware. Its primary objective is to silently collect and transmit sensitive data from compromised systems. In the context of this attack, the focus was on developer credentials, which could include:
- Version Control System (VCS) Credentials: GitHub, GitLab, Bitbucket login tokens or passwords, providing access to proprietary codebases.
- Cloud Provider Credentials: AWS, Azure, Google Cloud credentials, potentially leading to widespread infrastructure compromise.
- SSH Keys and API Tokens: Granting unauthorized access to servers and services.
- Browser Saved Passwords: A treasure trove of other online service credentials.
- Sensitive Files: Potentially exfiltrating configuration files or other development-related data.
The exfiltration of these credentials poses an immense risk, potentially leading to unauthorized access, data breaches, intellectual property theft, and further supply chain attacks.
Attack Vector and Modus Operandi
The chosen attack vector, a seemingly benign VS Code extension, is particularly effective due to several factors:
- Developer Trust: Developers frequently install extensions to enhance productivity, often with a level of implicit trust in the marketplace’s vetting process.
- Brand Impersonation: The use of “prettier-vscode-plus” capitalized on the ubiquity of Prettier, making it difficult for an average user to distinguish from the legitimate extension at a glance.
- Privileged Environment: VS Code often runs with the user’s regular permissions, and extensions have access to various system resources and files, making them ideal for malware delivery.
Once the fake extension was installed, the Anivia Stealer likely executed its malicious functions in the background, carefully avoiding detection while harvesting credentials. The sophisticated nature of this attack highlights a growing trend of targeting the developer ecosystem as a gateway to broader organizational compromise.
Remediation Actions for Developers and Organizations
Protecting against such sophisticated threats requires a multi-layered approach. Developers and organizations must adopt robust security practices to mitigate the risks associated with malicious extensions.
- Verify Extension Authenticity: Always confirm the publisher, download count, and reviews for any extension before installation. Be wary of newly published extensions mimicking popular ones. Install from the publisher's official link rather than a search result, to avoid typosquatted listings.
- Least Privilege Principle: Configure VS Code and its extensions with the minimum necessary permissions. Review extension permissions carefully during installation.
- Regular Security Audits: Organizations should implement automated tools for scanning development environments for suspicious activity and unauthorized changes.
- Endpoint Detection and Response (EDR): Deploy EDR solutions on developer workstations to detect and respond to malicious activities, including unauthorized network connections and file modifications by extensions.
- Multi-Factor Authentication (MFA): Mandate MFA for all critical accounts (VCS, cloud providers, internal systems) to significantly reduce the impact of stolen credentials.
- Developer Security Training: Educate developers on common social engineering tactics, phishing attempts, and the risks associated with installing unverified software.
- Supply Chain Security Tools: Utilize tools that analyze dependencies and extensions for known vulnerabilities or malicious components.
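One way to automate the "verify extension authenticity" and "regular security audits" steps above is to compare what is installed on developer workstations against an allowlist of canonical extension IDs and flag lookalike names. The script below is an added example, not code from the article or from any vendor; it assumes the input is the output of `code --list-extensions --show-versions`, that `esbenp.prettier-vscode` is the legitimate Prettier extension ID, and uses a constructed sample listing in which the malicious extension's publisher is a placeholder, since the article does not name it.

```python
"""Flag installed VS Code extensions that impersonate well-known tools."""
import difflib

# Allowlist of canonical extension IDs an organisation trusts.
# esbenp.prettier-vscode is the real Prettier extension ID.
TRUSTED = {"esbenp.prettier-vscode"}

# Constructed sample of `code --list-extensions --show-versions` output.
# "unknown-publisher" is a placeholder; the article gives no publisher.
SAMPLE_LISTING = """\
esbenp.prettier-vscode@10.4.0
unknown-publisher.prettier-vscode-plus@1.0.3
ms-python.python@2024.4.1
"""


def parse_listing(text):
    """Return [(publisher, name, version)] from 'publisher.name@version' lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ident, _, version = line.partition("@")
        publisher, _, name = ident.partition(".")
        entries.append((publisher.lower(), name.lower(), version))
    return entries


def find_lookalikes(installed, trusted=TRUSTED, threshold=0.8):
    """Return installed extensions whose name resembles a trusted
    extension's name while their full ID is not on the allowlist."""
    trusted_names = {tid.partition(".")[2].lower(): tid for tid in trusted}
    findings = []
    for publisher, name, version in installed:
        ext_id = f"{publisher}.{name}"
        if ext_id in trusted:
            continue  # exact canonical ID, nothing to flag
        for tname, tid in trusted_names.items():
            ratio = difflib.SequenceMatcher(None, name, tname).ratio()
            # Flag names that embed the trusted name or are near-identical.
            if tname in name or ratio >= threshold:
                findings.append({"id": ext_id, "version": version,
                                 "mimics": tid, "similarity": round(ratio, 2)})
                break
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(parse_listing(SAMPLE_LISTING)):
        print(f"SUSPICIOUS {f['id']}@{f['version']} resembles {f['mimics']} "
              f"(similarity {f['similarity']})")
```

In practice, feed the script the real CLI output from each workstation and extend TRUSTED with the canonical IDs of every extension your organisation sanctions.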
Relevant Tools for Detection and Mitigation
| Tool Name | Purpose | Link |
|---|---|---|
| VS Code Marketplace | Official source for extensions; use to verify legitimate extensions. | https://marketplace.visualstudio.com/vscode |
| YARA Rules | Pattern matching for detecting malware families like Anivia Stealer. | https://yara.readthedocs.io/ |
| OWASP Dependency-Check | Identifies known vulnerabilities in project dependencies. | https://owasp.org/www-project-dependency-check/ |
| TruffleHog | Searches for secrets embedded in Git repositories. | https://github.com/trufflesecurity/trufflehog |
Conclusion: Strengthening Developer Ecosystem Security
The “prettier-vscode-plus” incident serves as a stark reminder of the persistent threats within the software supply chain, specifically targeting the developer’s workstation. Malicious extensions leveraging brand impersonation are an increasingly sophisticated attack vector, capable of delivering potent malware like Anivia Stealer to exfiltrate critical login credentials. Developers and organizations must prioritize security hygiene by diligently verifying extensions, implementing the principle of least privilege, and employing robust endpoint and supply chain security solutions. Proactive vigilance and a layered defense strategy are paramount to safeguarding intellectual property and organizational integrity against these evolving threats.