Fake Prettier Extension on VSCode Marketplace Dropped Anivia Stealer
Cybersecurity firm Checkmarx Zero, in collaboration with Microsoft, removed a malicious ‘prettier-vscode-plus’ extension from the VSCode Marketplace. The fake coding tool was a Brandjacking attempt designed to deploy Anivia Stealer malware and steal Windows user credentials and data.
A swift response from security researchers recently stopped a harmful software attack targeting the popular Visual Studio Code (VSCode) Marketplace. A malicious extension, designed to look like Prettier – Code formatter, a legitimate and well-known coding tool, was quickly found and removed, stopping a potentially widespread security incident before it could cause damage.
**Quick Action Prevents Major Threat**
The security firm Checkmarx Zero identified the fake extension, named prettier-vscode-plus, which was posted under the publisher account publishingsofficial. This is an example of a Brandjacking attack, which occurs when a malicious party tries to use the good name of a trusted brand to trick people into downloading a dangerous alternative.
In this specific case, the extension exploited the famous Prettier brand name and was released on November 21, 2025, at 11:34:12 UTC. However, after Checkmarx Zero collaborated with Microsoft and the VSCode Marketplace security group, the fake tool was taken down.
“We identified and reported this extension quickly, and it was removed within 4 hours after its publication,” a report shared with Hackread.com later stated. Because of this fast action, only a very small number of users were affected; the team found 6 downloads and 3 installs before the removal.
**A Hidden Danger**
Checkmarx Zero’s investigation revealed a multi-step attack designed to hide its true purpose. Instead of being a harmless coding tool, the extension was built to secretly load and run a variant of the Anivia Stealer, a malware designed to steal sensitive information from Windows computers, including passwords, private data, and even WhatsApp chats.
According to ThreatMon, an end-to-end intelligence platform, Anivia is being sold as Malware-as-a-Service for €120 per month or €680 for lifetime access. Researchers believe Anivia Stealer is likely a rebranded version of the earlier stealer known as ZeroTrace.
Checkmarx's researchers also noted that this attack was particularly clever. To avoid detection by common security software, it did not write the main malicious program to the computer's disk and instead ran it from the machine's memory, a highly evasive technique.
Researchers also found that the malicious code was programmed to detect whether it was running inside a security test environment (a sandbox) by checking for things like a very small amount of memory or a low CPU count, helping it hide its true purpose.
Extensions that attack tools used by developers are becoming a common way for cybercriminals to get access to company secrets and source code by stealing credentials. Checkmarx concludes that while this particular threat was stopped in its tracks, developers need to be careful when downloading tools, especially if they are from outside the official marketplace.
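
One way to act on that advice is to audit the extension IDs printed by `code --list-extensions` for the ID named in the report and for lookalikes of extensions you trust. The sketch below is an added example, not code from Checkmarx or the article; the allowlist (with `esbenp.prettier-vscode` as the legitimate Prettier ID), the edit-distance threshold of 2, and the `examplepub` sample ID are assumptions.

```javascript
// Added example: audit VS Code extension IDs for brandjacking lookalikes.
// TRUSTED is an assumed allowlist: extension name -> publisher you expect for it.
const TRUSTED = { 'prettier-vscode': 'esbenp' };
// Extension ID named in the report above, in publisher.name form.
const KNOWN_BAD = new Set(['publishingsofficial.prettier-vscode-plus']);

// Levenshtein edit distance (single-row form), used to catch typosquatted names.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0]; // value diagonally up-left of the current cell
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Returns findings for IDs in the format printed by `code --list-extensions`.
function auditExtensions(ids) {
  const findings = [];
  for (const raw of ids) {
    const id = raw.trim().toLowerCase(); // extension IDs are case-insensitive
    const dot = id.indexOf('.');
    if (dot < 1) continue; // not a publisher.name ID
    const publisher = id.slice(0, dot);
    const name = id.slice(dot + 1);
    if (KNOWN_BAD.has(id)) { findings.push({ id, reason: 'known-malicious' }); continue; }
    for (const [trustedName, trustedPublisher] of Object.entries(TRUSTED)) {
      if (publisher === trustedPublisher) continue; // the expected publisher
      if (name.includes(trustedName) || editDistance(name, trustedName) <= 2) {
        findings.push({ id, reason: `lookalike of ${trustedPublisher}.${trustedName}` });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample input, not real telemetry.
const sample = ['esbenp.prettier-vscode', 'publishingsofficial.prettier-vscode-plus',
  'examplepub.pretier-vscode', 'dbaeumer.vscode-eslint'];
console.log(auditExtensions(sample));
```

A lookalike finding is a prompt to check the publisher by hand, not proof of malice, since legitimate forks can reuse a well-known name.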