Security researchers recently thwarted a significant threat to users of the Visual Studio Code Marketplace. A fake extension masquerading as Prettier – Code formatter was identified by Checkmarx Zero. This malicious software, named prettier-vscode-plus, was uploaded under the publisher account publishingsofficial on November 21, 2025. Thanks to swift collaboration with Microsoft and VSCode's security team, the extension was removed within four hours of its appearance. During that short window, only six downloads and three installations occurred, minimizing potential damage. The threat was more serious than it appeared. The extension was designed to load a variant of Anivia Stealer malware, which targets sensitive information on Windows computers. Anivia Stealer, marketed as Malware-as-a-Service, can be accessed for €120 a month or €680 for lifetime access. Researchers suspect it’s a rebranded version of another malware known as ZeroTrace. The attack employed evasive techniques, running malicious code directly from memory rather than writing it to disk, making it harder for security software to detect. It also included checks to determine if it was operating in a security testing environment, further obscuring its intentions. This incident highlights the growing trend of cybercriminals targeting development tools to gain access to sensitive information. Extensions that look legitimate can be used to steal credentials and access company secrets. Although this particular threat was contained, it serves as a reminder for developers to exercise caution when downloading tools, especially those from unofficial sources.