4 min read | Saved February 14, 2026
This article analyzes a malicious Visual Studio Code extension that implements ransomware-like behavior. It highlights how the extension encrypts files, uploads sensitive data, and communicates with a command and control server via a private GitHub repository. The piece questions how such obvious malware passed the marketplace review.
A new Visual Studio Code extension, identified as **suspublisher18.susvsex**, has raised alarms due to its ransomware-like behavior. The extension's `package.json` manifest shows that it activates on a broad set of events, including installation. Hardcoded variables in its code reveal a server URL, encryption keys, and command-and-control (C2) destinations, and the code's character suggests it was not authored directly by a human but likely generated using AI. When launched, it runs a function that begins encrypting files in a specified directory, skipping this step only if a marker file (`pwn_note.txt`) is already present. The extension's `README.md` provides instructions for restarting the encryption if needed.
After encrypting files, the extension establishes a C2 channel using a private GitHub repository. It periodically checks this repo for new commands, logging each step of the process in a way that makes the malware's actions easy to track. The extension also uploads a .zip file of the encrypted data to the attacker's server. A GitHub Personal Access Token (PAT) facilitates this communication, and the analysis suggests the extension's developer may be closely linked to the GitHub repository owner, based on the system's registered user information.
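A defender-side triage check for the indicators named in the two paragraphs above (broad activation events in `package.json`, hardcoded GitHub tokens and outbound URLs in the bundled source), written here as an added example in Python; it is not code from the article or from Secure Annex, and the manifest, source text, hostnames and token below are constructed placeholders.

```python
import json
import re

# Constructed sample manifest and source, modelled on the behaviour described above
# (activation on every event, hardcoded C2 URL and GitHub token). Not the real extension's code.
FAKE_TOKEN = "ghp_" + "A" * 36  # constructed placeholder in the classic PAT format

SAMPLE_MANIFEST = json.dumps({
    "name": "susvsex",
    "publisher": "suspublisher18",
    "activationEvents": ["*", "onStartupFinished"],
    "main": "./extension.js",
})

SAMPLE_SOURCE = f'''
const SERVER_URL = "http://c2.example.invalid/upload";   // constructed placeholder host
const GITHUB_TOKEN = "{FAKE_TOKEN}";                       // constructed placeholder token
const REPO_API = "https://api.github.com/repos/owner/cmds/contents/";
'''

# Activation events that make an extension run without any user action.
BROAD_ACTIVATION = {"*", "onStartupFinished"}
# GitHub token formats: classic PATs start with ghp_, fine-grained ones with github_pat_.
TOKEN_RE = re.compile(r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def triage_extension(manifest_json: str, source: str) -> dict:
    """Return heuristic findings for one extension: broad activation, hardcoded
    GitHub tokens, and outbound URLs. A hit on activation plus a token or URL is
    a review candidate, not proof of malice (many legitimate extensions use URLs)."""
    manifest = json.loads(manifest_json)
    events = set(manifest.get("activationEvents", []))
    findings = {
        "id": f"{manifest.get('publisher')}.{manifest.get('name')}",
        "broad_activation": sorted(events & BROAD_ACTIVATION),
        "hardcoded_tokens": TOKEN_RE.findall(source),
        "urls": sorted(set(URL_RE.findall(source))),
    }
    findings["suspicious"] = bool(findings["broad_activation"]) and (
        bool(findings["hardcoded_tokens"]) or bool(findings["urls"])
    )
    return findings


if __name__ == "__main__":
    print(json.dumps(triage_extension(SAMPLE_MANIFEST, SAMPLE_SOURCE), indent=2))
```

In practice the same function would be run over each directory under the user's VS Code extensions folder, with the `main` entry from the manifest read from disk instead of the embedded sample.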
Despite the obvious flaws in its design, the presence of such malware raises serious questions about the review process for extensions in the Visual Studio Marketplace. The article emphasizes that organizations need to be proactive in their security measures, as this particular extension demonstrates how easily malicious code can slip through. Secure Annex has responded by releasing the **Secure Annex Extension Manager**, which helps organizations monitor and protect against known malicious extensions. Their immediate detection of this threat shows the importance of vigilance in the face of evolving cyber risks.