Weaponizing Extension Packs with PackRAT
March 13, 2026

Yeeth threat intelligence identified a sophisticated large-scale campaign distributing PackRAT, a downloader that leverages the extensionPack field in package.json as the distribution channel for the final payload. PackRAT demonstrates how threat actors are moving away from embedding malicious code directly into an extension by creating a layer of indirection that bypasses traditional static malware detection tools.

The Initial Downloader

The “distribution” extensions appear completely benign and can be functional. They perform no obviously malicious behavior such as decrypting and executing a payload in memory; instead, they abuse the VS Code extension pack functionality. When a user installs one of these utility extensions, the IDE “helpfully” drives the installation of a separate, bundled extension pack. This creates a chain of trust in which the user’s initial consent for a simple icon pack or JSON tool is inherited by the follow-on malicious components.

This indirection also gives the campaign resilience. If a malicious extension at the end of the funnel gets flagged and removed from the marketplace, the distribution extensions remain untouched. The attacker can simply push an update that points the extensionPack field at a new malicious extension, one that has already passed marketplace filtering. The delivery infrastructure stays intact while the payload rotates freely.

The Malicious Cluster

Through our investigation, we have identified three primary malicious extensions at the end of the PackRAT funnel:

federicanc/dotenv-syntax-highlighting
blockstoks/easily-gitignore-manage
pessa07tm/my-js-ts-auto-commands

The scale of PackRAT is driven by 19 distinct distribution channels. These extensions act as the initial, legitimate-looking extension that funnels victims toward the malicious installs.
Below are some of the high-traffic distribution extensions identified:

In total, the extensions tied to this cluster account for 95,073 downloads, making it one of the most successful Open VSX abuse campaigns we’ve tracked this year.

Implications & Remediation

Developers should start looking at the relationships defined in package.json. The absence of an immediate payload does not mean the absence of a threat. We recommend reviewing any Open VSX extensions that declare external extensionPack dependencies, particularly when the publisher history is short or inconsistent.

Furthermore, many PackRAT extensions use generic or “pro”-sounding names to mimic popular tools. Cross-reference publishers with known GitHub or official entities, and perform immediate remediation on any extension that is listed as an IOC in this report.

The dev-guard extension, built and maintained by the Yeeth Security team, adds another layer of protection for VS Code and Cursor AI users. By continuously monitoring new campaigns and pushing live updates, dev-guard helps shut down these threats before they spread across the developer community.

Indicators of Compromise (IOCs)

Downloaded Payload

federicanc.dotenv-syntax-highlighting
blockstoks.easily-gitignore-manage
pessa07tm.my-js-ts-auto-commands

Open VSX Extensions

oigotm.my-command-palette-extension
mswincx.antigravity-cockpit-extension
bhbpbarn.vsce-python-indent-extension
awesomeco.wonder-for-vscode-icons
codevunmis.csv-sql-tsv-rainbow
namopins.prettier-pro-vscode-extension
sxatvo.jinja-extension
potstok.dotnet-runtime-extension
intellipro.extension-json-intelligence
gvotcha.claude-code-extension
ssgwysc.volar-vscode
awesomeco.wonder-for-vscode-icons
tamokill12.foundry-pdf-extension
yamaprolas.revature-labs-extension
otoboss.autoimport-extension
turbobase.sql-turbo-tool
codbroks.compile-runnner-extension
projmanager.your-project-manager-extension
tokcodes.import-cost-extension