Dropping Malware through Dependencies in VS Code: Inside the jsononifier npm Dropper The Windows Installer Dropper Family: VS Code Extensions Living off the Land The Fake MSDN DLL Dropper and the Counterfeit C++ Runtime DigitalBarberTrim's Side-Car Loader: A VSIX Installer That Pivots Across VS Code Forks The Solidity Extension That Stole from the Clipboard: Inside the ethdevtools Crypto Swap The Scanner Is the Target: How IDE Extension Malware Uses Prompt Injection to Evade AI Review The Builder Kit Behind ShopifySTORES and State Diagram: A VSIX Dropper Campaign GLASSWORM.WASM: Deconstructing the TinyGo WebAssembly Loader Hitting Open VSX Inside the DPRK-Linked Backdoor Loitering in the VS Code Marketplace A Deeper Look at GLASSWORM's Solana Variant Recognized in the Open VSX Security Hall of Fame The CISO's Guide to IDE Security in 2026 The Malware Factory: GLASSWORM Forensics in Open VSX Weaponizing Empty Github Repositories with Releases The Ghost in the Marketplace Weaponizing Extension Packs with PackRAT Yeeth - 2025 Year in Review Secret Scanning with Aho-Corasick A Deeper Look at RustImplant SleepyDuck Evolution WhiteCobra Beginnings Dropping Malware through Dependencies in VS Code: Inside the jsononifier npm Dropper The Windows Installer Dropper Family: VS Code Extensions Living off the Land The Fake MSDN DLL Dropper and the Counterfeit C++ Runtime DigitalBarberTrim's Side-Car Loader: A VSIX Installer That Pivots Across VS Code Forks The Solidity Extension That Stole from the Clipboard: Inside the ethdevtools Crypto Swap The Scanner Is the Target: How IDE Extension Malware Uses Prompt Injection to Evade AI Review The Builder Kit Behind ShopifySTORES and State Diagram: A VSIX Dropper Campaign GLASSWORM.WASM: Deconstructing the TinyGo WebAssembly Loader Hitting Open VSX Inside the DPRK-Linked Backdoor Loitering in the VS Code Marketplace A Deeper Look at GLASSWORM's Solana Variant Recognized in the Open VSX Security Hall of Fame The CISO's Guide to IDE Security in 2026 The Malware Factory: GLASSWORM Forensics in Open VSX Weaponizing Empty Github Repositories with Releases The Ghost in the Marketplace Weaponizing Extension Packs with PackRAT Yeeth - 2025 Year in Review Secret Scanning with Aho-Corasick A Deeper Look at RustImplant SleepyDuck Evolution WhiteCobra Beginnings
Latest Briefing

All Briefings

The Windows Installer Dropper Family: VS Code Extensions Living off the Land Threat Intel
Jul 2, 2026

The Windows Installer Dropper Family: VS Code Extensions Living off the Land

In late June Argus caught a cluster of VS Code: droppers that all abused Windows installer primitives — curl|bash, irm|iex, cscript, msht...

Read Briefing
The Fake MSDN DLL Dropper and the Counterfeit C++ Runtime Malware Analysis
Jul 2, 2026

The Fake MSDN DLL Dropper and the Counterfeit C++ Runtime

The worldline.aicodefix campaign downloads a counterfeit VCRUNTIME140.dll from a fake Microsoft domain, plants it inside a spoofed Edge u...

Read Briefing
DigitalBarberTrim's Side-Car Loader: A VSIX Installer That Pivots Across VS Code Forks Malware Analysis
Jul 2, 2026

DigitalBarberTrim's Side-Car Loader: A VSIX Installer That Pivots Across VS Code Forks

The DigitalBarberTrim.html-entity-codec campaign version-cycled through clean, malicious, and stub releases. The payload was a hidden i.j...

Read Briefing
The Solidity Extension That Stole from the Clipboard: Inside the ethdevtools Crypto Swap Threat Intel
Jun 21, 2026

The Solidity Extension That Stole from the Clipboard: Inside the ethdevtools Crypto Swap

A fake Solidity language extension hid in VS Code: for weeks before activating. Once it did, it scraped the clipboard for crypto seeds an...

Read Briefing
The Scanner Is the Target: How IDE Extension Malware Uses Prompt Injection to Evade AI Review Threat Research
Jun 18, 2026

The Scanner Is the Target: How IDE Extension Malware Uses Prompt Injection to Evade AI Review

Malicious VS Code and Open VSX extensions are now embedding fake system instructions and context floods aimed directly at the AI-powered ...

Read Briefing
The Builder Kit Behind ShopifySTORES and State Diagram: A VSIX Dropper Campaign Malware Analysis
Jun 18, 2026

The Builder Kit Behind ShopifySTORES and State Diagram: A VSIX Dropper Campaign

A retro-hunt across Argus scan history tied the ShopifySTORES Replit MSI dropper and the State Diagram STDX dropper to the same builder k...

Read Briefing
GLASSWORM.WASM: Deconstructing the TinyGo WebAssembly Loader Hitting Open VSX Malware Analysis
Jun 16, 2026

GLASSWORM.WASM: Deconstructing the TinyGo WebAssembly Loader Hitting Open VSX

Argus caught a variation of the GLASSWORM campaign and flagged seven malicious extension names. We uncover what the TinyGo-compiled WebAs...

Read Briefing
Inside the DPRK-Linked Backdoor Loitering in the VS Code Marketplace Threat Intel
Jun 9, 2026

Inside the DPRK-Linked Backdoor Loitering in the VS Code Marketplace

A notebook productivity tool turns into a full remote access implant whose architecture overlaps with two documented DPRK campaigns — Con...

Read Briefing
A Deeper Look at GLASSWORM's Solana Variant Malware Analysis
May 25, 2026

A Deeper Look at GLASSWORM's Solana Variant

A new wave on Open VSX, a two-tier Solana dead-drop, and a Go-based backdoor.

Read Briefing
Recognized in the Open VSX Security Hall of Fame Security Research
May 21, 2026

Recognized in the Open VSX Security Hall of Fame

Yeeth Security has been added to the Open VSX Security Hall of Fame as a security guardian. A look at the work that led here, and what it...

Read Briefing
The CISO's Guide to IDE Security in 2026 Security Research
May 21, 2026

The CISO's Guide to IDE Security in 2026

What developer-environment threats look like in 2026, and the controls security leaders should put in place. Written by Yeeth Security fr...

Read Briefing
The Malware Factory: GLASSWORM Forensics in Open VSX Threat Intel
Apr 28, 2026

The Malware Factory: GLASSWORM Forensics in Open VSX

Sixteen extensions in 48 hours. All share one author. A forensic walkthrough of how Bane, Yeeth Security's threat-intelligence knowledge ...

Read Briefing
Weaponizing Empty Github Repositories with Releases Threat Intel
Apr 6, 2026

Weaponizing Empty Github Repositories with Releases

A campaign of VS Code extensions using GitHub releases as a payload delivery mechanism — and blockchain RPCs as command-and-control

Read Briefing
The Ghost in the Marketplace Threat Intel
Mar 20, 2026

The Ghost in the Marketplace

Analyzing a Massive 174-Account Surge on Open VSX

Read Briefing
Weaponizing Extension Packs with PackRAT Threat Intel
Mar 13, 2026

Weaponizing Extension Packs with PackRAT

Dissecting a Downloader Abusing Extension Packs for Stealthy Distribution

Read Briefing
Yeeth - 2025 Year in Review Year in Review
Dec 31, 2025

Yeeth - 2025 Year in Review

A look back at what we did and where we are going.

Read Briefing
Secret Scanning with Aho-Corasick Security Research
Dec 28, 2025

Secret Scanning with Aho-Corasick

Why scalable secret detection is a systems problem that matters

Read Briefing
A Deeper Look at RustImplant Malware Analysis
Dec 5, 2025

A Deeper Look at RustImplant

Dissecting an Obfuscated Downloader with Anti-analysis Guardrails

Read Briefing
SleepyDuck Evolution Malware Analysis
Nov 10, 2025

SleepyDuck Evolution

Technical analysis a new iteration of SleepyDuck, a tiny loader that behaves like a backdoor.

Read Briefing
WhiteCobra Beginnings Malware Analysis
Sep 3, 2025

WhiteCobra Beginnings

Technical analysis of one of the early WhiteCobra samples in the wild.

Read Briefing