Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

Dec. 4, 2025, 11:09 a.m.

Description

A malicious Visual Studio Code extension named 'prettier-vscode-plus' was discovered on the official VSCode Marketplace, impersonating the legitimate Prettier formatter. This extension served as the entry point for a multi-stage malware chain, starting with the Anivia loader, which decrypted and executed further payloads in memory. The final stage, OctoRAT, is a comprehensive remote access toolkit providing over 70 commands for surveillance, file theft, remote desktop control, persistence, privilege escalation, and harassment. The attack chain employs sophisticated techniques like AES encryption, process hollowing, and UAC bypass. The threat actor's GitHub repository showed active payload rotation to evade detection. This supply-chain attack highlights the evolving threats targeting developers and the abuse of trusted tools in their ecosystem.

Date

  • Created: Dec. 4, 2025, 10:32 a.m.
  • Published: Dec. 4, 2025, 10:32 a.m.
  • Modified: Dec. 4, 2025, 11:09 a.m.

Indicators
