VS Code Extensions Smuggle Lazarus Backdoor in SharePoint
Key insights
- Three VS Code extensions share identical AES-256-CBC encryption keys and one SharePoint site GUID, revealing coordinated infrastructure hidden across separate publisher accounts.
- Windows agent binaries scored 3/71 on VirusTotal and carry a forged 2040 compilation timestamp specifically to defeat signature-based endpoint detection.
- The Graph API token-broker-to-SharePoint C2 chain parallels DreamLoader techniques and mirrors Contagious Interview and BeaverTail cross-platform tradecraft.
Why this matters
Routing command-and-control through Microsoft Graph API and SharePoint means standard network-layer defenses and DLP tools will not flag the traffic as malicious, since it is structurally identical to legitimate enterprise Microsoft 365 activity. The 3/71 VirusTotal detection rate at disclosure confirms endpoint tooling has not caught up to cloud-trusted-infrastructure-as-C2, a technique the report links to Lazarus Group campaigns including Contagious Interview, BeaverTail, and DreamLoader. Any developer who installed one of these three extensions potentially exposed credentials and source code through a C2 channel whose SharePoint site GUID is now publicly disclosed, meaning defenders can pivot on that indicator immediately.
Summary
Three VS Code extensions were caught routing backdoor commands through Microsoft's own SharePoint infrastructure, with C2 traffic structured to blend into routine enterprise Microsoft 365 activity.
Yeeth Security's Argus scanner flagged the implants on June 8, 2026: ByteBinTools.jupyter-powerdev, ToolCraft.jupyter-powertools, and OLDev.markdown-mode-devtools share identical AES-256-CBC encryption keys and a single SharePoint site GUID used for victim registration, command queuing, and data exfiltration.
Essentially: a developer supply-chain attack exploiting trusted Microsoft cloud infrastructure as a C2 channel (reported by Yeeth Security; tentatively linked to Lazarus Group).
- Windows binaries (monitor-agent.exe, job-agent.exe, processor-service.exe) scored 3/71 on VirusTotal, compiled with Costura.Fody and a forged 2040 compilation timestamp to defeat signature detection.
- The cross-platform JavaScript and Python architecture mirrors documented Contagious Interview and BeaverTail patterns; Graph API abstractions match DreamLoader techniques.
- Definitive DPRK attribution remains unconfirmed; the report states these techniques are not exclusive to North Korean actors and require further non-public indicators.
Potential risks and opportunities
Risks
- Developers who installed ByteBinTools.jupyter-powerdev, ToolCraft.jupyter-powertools, or OLDev.markdown-mode-devtools face active data exfiltration through SharePoint C2 infrastructure that may still be operational as of June 9, 2026.
- The 3/71 VirusTotal detection rate means enterprise EDR vendors face customer pressure to update signatures, while similar Graph API C2 campaigns may already be active across other VS Code Marketplace extensions undetected.
- If the Lazarus Group attribution holds, the financial infrastructure naming consistent with TraderTraitor and Slow Pisces targeting patterns suggests the implants are aimed at a specific sector, amplifying downstream theft risk for those developers.
Opportunities
- VS Code extension security scanners (Socket, Phylum) gain immediate enterprise credibility and budget to audit the broader VS Code Marketplace for shared SharePoint site GUIDs and identical AES key fingerprints.
- Microsoft's Defender for Cloud Apps and Sentinel teams can build behavioral detection rules targeting Graph API polling at 10- and 30-second intervals, a specific signature disclosed in the Yeeth Security report.
- Security vendors with established DPRK threat-intelligence depth (Mandiant, CrowdStrike, SentinelOne) can use the disclosed SharePoint site GUID and AES-256-CBC key as pivot indicators across customer telemetry to identify additional victims or related infrastructure.
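A detection sketch for the polling cadence and site GUID mentioned above, added here as an example and not code from the report or from Yeeth Security: it reads constructed proxy log lines in an assumed "timestamp ip method url" format and flags hosts that request the disclosed SharePoint site through graph.microsoft.com at a near-constant 10-second or 30-second interval.

```python
"""Flag hosts that poll a known SharePoint site via Microsoft Graph at a fixed cadence."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Site GUID disclosed in the Yeeth Security report; the log lines below are constructed.
SITE_GUID = "e6bf72be-e8e2-4785-8814-5f874341d11f"
SUSPECT_INTERVALS = (10.0, 30.0)   # polling periods named in the report, in seconds

SAMPLE_LOG = """\
2026-06-09T10:00:00Z 10.1.2.3 GET https://graph.microsoft.com/v1.0/sites/e6bf72be-e8e2-4785-8814-5f874341d11f/lists
2026-06-09T10:00:10Z 10.1.2.3 GET https://graph.microsoft.com/v1.0/sites/e6bf72be-e8e2-4785-8814-5f874341d11f/lists
2026-06-09T10:00:20Z 10.1.2.3 GET https://graph.microsoft.com/v1.0/sites/e6bf72be-e8e2-4785-8814-5f874341d11f/lists
2026-06-09T10:00:30Z 10.1.2.3 GET https://graph.microsoft.com/v1.0/sites/e6bf72be-e8e2-4785-8814-5f874341d11f/lists
2026-06-09T10:00:05Z 10.1.2.4 GET https://graph.microsoft.com/v1.0/me/messages
2026-06-09T10:07:41Z 10.1.2.4 GET https://graph.microsoft.com/v1.0/me/messages
2026-06-09T10:00:01Z 10.1.2.5 GET https://graph.microsoft.com/v1.0/sites/e6bf72be-e8e2-4785-8814-5f874341d11f/drive/root/children
2026-06-09T10:00:31Z 10.1.2.5 GET https://graph.microsoft.com/v1.0/sites/e6bf72be-e8e2-4785-8814-5f874341d11f/drive/root/children
2026-06-09T10:01:02Z 10.1.2.5 GET https://graph.microsoft.com/v1.0/sites/e6bf72be-e8e2-4785-8814-5f874341d11f/drive/root/children
2026-06-09T10:01:31Z 10.1.2.5 GET https://graph.microsoft.com/v1.0/sites/e6bf72be-e8e2-4785-8814-5f874341d11f/drive/root/children
"""

def parse(log_text):
    """Yield (timestamp, source_ip, url) for each 'ts ip method url' line (assumed format)."""
    for line in log_text.splitlines():
        ts, ip, _method, url = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, url

def find_beacons(log_text, site_guid=SITE_GUID, tolerance=2.0, min_hits=4):
    """Return {ip: period_seconds} for hosts hitting the site GUID at a near-constant interval."""
    hits = defaultdict(list)
    for ts, ip, url in parse(log_text):
        if "graph.microsoft.com" in url and site_guid in url:
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        # Low jitter plus a period matching the report's 10s/30s cadence marks a beacon.
        if pstdev(gaps) <= tolerance and any(abs(period - p) <= tolerance for p in SUSPECT_INTERVALS):
            flagged[ip] = period
    return flagged

if __name__ == "__main__":
    for ip, period in find_beacons(SAMPLE_LOG).items():
        print(f"{ip}: polls site {SITE_GUID} every ~{period:.0f}s")
```

Legitimate Microsoft 365 clients rarely hit one site at a metronomic cadence, so the jitter threshold does most of the work; tune `tolerance` and `min_hits` against your own baseline before alerting.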
What we don't know yet
- How many developers installed these three extensions before removal, and whether Microsoft has disclosed download counts or issued direct notifications to affected users.
- Whether definitive DPRK attribution can be established, since the report explicitly states these techniques are not exclusive to North Korean actors and require further non-public indicators.
- Whether Microsoft has revoked the SharePoint site (GUID e6bf72be-e8e2-4785-8814-5f874341d11f) and invalidated the Graph API tokens used for active C2 operations.
Originally reported by yeethsecurity.com
Original headline: DPRK-Linked Multi-Stage Backdoor Found Loitering in VS Code Marketplace — Three Extensions Use Microsoft Graph API and SharePoint for C2, 3/71 VirusTotal Detection