Last updated: June 30, 2026

The most dangerous supply chain attacks are not always the loud ones.

Over the last few days, Pluto Security has been tracking an active malicious extension campaign on Open VSX. We are calling it Count Dooku because the campaign’s core trick is borrowed legitimacy: familiar extension names, copied upstream metadata, credible repositories, and small malicious changes that are easy to miss during a fast review.

The campaign is still under investigation, and we will continue updating this blog as we confirm additional packages, infrastructure, and impact.

What We Know So Far

Our current list contains 58 campaign-linked Open VSX versions published between June 26 and June 30, 2026 UTC. Of those, 43 versions contain direct indicators tied to the observed beststats.world payload, while 15 currently available versions match the same campaign pattern but did not contain the observed payload at review time.

The campaign spans ordinary developer utilities and AI/LLM-adjacent tooling. Campaign-linked names include extensions related to DeepSeek, Gemini, Cursor AI, Doubao, Claude, OpenRouter, Ollama, Kimi, CodeBuddy AI, Cline, Text2Code, MarkItDown, and Google Colab, alongside non-AI developer extensions such as document viewers, Markdown tooling, SQL tooling, file icons, Playwright test tooling, theme packages, and preview utilities.

How the Campaign Works

The campaign appears to rely on republishing or copycatting legitimate VS Code-compatible extensions into Open VSX. In many cases, the packages claim an upstream repository belonging to a legitimate project, while the Open VSX publication is associated with an unrelated account or an unverified namespace.

In the best-understood samples, the malicious change is small and direct: an extra JavaScript block is appended to the packaged extension code. The legitimate extension logic remains mostly intact, which helps the package appear normal during casual use and makes quick source comparisons less reliable.

The injected code creates a persistent local identifier and sends a beacon to attacker-controlled infrastructure.

Observed network indicator:

https://beststats[.]world/ping

Observed local artifact:

~/.vsx-id

The observed payload sends a small set of host and package metadata, including a generated ID, platform, publisher/name/version metadata, and then suppresses errors. At this stage, the payload we reviewed is best described as tracking and reconnaissance, not a full infostealer.

In the Playwright Test Runner sample, the Open VSX package also changed package.json activation from ["*"] to ["onStartupFinished"]. In practical terms, the appended beacon still runs automatically, but waits until VS Code has finished startup.

VS Code-compatible extensions execute inside developer environments, often with access to workspaces, terminals, configuration, and developer credentials. A campaign that can repeatedly publish working copycat extensions can later ship more invasive payloads through the same path.

The Metadata Told Its Own Story

The infrastructure timeline was one of the first clues. RDAP registration data shows beststats.world was registered on June 26, 2026 at 15:18:53 UTC, shortly before the first affected Open VSX publications in our current list. That does not prove attribution by itself, but it fits the pattern of purpose-built campaign infrastructure appearing just in time for the publishing wave.

Open VSX also surfaced a useful warning on several pages: the version was published by an account that was not a verified publisher for the extension namespace. For example, the Playwright Test Runner package appeared under the sakamoto66 namespace but was published by bennett-charles2788. Pokemon Pets appeared under the AnasFiguigui namespace but was published by bevans42953.

Open VSX warning showing Playwright Test Runner was published by an unverified account for the sakamoto66 namespace
Open VSX warning on the Playwright Test Runner package: the publishing account was not verified for the sakamoto66 namespace.
GitHub profile for bennett-charles2788 showing no public repositories and a recent join date
The bennett-charles2788 GitHub account had no public repositories and had joined GitHub only days before our review.
All publisher GitHub accounts show the same pattern like this bevans42953 profile with a stock photo, showing no public repositories and a recent join date
All publisher GitHub accounts show the same pattern like this bevans42953 profile with a stock photo, showing no public repositories and a very recent account age.

After our initial reporting and the first removals, we also observed the campaign continue in a more staged form. A later confirmed-available sweep identified 16 Open VSX versions still available with the same campaign shape: restricted namespace warnings, unrelated publishing accounts, startup-capable activation, and package or metadata drift from the claimed upstream projects. In that set, 15 versions did not contain the observed beststats.world payload at the time of review. We are treating those as campaign-linked staged artifacts rather than direct beaconing samples.

Currently Available Campaign-Linked Versions
Package Publishing account Classification Published at (UTC)
renxzen.google-colab-theme@0.0.3 rachel-82379 no payload observed 2026-06-30T11:29:19.680264Z
nhatvu148.jupiter@1.2.7 michael74321 no payload observed 2026-06-30T11:29:04.300110Z
CoolSpy3.hmmm-language-support@2.0.4 gregorycampbell5507 no payload observed 2026-06-30T09:44:54.860553Z
garmin.monkey-c@1.1.3 josephnelson6788785 no payload observed 2026-06-30T09:25:34.948492Z
litchi.matplotlib-pilot@0.1.0 tylerwells4311 no payload observed 2026-06-30T08:53:00.299613Z
mgwg.light-pink-theme@0.6.0 jenniferc1742 no payload observed 2026-06-30T05:40:18.724158Z
hiteshchoudharycode.chai-theme@0.2.0 kyle-long1554 no payload observed 2026-06-30T04:59:17.829735Z
JimmyZJX.ripgrep@0.4.2 butlern7879 no payload observed 2026-06-30T04:09:48.979223Z
Gongyueqing.webull-teamup-tool@0.0.21 1727728017-glitch no payload observed 2026-06-30T04:05:48.709479Z
wannanbigpig.codex-accounts-manager@0.1.11 gray-david3732 no payload observed 2026-06-30T03:36:21.778821Z
QxLabAI.text2code@0.0.7 jholmes5759 no payload observed 2026-06-30T02:49:17.450950Z
AnasFiguigui.pokemon-pets@1.3.1 bevans42953 no payload observed 2026-06-30T02:45:14.120016Z
shengsuan-cloud.cline-shengsuan@3.89.3 ashleyc5022 no payload observed 2026-06-30T02:43:29.351906Z
colourafredi.vscode-deepseek@1.6.2 laura-taylor8975 no payload observed 2026-06-29T18:41:26.144338Z
phplasma.csv-to-table@1.4.1 matthew-walker-9276 no payload observed 2026-06-29T18:09:48.002156Z
AnasFiguigui.pokemon-pets@1.3.0 bevans42953 payload confirmed 2026-06-29T11:24:57.850028Z

The CSV to Table case shows why these staged artifacts still matter. The Visual Studio Marketplace page points to a long-standing extension published by Andrew Armstrong, while the Open VSX version appeared under the phplasma namespace but was published by matthew-walker-9276, triggering the Open VSX namespace warning.

Open VSX CSV to Table page showing an unverified namespace warning for publisher matthew-walker-9276
Open VSX warning on phplasma.csv-to-table@1.4.1: familiar namespace and metadata, unrelated publisher account.
Visual Studio Marketplace CSV to Table page showing the original extension published by Andrew Armstrong
The Visual Studio Marketplace listing for CSV to Table shows the original publisher and long-standing marketplace presence.

Pokemon Pets is another useful example of the campaign evolving in public. Version 1.3.0 contained the observed payload, while Open VSX later showed version 1.3.1 from the same unrelated publisher account. That newer Open VSX version did not match the upstream release line we reviewed and did not contain the same added payload.

Open VSX warning showing Pokemon Pets was published by an unverified account for the AnasFiguigui namespace
Open VSX warning on Pokemon Pets: version 1.3.0 was published by bevans42953, an account that was not verified for the AnasFiguigui namespace.

One caution on impact numbers: we are treating Open VSX download counts for this campaign as inflated exposure signals, not confirmed malicious install counts. Several affected pages showed large counts despite brand-new unrelated publisher accounts and no review history, so those numbers should not be read as a direct count of infected machines.

Why This Is Easy To Miss

This campaign is effective because it does not need to invent trust. It borrows it.

The attacker-controlled packages can look convincing because they reuse:

  • Existing extension names and branding patterns.
  • Legitimate upstream repository URLs.
  • Familiar package metadata.
  • Mostly unchanged extension behavior.
  • Small injected code blocks rather than obvious standalone malware.

In one sample we analyzed, the malicious code was appended after the normal bundled output and was not represented in the source map. That is exactly the kind of change a developer can miss if they only skim the README, the manifest, or a small section of bundled JavaScript.

There were still red flags. Open VSX metadata exposed signals such as unverified namespaces, unrelated publishing accounts, and publication timestamps that did not line up with upstream release history. Those signals become much more powerful when paired with package-content comparison.

Why AI Tooling Shows Up Here

This campaign is not exclusively an AI-extension campaign. The affected list includes many general-purpose developer tools.

But AI and LLM tooling is clearly part of the target set. The campaign includes extension names related to DeepSeek, Gemini, Cursor AI, Doubao, Claude, OpenRouter, Ollama, Kimi, CodeBuddy AI, and MarkItDown. These names matter because developers are rapidly adopting AI coding tools, model routers, local LLM runtimes, and IDE assistants, often from extension marketplaces and often with limited provenance review.

That adoption creates a broad target surface: productivity tooling that runs close to source code, terminals, credentials, and build workflows.

Impact

Based on the samples analyzed so far, the observed payload:

  • Runs from the packaged extension code.
  • Writes or reuses a persistent ID at ~/.vsx-id.
  • Sends a beacon to beststats[.]world/ping.
  • Includes package and platform metadata in the request.

We have not confirmed, from the current payload, direct theft of source code, browser data, cloud credentials, SSH keys, or tokens. However, affected machines should still be treated seriously because extension execution occurs in a sensitive developer context and the campaign has demonstrated the ability to distribute modified packages through Open VSX.

Recommendations

If you installed any affected extension from Open VSX during the campaign window, treat the machine as potentially exposed until reviewed.

Immediate steps:

  1. Check installed VS Code-compatible extensions for the affected package names listed below.
  2. Remove any affected extension version.
  3. Delete ~/.vsx-id if present.
  4. Search DNS, proxy, EDR, and firewall logs for requests to beststats.world or beststats[.]world/ping.
  5. Reinstall only from a trusted source after verifying publisher identity, release timestamp, and package contents.
  6. For developer workstations or CI systems with sensitive credentials, review whether tokens, keys, or secrets were accessible in the extension host context.

For teams operating internal developer environments:

  • Block outbound access to beststats.world.
  • Mirror and allowlist approved extensions rather than allowing direct marketplace installation.
  • Alert on newly installed extensions from unverified or unrelated publishers.
  • Compare packaged extension artifacts against trusted upstream releases when possible.
  • Record extension provenance in endpoint inventory and SBOM-style developer tooling inventories.

Indicators Of Compromise

Network

beststats[.]world
https://beststats[.]world/ping

Filesystem

~/.vsx-id

Code Strings

beststats.world/ping
path.join(os.homedir(), ".vsx-id")
appended JavaScript IIFE

Affected Extensions And Publishing Accounts

Count Dooku Open VSX IoCs
Package Publishing account Status Published at (UTC) Evidence file SHA-256
renxzen.google-colab-theme@0.0.3 rachel-82379 available 2026-06-30T11:29:19.680264Z Open VSX metadata n/a
nhatvu148.jupiter@1.2.7 michael74321 available 2026-06-30T11:29:04.300110Z Open VSX metadata n/a
CoolSpy3.hmmm-language-support@2.0.4 gregorycampbell5507 available 2026-06-30T09:44:54.860553Z Open VSX metadata n/a
garmin.monkey-c@1.1.3 josephnelson6788785 available 2026-06-30T09:25:34.948492Z Open VSX metadata n/a
litchi.matplotlib-pilot@0.1.0 tylerwells4311 available 2026-06-30T08:53:00.299613Z Open VSX metadata n/a
mgwg.light-pink-theme@0.6.0 jenniferc1742 available 2026-06-30T05:40:18.724158Z Open VSX metadata n/a
hiteshchoudharycode.chai-theme@0.2.0 kyle-long1554 available 2026-06-30T04:59:17.829735Z Open VSX metadata n/a
JimmyZJX.ripgrep@0.4.2 butlern7879 available 2026-06-30T04:09:48.979223Z Open VSX metadata n/a
Gongyueqing.webull-teamup-tool@0.0.21 1727728017-glitch available 2026-06-30T04:05:48.709479Z Open VSX metadata n/a
wannanbigpig.codex-accounts-manager@0.1.11 gray-david3732 available 2026-06-30T03:36:21.778821Z Open VSX metadata n/a
QxLabAI.text2code@0.0.7 jholmes5759 available 2026-06-30T02:49:17.450950Z Open VSX metadata n/a
AnasFiguigui.pokemon-pets@1.3.1 bevans42953 available 2026-06-30T02:45:14.120016Z Open VSX metadata n/a
shengsuan-cloud.cline-shengsuan@3.89.3 ashleyc5022 available 2026-06-30T02:43:29.351906Z Open VSX metadata n/a
colourafredi.vscode-deepseek@1.6.2 laura-taylor8975 available 2026-06-29T18:41:26.144338Z Open VSX metadata n/a
phplasma.csv-to-table@1.4.1 matthew-walker-9276 available 2026-06-29T18:09:48.002156Z Open VSX metadata n/a
AnasFiguigui.pokemon-pets@1.3.0 bevans42953 available 2026-06-29T11:24:57.850028Z dist/extension.js 92476d6cf91c5d7e08319526442b361b9656c305244338ce098240f22a1cb8f5
shubhamprajapati1202.office-editor@1.0.1 hmoore2190 deleted 2026-06-29T11:48:39.734161Z dist/extension.js 2a45abcc2802104820a2ab5ead0a95088dc4d473cef5bfec66449b8de98eff6c
DivyanshuAgrawal.competitive-programming-helper@2026.6.1780853884 henry-davis-5045 deleted 2026-06-29T11:15:26.886824Z dist/extension.js 6f293b77c335354d02f1f809aeead33ab4a2552343f0e8fad840c27aa8e74c65
atommaterial.a-file-icon-vscode@2.0.1 rachelhoward8917 deleted 2026-06-29T08:54:21.411794Z dist/extension.js 387f341ddadbaeb221469e34612c6c0ec303871307957e586bd9a71ba410ac8f
epolicardo.sql-server-profiler-tool@0.5.1 jphillips60904 deleted 2026-06-29T08:26:54.105307Z dist/extension.js 2abd90db23c473b1ecf1a44a8116949b5b31fc9db8007a897c11ea61433d42c6
vbrocket.cursor-ai@0.2.0 steven-12752 deleted 2026-06-29T07:20:28.026Z dist/extension.js f3a4871e4f955deaa39ec8f77d6a10cb274237ca5181b807691784e5d2746ffc
acebunny00.gemini-cli-launcher@0.1.0 barbarawood3450 deleted 2026-06-29T07:19:18.823Z out/extension.js 4aa84b57779ea60742e8c3b415cf57136d5dc6ef2bf64ae07e458d660ebfa721
bokuweb.vscode-ripgrep@0.2.2 richard-reed9317 deleted 2026-06-29T07:19:14.489Z out/src/extension.js bdf0ba16ae6337635c9c675e3760c0dfa05664252ae1b52550e21cfca30f4c0e
GingerTurtle.html-preview-pro@1.1.0 emmawright6395889 deleted 2026-06-29T07:19:12.853Z out/extension.js bdbc8e6e31604c102fa6381f2c293d7eaca8bc119a67a8f0c3571eb03df3ab56
mattn.Lisp@0.1.12 ashleyscott4264 deleted 2026-06-29T07:19:09.397Z extension.js 191845b92d8b348a483025f1d09a588ba379415a81c1fa3ef92403741fe582fd
Doubao.doubao-app-share-vscode-plugin@0.1.2 carterj5999 deleted 2026-06-29T07:19:05.724Z dist/extension.js 1f885eb71169eee0c3e8038def82ecb018120f2dfbd6e8086c5c6255d458cadd
hostinger-official.hostinger-connector@1.2.3 unknown deleted 2026-06-29T07:19:00.300Z out/extension.js 31ac69af1571ae6726c6e0105448df73cf5c972c58db3673ef45b927965acea2
hss.web-viewer@0.0.2 nellis9192 deleted 2026-06-29T07:18:36.955Z out/extension.js 4da12794872a0de79317cc23f39e4aa60afa4eee0c481e873382da8ff2ffe76b
kangping.protobuf@1.1.6 collinsc4332 deleted 2026-06-29T07:18:32.633Z out/src/extension.js 3767564c8802dd7bc1fff686f5a094ece05ed6751f557430b411b7213cd02a26
ShahilKumar.docxreader@1.4.2 donald-kelly-4243 deleted 2026-06-29T07:18:26.962Z out/extension.js f955b77a3e9af0489253a11df1cf6e7dc5177915bd50e264f44b9136b8207917
Dadroit.dadroit-json-generator@1.2.2 emilymitchell6265717 deleted 2026-06-29T07:18:23.809Z dist/extension.js bebbc745524b5203466f3812a8f690a37edcb41c0d7a007be4c710ad0c0eca00
Development42.csv-excel-viewer@1.9.0 barbarapeterson5274556 deleted 2026-06-29T07:17:09.456Z dist/extension.js 056c142026237bc2ad67e0dcb722a7202dd8f8fff4b51e4b140f3db95a98702e
Lumidew.claude-color-theme@0.0.6 helenellis5738138 deleted 2026-06-29T07:17:06.439Z extension.js 90bd451e27c1b3e143750232d29975a86859dc182a46834c970bb84565b8ac55
sakamoto66.vscode-playwright-test-runner@1.4.1 unknown deleted 2026-06-29T07:16:50.053Z dist/extension.js 10786473f4579d1cbf52547b82d7697789149931041b3215fd48a635fa2cf4a3
afractal.node-essentials@1.1.0 helen-77196 deleted 2026-06-29T07:15:38.213Z extension.js c2a2f1dae8974c59574a2209733533551edb7af422737b932e796b73e5504f05
yinfei.luahelper@0.2.29 unknown deleted 2026-06-29T07:15:28.032Z out/extension.js bb6e8b4eb4aee6c517eff269071dfca5fd281c625bfaa5feae062bea0db2356d
matthiesen-technology.yaml-with-script@1.1.3 avan2297 deleted 2026-06-29T07:14:55.838Z out/extension.js dd40a5ae6f4a25373de02d9e9d708cd75854f916c494d3d83fea861f1cbee1b4
Rubymaniac.vscode-paste-and-indent@0.0.8 miller55080 deleted 2026-06-29T07:14:25.252Z out/src/extension.js 6e9090901537e18cbb28966c79243668003d7291f341a6bc69e659025157a4ec
sarthikbhat.json-server@0.0.4 peter20067 deleted 2026-06-29T07:03:14.446187Z dist/extension.js 4854cd7b0bfbbfa22c708e05b0381ad1f885a8fbf089087a855820a242e30404
sfdc-eng.bazel-vscode@0.26.106021821 jack23668 deleted 2026-06-27T19:07:49.787804Z out/src/extension.js bf004c34e7fbd0de8e5c4547d50485c450686afcc6778b67d9e5a3ad7e4183e3
mjethwa-streamlit.streamlit-preview@3.3.4 benjaminmorgan0507404 deleted 2026-06-27T18:06:12.307532Z dist/extension.js b95649ea17a7aa446a023e9b8d1cd39229d44866bac681ccfa1467ceb08f4701
tom-latham.markdown-pdf-plus@1.1.0 julie-johnson-5568 deleted 2026-06-27T17:06:43.429146Z out/extension.js 8508970860a81416ede9de72d6aa81ec139c49492fb8832e9e92141389aac3b8
khaled.vscode-openrouter-extension@0.5.0 jeffrey-84669 deleted 2026-06-27T16:20:34.352649Z dist/extension-node.js e55c2a52fe83e3d34b3d3a60db22ffa1da6a978b869ef832a9345317d5271d35
fabric.vscode-fabric@0.39.18 sean20476 deleted 2026-06-27T15:15:14.506405Z dist/extension.js 5bc68f0e207e082c27b5284a6ebf0c0bc94907b3c1d37881160226d345c0324b
willasm.obsidian-md-vsc@1.3.0 ashleyy9617 deleted 2026-06-27T14:25:45.757706Z src/extension.js a3d467cae38149122863e4bbc08bb9c7ebbd26dc831ad5e5a07af424920df757
warm3snow.vscode-ollama@1.2.1 ethan-thomas8451 deleted 2026-06-27T13:41:36.188561Z out/extension.js 091b5d5b0280c68409c1939b18bb41e9567253bcc01e54fc5fbcbfe8604da111
corotata.pptx-preview@1.0.1 parker-edward7785 deleted 2026-06-27T12:40:01.784488Z out/extension.js 93d03ee81e5768054cee7198b4d68d561e89d5f99712e070e79d2283a0900585
seepine.md-editor@0.1.1 samuel-phillips-9760 deleted 2026-06-27T12:04:54.918875Z out/extension.js 37c4d24ec62b929e8bfda48ec70fa62fe59c59cbd21f5bad18187b9649ba8e35
SyncfusionInc.Document-Viewer-VSCode-Extensions@4.0.4 sanderson8497 deleted 2026-06-27T11:57:52.944068Z dist/extension.js 782dc090e5e7ba8118c0bdf03326f8d0b60719a258ba723231c3ac8ce76581b3
Kingleo.kimi-vscode@0.0.6 jkelly71338 deleted 2026-06-27T11:08:41.934725Z out/extension.js d3d7853748133938c05a94e2968d1c185abf7a4809956851914d894afe4af105
CodebuddyAI.codebuddy-ai@1.7.0 daniel-75169 deleted 2026-06-27T11:02:38.740031Z extension.js 1e6b109b68e46d2f6a68210811498b68b2b78cec8e0e67562fd1377d5c240cc6
bioinfo.markitdown-vscode@0.3.1 dennish4310 deleted 2026-06-27T09:14:39.625890Z out/extension.js bd50ea22917a6f4370d1dbba6771ea9b03e8b25d3835d3b8087511fcec5f6069
huanent.node-runner@1.0.2 dwells3532 deleted 2026-06-27T08:33:12.833708Z out/extension.js 1228eb9a8dd72c85f1cace5e7f6a4bffed4cbc1bfaf7f084f72cac708b0fb347
TomRileyTech.open-excel@0.0.1 pricee2597 deleted 2026-06-27T07:43:10.754657Z out/extension.js 47c047a740bd1717b1241645436e3a61bb368d9dda059f278b497c7c96106a76
justuskarlsson.plan-uml@0.0.8 carol-walker9546 deleted 2026-06-27T05:44:35.493773Z out/extension.js 98e455bca42cf74a66bb34cf8850fa6944aa2e36f6beb80ccc8c22114a4206d9
juajnnlb.claude-commit@1.0.4 a373083284542 deleted 2026-06-27T04:47:14.618943Z out/extension.js 4dc0f2909c25b0817fa970098ea7d4654f5914e35ca8244bd73a0d97776e83a9
Zerobig.vscode-1c-metadata-viewer@0.2.3 a373083284542 deleted 2026-06-27T04:40:17.762975Z out/extension.js 2fdd61db7ef15c8e981a71a7f6f25107ed5501506d30d0c73b4419c268d825ce
juanlb.claude-commit@1.0.1 a373083284542 deleted 2026-06-26T16:20:41.129805Z out/extension.js 115fd3de643ca9898dcceb7459237d5f5b273f0138db7c46a1e2cdfa659170ff

We Will Keep Updating This Post

This is a live investigation. We are continuing to validate package relationships, publisher accounts, infrastructure, and downstream exposure. As we confirm more details, we will update this post with additional technical analysis and detection guidance.