Beware these vibe coded Pokemon themes.
SOPA Images/LightRocket via Getty Images
So far this month, I have reported on active Windows hack attacks, 300 million stolen credentials that are being traded on the dark web, and a magic code that just might save you a fortune if your smartphone gets stolen. What I didn’t expect to be writing about, as a cybersecurity geek, was Pokemon. Or, for that matter, vibe coding, as neither exactly floats my professional interest boat. But here we are, and here’s the news that vibe coders are abusing the AI-powered programming sensation to create malware posing as, among other things, Pokemon coding themes. Here’s what you need to know.
ForbesPayPal Attack Update: Another ‘Do Not Pay’ Warning IssuedBy Davey WinderThe Pokemon Vibe Coding Theme That Wants To Catch Them All — With Malware
Downloaded hundreds of times before they were removed from the VS Code marketplace, the malicious extensions posed as “tools tailored for developers with AI vibe coders.” VS Code is the free code editor from Microsoft that is “a go-to choice for programmers,” Ernestas Naprys from Cybernews said in reporting the issue.
John Tuckner, founder of malicious software extensions protection outfit, Secure Annex, first warned of the dangers in an October 31 posting detailing how a total of five malicious extensions were published to the marketplace. Of the Pokemon theme extension, Tuckner said that “sadly, the extension only downloads malware instead of even changing highlighting syntax or showing Pikachu when you hover functions.”
It does serve as a warning for all of the dangers of tools that purport to be of help, although in this case, that’s highly debatable, for vibe coders. “The extension contains no theme functionality, dancing Pikachu sprites, and immediately executes malicious code upon installation,” Tuckner confirmed. The payload was cryptomining malware on this occasion, although the same technique, which included disabling Windows Defender, could be put to use for other malicious activity.
Vibe coding Pokemon fans will, I’m sure, be upset to learn that the extension didn’t provide the promised Pokemon-themed syntax highlighting, file icon hover Pokemon animations, random Pokemon encounters in the output panel and even Pokemon-themed comments as code snippets. The rest of us will probably be wondering what these people are thinking of and getting on with our lives.
ForbesLinkedIn DM Attack Warning — What Users Need To KnowBy Davey Winder