AI Security Analysis: Test.AI

Analysis generated: 2025-12-11T22:47:45+13:00
Model: gemini-3-pro-preview

Quick Facts

AI Analysis

Executive Summary

CRITICAL WARNING: Do not install or use this extension.
The "Test.AI" extension (v0.0.7) presents an immediate and severe security threat. The analysis detected over 32,000 security findings, with a specific focus on malicious scripts designed to execute system commands, manipulate files, and establish network connections immediately upon installation. The combination of an unverified publisher, low user count, and aggressive obfuscated installation scripts strongly suggests this is a malicious package or a supply chain attack vector.

Threat Assessment

The security posture of this extension is critically compromised. The findings indicate a high probability of intentional malicious functionality rather than accidental vulnerabilities.

• Malicious Installation Scripts: The most concerning aspect is the prevalence of postinstall YARA matches (e.g., postinstall_system_command, postinstall_obfuscation). In the Node.js/VS Code ecosystem, post-install scripts run automatically when dependencies are installed. This extension appears configured to execute arbitrary system commands and obfuscated code the moment it is set up, without requiring specific user interaction.
• Obfuscation and Evasion: The presence of postinstall_obfuscation signatures indicates an active attempt to hide the code's true intent from analysis. Legitimate extensions rarely require obfuscation in their installation routines.
• Excessive Indicators of Compromise (IOCs): The report lists over 24,000 IOCs and 226 network findings. This abnormal volume suggests the extension may contain a massive list of malicious domains or IPs, potentially acting as a botnet client or a tool for credential harvesting.
• Unverified Supply Chain: The publisher "Gabriel de Paula Brunetti" is unverified, and the extension has a very low version number (0.0.7) and user count (62). This profile is consistent with "typosquatting" or malicious prototyping, where attackers upload extensions with generic names (like "Test.AI") to trick developers.

Risk Justification

Risk Score: 100.0/100 (CRITICAL)

This score is fully justified and potentially conservative given the findings.

• Intent vs. Vulnerability: Unlike extensions with accidental coding errors, the findings here (obfuscation, system commands in install scripts) indicate malicious intent.
• Severity of Findings: 7,504 HIGH severity findings is an exceptionally rare and dangerous metric.
• Attack Vector: The use of postinstall scripts means the compromise happens automatically during the setup phase, bypassing many runtime security controls.

Key Findings

• System Command Execution (High Severity): Multiple instances of postinstall_system_command were detected. This indicates the extension attempts to run shell commands on the host OS, potentially to install persistent malware or steal data.
• Code Obfuscation (High Severity): The postinstall_obfuscation findings suggest the code responsible for installation is deliberately hidden, a primary characteristic of malware.
• Network Communication (High Severity): postinstall_network_communication combined with 226 general network findings indicates the extension attempts to "phone home" or download additional payloads immediately upon installation.
• File System Manipulation (High Severity): postinstall_file_manipulation indicates the extension attempts to read, write, or delete files outside of its standard scope.
• Anomalous Volume: A total of 32,567 findings is statistically impossible for a legitimate, well-maintained extension of this type, suggesting it bundles known malicious libraries or massive lists of attack targets.

Recommendations

1. Immediate Removal: If this extension is installed on any environment, uninstall it immediately.
2. Incident Response: Treat any machine that has installed this extension as compromised. The postinstall scripts likely executed immediately. Re-imaging the machine or restoring from a clean backup is recommended.
3. Credential Rotation: Rotate all credentials (SSH keys, API tokens, cloud provider secrets) present on the affected machine, as the extension had file access and network capabilities.
4. Blocklist: Add the Extension UUID (12871a8d-5c40-505d-876c-25b4e67cd377) to the organization's VS Code extension blocklist to prevent future installation.
5. Network Investigation: Review network logs for traffic to unknown IPs/domains originating from the affected developer workstations around the time of installation.

Mitigation Strategies

There are no safe mitigation strategies for using this extension.
Due to the presence of obfuscated installation scripts and the high likelihood of malicious intent, "sandboxing" or "limiting permissions" is insufficient. The risk of data exfiltration or lateral movement is too high. The only valid mitigation is total avoidance.

Confidence Assessment

Confidence Level: 80% (High)

While YARA rules can generate false positives, the convergence of multiple distinct high-risk indicators increases confidence significantly. The specific combination of obfuscation, system command execution, and network activity within a post-install context is a classic signature of a malicious supply chain attack. The sheer volume of findings (32k+) further solidifies the assessment that this code is anomalous and dangerous.

Disclaimer

This analysis was generated by an AI model and should be reviewed by security professionals. The findings are based on automated security scanning and may include false positives. Always verify critical findings manually before taking action.