Is "Amh Mw Helper" on VS Code Marketplace Safe to Install?

jcyLite · vscode · v0.0.1

???????fta-admin?vscode??

Risk Assessment

Status: Pending
Score: 0 out of 100 (MINIMAL)

0 security findings detected across all analyzers

VS Code extension analyzed via package manifest and static code analysis

No Threats Detected

This extension passed all security checks

About This Extension

???????fta-admin?vscode??

No Findings

All security checks passed

AI Security Report

AI Security Analysis: Amh Mw Helper

Analysis generated: 2025-12-12T01:31:00+13:00
Model: gemini-3-pro-preview


Quick Facts

Property          Value
UUID              6d745bdf-c04c-5685-9e2c-1acb9d97e0b0
Type              vscode
Version           0.0.1
Users             6
Risk Score        100.0/100 (CRITICAL)
Malware Detected  ⚠️ Yes
Secrets Exposed   ✅ No
Critical Vulns    ✅ No

AI Analysis

Executive Summary

The "Amh Mw Helper" extension represents a CRITICAL security threat and should be blocked immediately. The extension exhibits characteristics typical of a supply chain attack or malware dropper, featuring thousands of indicators related to unauthorized system commands, file downloads, and network communication triggered during the installation phase. With a risk score of 100/100, zero trust score, and an unverified publisher, this extension poses an immediate danger to system integrity and data confidentiality.

Threat Assessment

The security posture of this extension is non-existent; it appears to be an active threat vector rather than a functional tool.

  • Malicious Installation Behavior: The overwhelming majority of high-severity findings relate to postinstall scripts. In the VS Code/NPM ecosystem, post-install scripts run automatically upon installation. The presence of postinstall_system_command, postinstall_file_download, and postinstall_network_communication indicates that simply installing this extension could compromise the host machine before the user even interacts with it.
  • Anomalous Code Volume: The extension contains over 21,000 findings, with 7,515 classified as HIGH severity. This volume is highly abnormal for a version 0.0.1 extension and suggests the inclusion of a massive obfuscated payload or a compromised dependency tree containing known malware signatures.
  • Obfuscation and Evasion: Multiple findings of postinstall_obfuscation suggest active attempts to hide the code's true intent from static analysis tools.
  • Credential Theft Potential: The presence of credential_env_files signatures indicates logic designed to scan for and potentially exfiltrate environment variable files (often used to store API keys and secrets).

Risk Justification

The 100.0/100 risk score is fully justified and accurate.

  • Severity: The findings are not merely bad coding practices; they are signatures of active malware behaviors (downloading payloads, executing shell commands, hiding code).
  • Trust: The publisher "jcyLite" is unverified, the user count is negligible (6), and the description is unintelligible ("???????fta-admin?vscode??"), indicating a lack of legitimacy.
  • Impact: The combination of network communication and system command execution allows for Remote Code Execution (RCE) capabilities.

Key Findings

  • Arbitrary Code Execution (High Confidence): Repeated instances of postinstall_system_command indicate the extension attempts to execute shell commands on the host OS immediately after installation.
  • Dropper Functionality: The combination of postinstall_file_download and postinstall_file_manipulation suggests the extension acts as a "dropper," downloading a secondary malicious payload from an external server.
  • Data Exfiltration Risk: postinstall_network_communication combined with credential_env_files creates a high probability that the extension scrapes local secrets and transmits them externally.
  • Crypto-Mining/Ransomware Indicators: The finding postinstall_crypto_operations is often associated with unauthorized crypto-mining scripts or ransomware encryption routines.
  • Evasion Techniques: postinstall_obfuscation and DebuggerStatementsShouldNotBeUsed imply the code is designed to resist reverse engineering and debugging.

Recommendations

  1. Immediate Block: Blacklist the extension UUID (6d745bdf-c04c-5685-9e2c-1acb9d97e0b0) in all organizational VS Code configurations.
  2. Incident Response: If this extension is found on any endpoint, treat the machine as fully compromised. Re-image the device, as the postinstall scripts likely established persistence or downloaded additional malware.
  3. Credential Rotation: If installed by any developer, assume all secrets (API keys, SSH keys, AWS credentials) on that machine are compromised and rotate them immediately.
  4. Network Blocking: Investigate network logs for traffic originating from the VS Code process during the time of installation to identify Command & Control (C2) domains.

Mitigation Strategies

There is no safe way to use this extension.
Due to the presence of obfuscated post-install scripts that execute system commands, "sandboxing" is insufficient. The risk outweighs any potential (and currently unknown) utility. The only mitigation is total avoidance.

Confidence Assessment

Confidence: 95%
While "malware-signature" findings can sometimes be false positives, the specific combination of thousands of matches related to postinstall execution, file downloading, and obfuscation creates a distinct fingerprint of malicious intent. The low version number, unverified publisher, and broken description provide corroborating context that confirms this is not a legitimate software project.


Disclaimer

This analysis was generated by an AI model and should be reviewed by security professionals. The findings are based on automated security scanning and may include false positives. Always verify critical findings manually before taking action.

Frequently Asked Questions