Two malicious extensions on Microsoft’s Visual Studio Code Marketplace infect developers’ machines with information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions.
The marketplace hosts extensions for the popular VSCode integrated development environment (IDE) to extend functionality or add customization options.
The two malicious extensions, called Bitcoin Black and Codo AI, masquerade as a color theme and an AI assistant, respectively, and were published under the developer name ‘BigBlack.’
At the time of writing, Codo AI was still present in the marketplace, although it counted fewer than 30 downloads. Bitcoin Black’s counter showed only one install.

Source: BleepingComputer.com
According to Koi Security, the Bitcoin Black malicious extension features a “*” activation event that executes on every VSCode action. It can also run PowerShell code, something that a theme does not need and should be a red flag.
In older versions, Bitcoin Black used a PowerShell script to download a password-protected archived payload, which created a visible PowerShell window and could have warned the user.
In more recent versions, though, the process switched to a batch script (bat.sh) that calls ‘curl’ to download a DLL file and an executable, and the activity occurs with the window hidden.

Source: Koi Security
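The red flags described above (a colour theme that declares a “*” activation event and ships code that shells out to PowerShell) can be checked for mechanically. The script below is an added example, not code from the article or from Koi Security: it audits an extension's package.json and, where an entry point exists, string-scans it for process-execution markers. The sample manifests are constructed and the `~/.vscode/extensions` path is an assumption about a default per-user install.

```python
import json
import re
from pathlib import Path

# Strings a colour theme's JavaScript has no reason to contain (heuristic, added here).
EXEC_MARKERS = re.compile(r"child_process|powershell|\bcurl\b|\.bat\b", re.IGNORECASE)

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one package.json; an empty list means nothing unusual."""
    findings = []
    categories = {c.lower() for c in manifest.get("categories", [])}
    activation = manifest.get("activationEvents", [])
    has_entry = "main" in manifest or "browser" in manifest
    if "*" in activation:
        findings.append("'*' activation event: extension code runs on every VS Code start")
    if "themes" in categories and has_entry:
        findings.append("theme ships an entry point (main/browser) although themes need no code")
    if "themes" in categories and activation:
        findings.append("theme declares activationEvents")
    return findings

def audit_extension_dir(ext_dir) -> list[str]:
    """Audit one extension folder: its manifest plus a string scan of its entry point."""
    ext_dir = Path(ext_dir)
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        return []  # unreadable or absent manifest: nothing to report
    findings = audit_manifest(manifest)
    entry = manifest.get("main")
    if entry:
        try:
            source = (ext_dir / entry).read_text(encoding="utf-8", errors="replace")
        except OSError:
            source = ""
        hits = sorted({m.lower() for m in EXEC_MARKERS.findall(source)})
        if hits:
            findings.append("entry point references: " + ", ".join(hits))
    return findings

# Constructed sample manifests (not the real extensions' files).
BENIGN_THEME = {"name": "plain-theme", "categories": ["Themes"],
                "contributes": {"themes": [{"label": "Plain", "uiTheme": "vs-dark", "path": "./themes/plain.json"}]}}
SUSPICIOUS_THEME = dict(BENIGN_THEME, name="not-just-a-theme", activationEvents=["*"], main="./out/extension.js")

if __name__ == "__main__":
    root = Path.home() / ".vscode" / "extensions"  # assumption: default per-user install location
    for ext in sorted(p for p in root.glob("*") if p.is_dir()):
        print(ext.name, "->", audit_extension_dir(ext) or "no findings")
```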
Idan Dardikman of Koi Security says that Codo AI has code assistance functionality via ChatGPT or DeepSeek, but also includes a malicious section.
Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that is loaded via the DLL hijacking technique to deploy the infostealer under the name runtime.exe.
The malicious DLL is flagged as a threat by 29 out of the 72 antivirus engines on VirusTotal, the researcher notes in a report today.
The malware creates a directory named Evelyn in ‘%APPDATA%Local’ to store stolen data: details about running processes, clipboard content, WiFi credentials, system information, screenshots, and a list of installed programs.

Source: BleepingComputer
To hijack user sessions, the malware launches the Chrome and Edge browsers in headless mode and extracts their stored cookies.
The malware also steals cryptocurrency wallets such as Phantom, MetaMask, and Exodus, and it looks for passwords and credentials.
BleepingComputer has contacted Microsoft about the presence of the extensions in the marketplace, but a comment wasn’t immediately available.
Malicious VS Code extensions have previously been pushed to platforms that distribute extensions for VS Code-based IDEs, such as OpenVSX and the Visual Studio Code Marketplace, one of the most notable campaigns being Glassworm.
Developers can minimize the risk from malicious VSCode extensions by installing extensions only from reputable publishers.