Ethical Hacking News
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. If you've installed any of the nine malicious extensions, remove them immediately and manually locate and delete the coin miner, scheduled tasks, registry key, and malware directory.
Malicious VSCode extensions have been identified that infect users with cryptominers designed to mine Ethereum and Monero cryptocurrencies. The malicious extensions were published on the VSCode Marketplace in April 2025 and had been downloaded over 300,000 times. The infected extensions fetch a PowerShell script from an external source when installed and activated, which executes the cryptominer XMRig. Users are advised to remove the malicious extensions immediately and manually delete any associated malware directories, scheduled tasks, registry keys, and files. Regularly checking the reputation of installed extensions and updating them promptly can help prevent security risks.
Malicious VSCode extensions have been identified as a threat to users of Microsoft's popular code editor, Visual Studio Code (VSCode). The malicious extensions, which were published on the VSCode Marketplace in April 2025, pose as legitimate development tools but instead infect users with cryptominers designed to mine Ethereum and Monero cryptocurrencies. The discovery was made by ExtensionTotal researcher Yuval Ronen, who identified nine VSCode extensions that had been downloaded over 300,000 times since their publication.
The malicious extensions were found to fetch a PowerShell script from an external source when installed and activated, which executes the cryptominer XMRig. The extensions' names are: Discord Rich Presence for VS Code, Rojo – Roblox Studio Sync, Solidity Compiler, Claude AI, Golang Compiler, ChatGPT Agent for VSCode, HTML Obfuscator, Python Obfuscator for VSCode, and Rust Compiler for VSCode. All of these extensions had amassed significant numbers of downloads since their publication, with some having as many as 189,000 installs.
Upon further investigation, it was discovered that the malicious PowerShell script performs several malicious functions, including disabling defenses, establishing persistence, escalating privileges, and eventually loading the cryptominer. The script also creates a scheduled task disguised as "OnedriveStartup" and writes a startup script into the Windows Registry so that the malware runs at system startup.
Furthermore, the script turns off critical Windows services such as Windows Update and Update Medic, adds its working directory to Windows Defender's exclusion list, and performs DLL hijacking using a malicious MLANG.dll to elevate privileges. The PowerShell script decodes a base64-encoded executable, which then connects to a secondary server at myaunet[.]su to download and run XMRig, a Monero cryptocurrency miner.
It's worth noting that the presence of an NPM directory on the threat actor's server may indicate that the campaign is active on that package index as well. However, no malicious files have been found on the NPM platform at this time.
If you've installed any of the nine malicious VSCode extensions, it's essential to remove them immediately and manually locate and delete the coin miner, scheduled tasks, registry key, and malware directory. BleepingComputer has contacted Microsoft about the malicious extensions, and further information will be provided as available.
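The following read-only triage script is an added example, not code from the article, BleepingComputer, or ExtensionTotal. It checks a Windows machine for the indicators the article describes (the nine extension names, the "OnedriveStartup" task, disabled update services, Defender path exclusions, and autostart Run entries) and reports them without deleting anything. It assumes the extension display names above appear as `displayName` in each extension's package.json, and it looks in the standard HKCU/HKLM Run keys because the article does not name the exact registry key the malware uses.

```powershell
# Added triage script: reports indicators from the article, removes nothing.
$findings = @()

# 1. Installed extensions whose display name matches one of the nine named in the article
#    (assumption: the marketplace display name is stored as "displayName" in package.json).
$badNames = @('Discord Rich Presence for VS Code', 'Rojo – Roblox Studio Sync', 'Solidity Compiler',
              'Claude AI', 'Golang Compiler', 'ChatGPT Agent for VSCode', 'HTML Obfuscator',
              'Python Obfuscator for VSCode', 'Rust Compiler for VSCode')
$extRoot = Join-Path $env:USERPROFILE '.vscode\extensions'
Get-ChildItem -Path $extRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $pkg = Join-Path $_.FullName 'package.json'
    if (Test-Path $pkg) {
        $meta = Get-Content -Path $pkg -Raw | ConvertFrom-Json
        if ($badNames -contains $meta.displayName) {
            $findings += "Extension '$($meta.displayName)' installed at $($_.FullName)"
        }
    }
}

# 2. Persistence: scheduled task disguised as "OnedriveStartup".
Get-ScheduledTask -TaskName 'OnedriveStartup' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Scheduled task '$($_.TaskName)' found in $($_.TaskPath)"
}

# 3. Defense evasion: Windows Update (wuauserv) and Update Medic (WaaSMedicSvc) left disabled.
foreach ($svc in 'wuauserv', 'WaaSMedicSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -eq 'Disabled') { $findings += "Service $svc is set to Disabled" }
}

# 4. Defense evasion: the script adds its working directory to Defender's path exclusions.
$excl = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
if ($excl) { $findings += "Defender path exclusions present: $($excl -join '; ')" }

# 5. Persistence: autostart Run entries that launch PowerShell
#    (assumption: the article does not name the key, so the common Run keys are checked).
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'powershell' } |
            ForEach-Object { $findings += "Run entry $hive\$($_.Name): $($_.Value)" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from the article were found.' }
```

Each hit should be reviewed by hand before removal, since Defender exclusions and Run entries can also be legitimate; run it from an elevated prompt so the HKLM key and Defender preferences are readable.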
The discovery of these malicious VSCode extensions highlights the importance of vigilance when installing new software, especially for developers who rely on tools like VSCode for their work. Users are advised to regularly check the reputation of installed extensions and update them promptly to ensure they don't pose a security risk.
In conclusion, the malicious VSCode extensions identified by ExtensionTotal researcher Yuval Ronen have exposed a vulnerability in the popular code editor that can be exploited by attackers to infect users with cryptominers. As the threat landscape continues to evolve, it's crucial for users to stay informed and take proactive measures to protect themselves from such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-VSCode-Extensions-A-Trojan-Horse-for-Cryptominers-on-Windows-ehn.shtml
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-infect-windows-with-cryptominers/
Published: Mon Apr 7 13:35:04 2025 by llama3.2 3B Q4_K_M