Ethical Hacking News
Malicious VSCode extensions have been discovered that can infect machines with information-stealing malware, compromising sensitive data such as screenshots, credentials, cryptocurrency wallets, and hijacked browser sessions. These extensions masquerade as legitimate themes and AI assistants and were published under the developer name 'BigBlack.' Developers must remain vigilant when installing new extensions and take steps to protect themselves against these types of threats.
Malicious VSCode extensions have been discovered that can infect machines with information-stealing malware. Two malicious extensions, Bitcoin Black and Codo AI, were found masquerading as legitimate themes and AI assistants. The malicious extensions can steal sensitive data such as screenshots, credentials, cryptocurrency wallets, and hijacked browser sessions. Developers should exercise caution when installing new extensions, especially those with unusual permissions or functionality. Installing from reputable publishers, regular updates, and scanning tools can minimize the risks of malicious VSCode extensions.
Microsoft's Visual Studio Code (VSCode) Marketplace has become a breeding ground for malicious extensions, posing significant security risks to developers. Two malicious extensions, Bitcoin Black and Codo AI, have been discovered that can infect machines with information-stealing malware, compromising sensitive data such as screenshots, credentials, cryptocurrency wallets, and hijacked browser sessions.
These malicious extensions masquerade as legitimate themes and AI assistants, respectively, and were published under the developer name 'BigBlack.' At the time of writing, Codo AI was still present in the marketplace, although it counted fewer than 30 downloads. Bitcoin Black's counter showed only one install. Even at these low install counts, the discovery underlines why developers should exercise caution when installing extensions from unknown sources.
According to Koi Security, the Bitcoin Black malicious extension features a "*" activation event that executes on every VSCode action. It can also run PowerShell code, which is unusual for a theme and should raise red flags. In older versions, Bitcoin Black used a PowerShell script to download a password-protected archived payload, which created a visible PowerShell window and could have warned the user.
However, in more recent versions, the process switched to a batch script (bat.sh) that calls 'curl' to download a DLL file and an executable, with the activity occurring with the window hidden. This change highlights the tactics used by malicious actors to evade detection.
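As an added defender-side check (not code from this article or from Koi Security), the following Python audits locally installed extensions for the traits described above: a "*" activation event, a theme that ships executable code at all, and PowerShell/curl/child_process usage in its entry script. The extensions directory path and the indicator patterns are assumptions made for this example.

```python
import json
import re
from pathlib import Path

# Heuristic indicators a colour theme has no reason to contain (assumption:
# the article reports PowerShell, curl and a hidden window, not exact strings).
SUSPICIOUS_SOURCE = re.compile(
    r"child_process|powershell|\bcurl\b|windowstyle\s+hidden", re.I
)


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one extension package.json."""
    findings = []
    events = manifest.get("activationEvents", [])
    if "*" in events:
        findings.append("activationEvents contains '*': code runs on every VS Code launch")
    contributes = manifest.get("contributes", {})
    is_theme = bool(contributes.get("themes") or contributes.get("iconThemes"))
    has_code = "main" in manifest or "browser" in manifest
    if is_theme and has_code:
        findings.append("theme declares an entry point ('main'): themes need no code")
    if is_theme and events:
        findings.append("theme declares activationEvents: themes are data-only")
    return findings


def audit_source(js_text: str) -> list[str]:
    """Flag shell/PowerShell/curl usage in the extension's bundled JavaScript."""
    return sorted({m.group(0).lower() for m in SUSPICIOUS_SOURCE.finditer(js_text)})


def audit_installed(root: Path = Path.home() / ".vscode" / "extensions") -> dict:
    """Audit every extension under the default VS Code extensions directory."""
    report = {}
    for pkg in root.glob("*/package.json"):
        manifest = json.loads(pkg.read_text(encoding="utf-8", errors="replace"))
        findings = audit_manifest(manifest)
        entry = pkg.parent / manifest.get("main", "")
        if manifest.get("main") and entry.is_file():
            findings += [f"source references: {t}" for t in audit_source(entry.read_text(errors="replace"))]
        if findings:
            report[pkg.parent.name] = findings
    return report


# Constructed sample manifest mirroring the traits reported for the theme above.
SAMPLE_THEME_MANIFEST = {
    "name": "some-theme", "publisher": "example-publisher",
    "activationEvents": ["*"], "main": "./extension.js",
    "contributes": {"themes": [{"label": "Dark", "path": "./theme.json"}]},
}

if __name__ == "__main__":
    for name, findings in audit_installed().items():
        print(name, *findings, sep="\n  ")
```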
Idan Dardikman of Koi Security notes that Codo AI has code assistance functionality via ChatGPT or DeepSeek, but also includes a malicious section. Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that is loaded via the DLL hijacking technique to deploy the infostealer under the name runtime.exe.
The malicious DLL is flagged as a threat by 29 out of the 72 antivirus engines on VirusTotal, according to the researcher. The malware creates a directory called Evelyn under '%APPDATA%\Local\' to store stolen data: details about running processes, clipboard content, WiFi credentials, system information, screenshots, and a list of installed programs.
To steal cookies and hijack user sessions, the malware launches the Chrome and Edge browsers in headless mode and extracts their stored cookies. It also steals cryptocurrency wallets such as Phantom, MetaMask, and Exodus, and searches for passwords and credentials, adding everything it finds to the Evelyn directory.
Developers can minimize the risks of malicious VSCode extensions by installing extensions only from reputable publishers, keeping them regularly updated, and using scanning tools that detect known threats. Additionally, developers should exercise caution when installing new extensions, especially those with unusual permissions or functionality.
In conclusion, the presence of malicious VSCode extensions on Microsoft's registry that drop infostealers poses a significant threat to developer security. These extensions, disguised as legitimate themes and AI assistants, can infect machines with information-stealing malware, compromising sensitive data. Developers must remain vigilant when installing new extensions and take steps to protect themselves against these types of threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-VSCode-Extensions-on-Microsofts-Registry-Drop-Infostealers-A-Threat-to-Developer-Security-ehn.shtml
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/
Published: Mon Dec 8 16:35:08 2025 by llama3.2 3B Q4_K_M