Malicious VS Code Extensions Steal Developer Data, Removed by Microsoft

Malicious Developer Tools and Packages Target Microsoft VS Code and Popular Programming Ecosystems with Advanced Data-Stealing Malware

  • Malicious extensions disguised as developer tools were found in the Microsoft Visual Studio Code Marketplace.
  • The extensions stole sensitive data such as WiFi passwords, clipboard contents, screenshots, and browser sessions.
  • Malware used advanced techniques like DLL hijacking and headless browser sessions to extract information.
  • Microsoft removed several infected extensions from its Marketplace promptly after detection.
  • Additional malicious packages were discovered in the Go, npm, and Rust ecosystems targeting developers.

Cybersecurity researchers uncovered two malicious extensions in the Microsoft Visual Studio Code (VS Code) Marketplace that infected developer machines with stealer malware. The extensions posed as a premium dark theme and an AI coding assistant but secretly downloaded further payloads, captured screenshots, and siphoned sensitive data. The stolen information was transmitted to a server controlled by the attackers.


The infected extensions (BigBlack.Bitcoin-black, with 16 installs, and BigBlack.codo-ai, with 25 installs) were removed by Microsoft in early December 2025. A third related package, BigBlack.mrbigblacktheme, was also removed for containing malware, according to Microsoft’s list of removed Marketplace extensions. As stated by Idan Dardikman from Koi Security, “Your code. Your emails. Your Slack DMs. Whatever’s on your screen, they’re seeing it too.” The malware also stole WiFi credentials and clipboard data and hijacked browser sessions.
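As an added example (not code from Koi Security or Microsoft), the following Python sketch audits VS Code extension folder names for the three extension IDs named above and for other extensions from the same publisher. It assumes the stock install layout, where each extension sits in a `publisher.name-version` folder under `~/.vscode/extensions`; the function names and the sample folder list are constructed for illustration.

```python
import re
from pathlib import Path

# Extension IDs named in the article (publisher.name), compared case-insensitively.
REMOVED_IDS = {"bigblack.bitcoin-black", "bigblack.codo-ai", "bigblack.mrbigblacktheme"}
FLAGGED_PUBLISHER = "bigblack"  # publisher prefix shared by all three IDs

# Folders are named publisher.name-version[-platform]. The name itself may
# contain hyphens, so the split is anchored on the x.y.z version string.
FOLDER_RE = re.compile(r"^(?P<pub>[^.]+)\.(?P<name>.+?)-(?P<ver>\d+\.\d+\.\d+.*)$")

def parse_folder(folder):
    """Return (extension_id, version) for a folder name, or None if it is not one."""
    m = FOLDER_RE.match(folder)
    return (f"{m['pub']}.{m['name']}".lower(), m["ver"]) if m else None

def audit(folder_names):
    """Classify folders: 'listed' = ID named in the article,
    'publisher' = same publisher, different extension (worth manual review)."""
    findings = []
    for folder in folder_names:
        parsed = parse_folder(folder)
        if parsed is None:
            continue
        ext_id, version = parsed
        if ext_id in REMOVED_IDS:
            findings.append(("listed", ext_id, version))
        elif ext_id.split(".", 1)[0] == FLAGGED_PUBLISHER:
            findings.append(("publisher", ext_id, version))
    return findings

def installed_folders(root=None):
    """List extension folders; the default path is an assumption (stock VS Code)."""
    root = Path(root) if root else Path.home() / ".vscode" / "extensions"
    return [p.name for p in root.iterdir() if p.is_dir()] if root.is_dir() else []

# Constructed sample folder names; the versions are made up for illustration.
SAMPLE = [
    "BigBlack.Bitcoin-black-1.0.0",
    "bigblack.codo-ai-0.2.1-win32-x64",
    "bigblack.other-theme-0.0.1",
    "ms-python.python-2024.2.1",
    "extensions.json",
]

if __name__ == "__main__":
    folders = installed_folders()
    for kind, ext_id, version in audit(folders):
        print(f"[{kind}] {ext_id} {version}")
```

A match means the extension is still on disk, so removal from the Marketplace alone should not be taken as remediation of an already-installed copy.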

Initial versions executed PowerShell scripts to download a password-protected ZIP archive from an external source (syn1112223334445556667778889990[.]org), extracting the main payload using methods like Windows native tools and 7-Zip. Later versions concealed these activities by hiding the PowerShell window and switched to batch scripts that utilized curl to download an executable and DLL.

The malware launched a genuine Lightshot screen capture binary, which in turn loaded a malicious “Lightshot.dll” via DLL hijacking. This DLL collected clipboard contents, lists of installed applications and processes, desktop screenshots, saved WiFi credentials, and detailed system information. It also launched Google Chrome and Microsoft Edge in headless mode to extract stored cookies and hijack user sessions.

Separately, the firm Socket identified malicious packages targeting popular programming ecosystems: two Go packages impersonating trusted UUID libraries that exfiltrate data to a paste site called dpaste when specific functions are invoked; over 400 npm packages bearing the prefix “elf-stats-,” with some enabling reverse shells and data exfiltration; and a Rust crate named finch-rust that masquerades as a legitimate bioinformatics tool while loading a credential-stealing payload called sha-rust. Socket researcher Kush Pandya explained, “Finch-rust acts as a malware loader… finch-rust looks benign in isolation, while sha-rust contains the actual malware.” More details on these threats are available through Socket’s reports, npm findings, and Rust crate analysis.
