Imagine downloading a simple tool to tweak your code editor's theme, only to have it silently siphon your personal data and crypto assets right under your nose. That's the chilling reality of malicious VSCode extensions hitting the scene. In a world where developers rely on tools like Visual Studio Code (VSCode) to streamline their coding workflows, a new threat has emerged that's as sneaky as it is alarming. But here's where it gets controversial: Could this be a sign that popular marketplaces aren't vetting add-ons as rigorously as they should, leaving the door wide open for cybercriminals?
Let's dive in. According to a recent report from BleepingComputer, two shady extensions named Bitcoin Black and Codo AI have been caught spreading information-stealing malware. These imposters, masquerading as a color theme changer and an AI assistant, were uploaded by an entity calling itself 'Big Black' and have now been yanked from Microsoft's extension marketplace. For beginners wondering what VSCode is, it's a free, open-source code editor developed by Microsoft that's beloved by programmers for its versatility and customization options. Extensions like these are meant to enhance productivity, but in this case, they turned into digital traps.
When users install and run these extensions, they unwittingly trigger the deployment of a couple of nasty components: an executable tied to the Lightshot screenshot tool and a rogue DLL (dynamic link library) file designed to unleash an infostealer. This is the part most people miss: infostealers are a type of malware that covertly harvests sensitive data, like passwords, financial details, and even screenshots of your screen. To put it simply, it's like having an invisible thief rummaging through your digital drawers.
Compounding the issue, this malware has flown under the radar for many security tools. Researchers at Koi Security found it slipped past over 40% of antivirus engines on VirusTotal, a platform that scans files against multiple security products. That's a worrying statistic, highlighting how evolving malware can outsmart even the best defenses. Once inside, the malicious code doesn't waste time: it sets up hidden folders to stash the stolen goods and then fires up browsers like Google Chrome and Microsoft Edge in 'headless' mode. For those new to the term, headless mode means running the browser without a visible window, allowing the malware to automate actions like logging into websites and swiping cookies (small data files that remember your login sessions) or hijacking user sessions.
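The headless-browser behaviour described above is something defenders can hunt for in endpoint telemetry. The following is an added example, not code from the article or from Koi Security: it parses a simplified, constructed process-creation log (image, parent image, command line separated by pipes) and flags browser launches carrying the `--headless` flag, rating them higher when the parent is an editor host process such as `Code.exe` or `node.exe` (that parent mapping is an assumption for the demo, not something the article states).

```python
"""Flag headless browser launches in process-creation logs.

Added example, not from the article or from Koi Security. The log format is
constructed for this demo (a simplified Sysmon-style
"image | parent image | command line" record); adapt parse_line() to your
own telemetry source.
"""
import re
from dataclasses import dataclass

# Browser binaries whose headless launches are worth reviewing.
BROWSERS = {"chrome.exe", "msedge.exe", "chrome", "msedge", "google-chrome"}

# Assumption for the demo: these are the processes that host VSCode and its
# extensions, so a headless browser spawned by them is unusual.
EDITOR_HOSTS = {"code.exe", "node.exe", "code"}

# Matches "--headless" or "--headless=new" as a standalone argument.
HEADLESS_FLAG = re.compile(r"(^|\s)--headless(=\S+)?(\s|$)")


@dataclass
class ProcEvent:
    image: str
    parent: str
    cmdline: str


def parse_line(line):
    """Split one constructed 'image | parent | cmdline' record."""
    image, parent, cmdline = [part.strip() for part in line.split("|", 2)]
    return ProcEvent(image, parent, cmdline)


def basename(path):
    """Lower-cased file name for either Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(ev):
    """Return 'high', 'medium' or None for a single process event."""
    if basename(ev.image) not in BROWSERS:
        return None
    if not HEADLESS_FLAG.search(ev.cmdline):
        return None
    if basename(ev.parent) in EDITOR_HOSTS:
        return "high"
    return "medium"


def scan(lines):
    """Return (severity, parent name, command line) for every flagged event."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        severity = classify(ev)
        if severity:
            findings.append((severity, basename(ev.parent), ev.cmdline))
    return findings


# Constructed sample records; the paths and arguments are made up for the demo.
SAMPLE_LOG = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Windows\explorer.exe"
    r' | "chrome.exe" --profile-directory=Default',
    r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    r" | C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
    r" | chrome.exe --headless=new --user-data-dir=C:\Users\dev\AppData\Local\Google\Chrome\User Data",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Windows\System32\cmd.exe"
    r" | msedge.exe --headless --dump-dom https://example.invalid",
    r"C:\Windows\System32\notepad.exe | C:\Windows\explorer.exe | notepad.exe --headless",
]

if __name__ == "__main__":
    for severity, parent, cmdline in scan(SAMPLE_LOG):
        print(f"[{severity}] parent={parent} cmdline={cmdline}")
```

Only the two browser launches that carry `--headless` are reported; the interactive Chrome session and the non-browser process are ignored. On real telemetry the parent-process check is what separates routine headless automation (CI jobs, scripted testing) from a browser quietly driven out of a code editor.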
And the stakes get even higher: It targets popular cryptocurrency wallets such as Phantom, Exodus, and MetaMask, stealing credentials that could lead to draining your digital funds. Cryptocurrency is booming, with millions using wallets to manage assets like Bitcoin and Ethereum, so imagine the panic of waking up to an empty wallet because of a rogue extension download. This isn't just a tech glitch; it's a direct hit on personal finances.
This incident is part of a growing trend where malicious VSCode extensions are weaponized for malware distribution. Take the Glassworm attack campaign, for instance, which recently resurfaced in similar marketplaces like Visual Studio OpenVSX, infecting packages with harmful code. It's a stark reminder that supply chain attacks, where vulnerabilities in trusted tools are exploited, are on the rise in the DevOps world, where software development and operations intersect.
To safeguard against this, experts are strongly advising developers to stick to extensions from verified, trusted publishers. Double-check reviews, publisher credentials, and even run a quick scan with your antivirus before installation. Think of it like buying groceries: You'd verify the source to avoid tainted produce, right? And this is where the controversy heats up: should Microsoft and other platform providers take more blame for not catching these fakes sooner? Is the open nature of extension markets a double-edged sword, fostering innovation but also inviting abuse?
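The publisher check above can be turned into a routine audit of what is already installed. This is an added example, not code from the article or from Microsoft: it walks the extension folders VSCode keeps under `~/.vscode/extensions` (each named `publisher.name-version` and containing a `package.json`), flags any publisher that is not on your own allow-list, and flags extensions that ship native `.exe` or `.dll` files, since the article describes the malicious extensions deploying exactly that kind of payload. The allow-list, the sample extension names and the `payload.dll` file name are constructed for the demo.

```python
"""Audit locally installed VSCode extensions for untrusted publishers and
bundled native binaries.

Added example, not from the article or from Microsoft. Assumes the default
layout: ~/.vscode/extensions/<publisher>.<name>-<version>/package.json.
"""
import json
import tempfile
from pathlib import Path

# File types a theme or assistant extension has no obvious reason to ship.
NATIVE_SUFFIXES = {".exe", ".dll"}


def audit_extensions(root, trusted_publishers):
    """Return a list of (extension_id, reasons) for extensions worth a look."""
    findings = []
    for ext_dir in sorted(Path(root).iterdir()):
        manifest = ext_dir / "package.json"
        if not manifest.is_file():
            continue
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        publisher = str(meta.get("publisher", "?"))
        ext_id = f"{publisher}.{meta.get('name', '?')}"
        reasons = []
        if publisher.lower() not in trusted_publishers:
            reasons.append("publisher not on allow-list")
        binaries = sorted(
            p.relative_to(ext_dir).as_posix()
            for p in ext_dir.rglob("*")
            if p.is_file() and p.suffix.lower() in NATIVE_SUFFIXES
        )
        if binaries:
            reasons.append("ships native binaries: " + ", ".join(binaries))
        if reasons:
            findings.append((ext_id, reasons))
    return findings


def build_sample_tree(root):
    """Create a constructed extension directory for the demo (not real data)."""
    root = Path(root)
    samples = {
        # A benign extension from an allow-listed publisher.
        "ms-python.python-2024.2.1": ("ms-python", "python", []),
        # Mirrors the article's case: unknown publisher plus an exe and a dll.
        # 'payload.dll' is a placeholder name chosen for this demo.
        "big-black.bitcoin-black-0.0.1": (
            "big-black", "bitcoin-black", ["bin/Lightshot.exe", "bin/payload.dll"]),
        # Unknown publisher, but nothing native bundled.
        "someone.nice-theme-1.0.0": ("someone", "nice-theme", []),
    }
    for dirname, (publisher, name, files) in samples.items():
        ext_dir = root / dirname
        ext_dir.mkdir(parents=True)
        (ext_dir / "package.json").write_text(
            json.dumps({"publisher": publisher, "name": name}), encoding="utf-8")
        for rel in files:
            target = ext_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"")  # contents do not matter for the audit
    return root


def run_demo():
    """Build the constructed tree in a temp dir and audit it."""
    trusted = {"ms-python", "ms-vscode", "microsoft"}  # your own allow-list
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_tree(tmp), trusted)


if __name__ == "__main__":
    for ext_id, reasons in run_demo():
        print(ext_id, "->", "; ".join(reasons))
    # Point the same audit at the real install, if present.
    real_root = Path.home() / ".vscode" / "extensions"
    if real_root.is_dir():
        for ext_id, reasons in audit_extensions(real_root, {"ms-python", "ms-vscode", "microsoft"}):
            print(ext_id, "->", "; ".join(reasons))
```

Run as-is, the demo reports the constructed `big-black.bitcoin-black` extension for both reasons and `someone.nice-theme` for its publisher only. An allow-list of publishers is a blunt instrument, so treat the output as a review queue rather than a verdict; the native-binary check is the part that would have stood out for the extensions the article describes.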
What do you think? Do you feel safe installing extensions from official marketplaces, or has this made you rethink your development tools? Share your thoughts in the comments below. Do you agree that stricter vetting is needed, or is there a counterpoint I'm missing? Let's discuss!
December 9, 2025
BleepingComputer (https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/) reports that information-stealing malware has been spread through the malicious VSCode extensions Bitcoin Black and Codo AI, both of which were published by 'Big Black' and have since been removed from the marketplace.