Beware Malicious VS Code Extensions Stealing Data

Summary
– Two malicious VS Code extensions, Bitcoin Black and Codo AI, were discovered stealing data like screenshots, browser sessions, and stored credentials.
– The extensions used social engineering, disguising themselves as a cryptocurrency theme and a functional AI coding assistant to deliver a stealthy infostealer.
– The attack evolved through versions, with the delivery method refined from a complex PowerShell routine to a more streamlined hidden batch script.
– The malware employed DLL hijacking, pairing a legitimate Lightshot executable with a malicious DLL to run under a trusted guise.
– While Microsoft removed the extensions, the incident highlights the expanding attack surface of developer tools, with one extension still live at the time of the report.
Cybersecurity experts have uncovered a dangerous new threat targeting software developers. A pair of malicious extensions for the popular Visual Studio Code editor, named Bitcoin Black and Codo AI, were found to be actively stealing sensitive user data. These tools, which were available on the official VS Code marketplace, employed a clever mix of social engineering and technical trickery to deploy a powerful information-stealing payload.
The campaign is notable for its sophisticated packaging. Bitcoin Black disguised itself as a simple cryptocurrency-themed color scheme, while Codo AI posed as a legitimate AI coding assistant with real ChatGPT and DeepSeek integration. This functional facade helped the malicious tool avoid immediate suspicion. Beneath the surface, however, both extensions executed hidden scripts. These scripts downloaded a payload that bundled a legitimate copy of the Lightshot screenshot application with a malicious DLL file.
Researchers from Koi Security noted that Bitcoin Black exhibited activation events and PowerShell execution highly unusual for a simple theme. The more advanced Codo AI extension provided actual coding features, making its malicious activity even harder to detect during normal use. The team analyzed several versions of the extensions, observing rapid evolution in the attacker’s methods. An early version used a complex PowerShell routine to download a password-protected archive. A later, more streamlined version employed a hidden batch script to fetch an executable and DLL directly, using a marker file to prevent repeated execution on the same system.
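As an added example (not code from the article or from Koi Security), the following Python scanner turns the observation above into a local check: it walks a VS Code extensions directory and flags any extension that contributes a color theme yet also declares a JavaScript entry point, activates broadly, or contains PowerShell or batch invocations in its scripts. The two sample extension directories it builds are constructed for the demonstration, and the indicator strings are assumptions chosen here, not indicators taken from the report.

```python
import json
import re
import tempfile
from pathlib import Path

# A color theme has no reason to run PowerShell or a batch file; these strings in its
# JavaScript, or a broad activation event, are the kind of oddity the article describes.
SHELL_PATTERN = re.compile(r"powershell|cmd(\.exe)?\s+/c|\.bat\b", re.IGNORECASE)
BROAD_ACTIVATION = {"*", "onStartupFinished"}

def scan_extension(ext_dir: Path) -> list[str]:
    """Return findings for one extension directory; an empty list means nothing odd."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return []
    meta = json.loads(manifest.read_text(encoding="utf-8"))
    findings = []
    if "themes" in meta.get("contributes", {}) and "main" in meta:
        findings.append("theme declares an executable entry point ('main')")
    broad = set(meta.get("activationEvents", [])) & BROAD_ACTIVATION
    if broad:
        findings.append(f"broad activation events: {sorted(broad)}")
    for js in ext_dir.rglob("*.js"):
        if SHELL_PATTERN.search(js.read_text(encoding="utf-8", errors="ignore")):
            findings.append(f"shell/PowerShell invocation in {js.relative_to(ext_dir)}")
    return findings

def scan_extensions_root(root: Path) -> dict[str, list[str]]:
    """Scan every extension under root (e.g. ~/.vscode/extensions), keeping only those with findings."""
    return {d.name: f for d in sorted(root.iterdir()) if d.is_dir() and (f := scan_extension(d))}

def build_sample_root() -> Path:
    """Constructed sample data, not real extensions: one harmless theme and one suspicious 'theme'."""
    root = Path(tempfile.mkdtemp())
    for name, manifest, js in (
        ("harmless-theme-1.0.0",
         {"name": "harmless-theme", "contributes": {"themes": [{"label": "Plain", "path": "./t.json"}]}}, None),
        ("suspicious-theme-1.0.0",
         {"name": "suspicious-theme", "main": "./extension.js", "activationEvents": ["*"],
          "contributes": {"themes": [{"label": "Shiny", "path": "./t.json"}]}},
         'const cp = require("child_process");\nexports.activate = () => cp.exec("powershell -w hidden -c Get-Date");\n'),
    ):
        ext = root / name
        ext.mkdir()
        (ext / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        if js:
            (ext / "extension.js").write_text(js, encoding="utf-8")
    return root
```

Run `scan_extensions_root(Path.home() / ".vscode" / "extensions")` to apply the same heuristic to a real install; the result is a dictionary of extension names mapped to their findings, so a clean machine returns an empty dictionary.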
The information stolen by this malware was extensive and deeply invasive. The infostealer harvested clipboard contents, lists of installed programs and running processes, desktop screenshots, stored WiFi credentials, and critical browser session data. This gave attackers access to a vast array of personal and professional information from an infected developer’s machine.
The payload’s execution relied on a technique known as DLL hijacking. By pairing a legitimate Lightshot executable with their own malicious DLL, the attackers could run their code under the cover of a trusted application. Koi Security also identified the command-and-control servers set up to receive the stolen data and a specific mutex used to prevent multiple instances of the malware from conflicting on a single host.
Both extensions are believed to be the work of a single threat actor testing different lures. A developer could easily install what appears to be a harmless theme or a useful productivity tool, only to have their passwords, clipboard data, and browser sessions silently transmitted to a remote server within moments. Microsoft has confirmed the malicious extensions have been removed from the marketplace to protect users. This incident underscores a growing trend where attackers are increasingly focusing on the expanding attack surface presented by developer tools and ecosystems.
(Source: InfoSecurity Magazine)