Two malicious extensions that infect developers' machines with infostealers were discovered on Microsoft's Visual Studio Code marketplace. The malware can take screenshots, steal passwords and cryptocurrency wallets, and hijack browser sessions.
Researchers at Koi Security discovered the malicious extensions Bitcoin Black and Codo AI, which pose as a theme and an AI assistant respectively. Both were published under the developer name BigBlack. When the researchers' report was published, Codo AI was still available in the store, although it had fewer than 30 downloads; Bitcoin Black had only one installation.
According to the researchers, Bitcoin Black uses the "*" activation event, which is triggered by every action in VSCode. The plugin can also run PowerShell code.
In older versions, the extension used a PowerShell script to download a password-protected archive containing the payload. However, this caused a PowerShell window to pop up, which could alert the user. In newer versions the process has moved to a bat script (bat.sh), which calls curl to download a DLL file and an executable .exe file without any visible window.

As for Codo AI, the extension does assist the user with code using ChatGPT or DeepSeek, but it also contains a similar malicious component.

Both extensions bundle a legitimate executable of the Lightshot utility together with a malicious DLL. The DLL is loaded via DLL hijacking and deploys an infostealer named runtime.exe on the victim's system. Only 29 of the 72 antivirus engines on VirusTotal detect the malicious DLL.

On the infected machine, the malware creates a directory in %APPDATA%\Local\ and an Evelyn folder to store the stolen data: information about running processes, clipboard contents, Wi-Fi credentials, system data, screenshots, a list of installed programs, and active processes. To steal cookies and hijack user sessions, the malware launches Chrome and Edge in headless mode and retrieves the stored cookies from them. The stealer also takes data from cryptocurrency wallets such as Phantom, Metamask, and Exodus, and searches for passwords and other credentials.

Microsoft representatives say that both malicious extensions have already been removed from the VSCode marketplace. @xakep.ru
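As an added example (not code from the article or from Koi Security), the following Python script audits a VS Code extensions directory for the two traits the report attributes to these extensions: the "*" activation event in package.json, and native binaries or shell/PowerShell scripts bundled inside the extension folder. The extension layout (`<publisher>.<name>-<version>/package.json`) is the standard VS Code one; the sample extensions it builds are constructed, and the publisher name "bigblack" is taken from the article.

```python
# Added example: flag VS Code extensions that activate on "*" or ship
# .exe/.dll/.ps1/.bat/.sh files. Point audit_all() at a real extensions
# root (e.g. ~/.vscode/extensions) to audit an actual installation.
import json
import tempfile
from pathlib import Path

SUSPICIOUS_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".sh"}

def audit_extension(ext_dir: Path) -> dict:
    """Return findings for one extension directory (empty list / False = nothing found)."""
    findings = {"name": ext_dir.name, "wildcard_activation": False, "binaries": []}
    manifest = ext_dir / "package.json"
    if manifest.is_file():
        with manifest.open(encoding="utf-8") as fh:
            pkg = json.load(fh)
        events = pkg.get("activationEvents") or []
        findings["wildcard_activation"] = "*" in events
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings["binaries"].append(path.relative_to(ext_dir).as_posix())
    findings["binaries"].sort()
    return findings

def audit_all(extensions_root: Path) -> list:
    """Audit every extension under the root; only flagged extensions are returned."""
    flagged = []
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        f = audit_extension(ext_dir)
        if f["wildcard_activation"] or f["binaries"]:
            flagged.append(f)
    return flagged

def build_sample_root() -> Path:
    """Constructed sample: one benign theme and one extension mirroring the reported traits."""
    root = Path(tempfile.mkdtemp())
    benign = root / "someone.nice-theme-1.0.0"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps({"name": "nice-theme", "contributes": {"themes": []}}))
    bad = root / "bigblack.bitcoin-black-1.0.0"
    (bad / "bin").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"name": "bitcoin-black", "activationEvents": ["*"]}))
    (bad / "bin" / "Lightshot.exe").write_bytes(b"MZ")  # stand-in for the legitimate signed exe
    (bad / "bin" / "hijacked.dll").write_bytes(b"MZ")   # stand-in for the side-loaded DLL
    (bad / "bat.sh").write_text("echo constructed sample")
    return root
```

A "*" activation by itself is not proof of malice (some legitimate extensions use it), but combined with bundled PE files or scripts it is a strong reason to inspect the extension before keeping it installed.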
