Alert: Malicious VS Code Extensions Target Developers With Stealth Data Theft

Visual Studio Code, one of the world’s most popular code editors, has become the latest target for a sophisticated wave of malicious extensions. Cybersecurity researchers have uncovered two extensions, Bitcoin Black and Codo AI, that disguise themselves as helpful developer tools while secretly harvesting sensitive information from users’ systems. These extensions exploit weak Windows registry and process controls, allowing attackers to steal credentials, browser sessions, and even screen captures—all without the user’s knowledge.

Malicious Extensions Masquerading as Legitimate Tools

The Bitcoin Black extension was promoted as a stylish “premium dark theme inspired by Bitcoin,” but beneath its visual appeal lurked dangerous scripts. Unlike legitimate VS Code themes, which are confined to harmless JSON files, Bitcoin Black contained activation events tied to embedded PowerShell scripts. Every time the editor launched, these scripts executed, downloading malicious payloads and probing the system registry for sensitive data such as Wi-Fi passwords.

Codo AI, marketed as an AI coding assistant integrating ChatGPT and DeepSeek, appeared to offer practical functionality but concealed obfuscated JavaScript designed to install a background infostealer. The stealer relied on DLL hijacking: legitimate Windows-signed binaries were made to load malicious dynamic link libraries, so the malicious code ran under a trusted process without raising suspicion.

Screen Capture and Session Hijacking

Both extensions incorporated a modified Lightshot screenshot utility bundled with a custom Lightshot.dll. This allowed them to silently capture desktop screenshots, clipboard contents, running processes, and stored Wi-Fi credentials. Additionally, the malware executed Chrome and Edge browsers in hidden “headless” sessions, exfiltrating session cookies and active logins—techniques tracked as MITRE ATT&CK T1539 and T1574.001.

The stolen data was sent to attacker-controlled command-and-control servers, including the domain syn1112223334445556667778889990.org and server09.mentality.cloud:40207. The malware also used a mutex string, COOL_SCREENSHOT_MUTEX_YARRR, ensuring only one instance ran at a time to maintain persistence.

Security researchers at Koi Security observed multiple versions of these extensions, indicating ongoing refinement. Over successive releases, attackers simplified scripts, hid command windows, and introduced checks to prevent re-execution. While Microsoft has removed these extensions from the VS Code Marketplace, Codo AI remained live during early stages of analysis. Developers are urged to review their installed extensions carefully and disable any from the publisher “BigBlack.”
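A defender-side check for the pattern described above (a theme that also declares activation events or an entry point, ships scripts or a bundled Lightshot binary, or comes from the publisher "BigBlack"), written as an added example for this article rather than Koi Security's or Microsoft's tooling. The indicator lists are assumptions drawn from the report; the folder layout (`~/.vscode/extensions/<publisher>.<name>-<version>/package.json`) is VS Code's standard one.

```python
import json
from pathlib import Path

# Indicators from the report: the publisher it names and the bundled screenshot tool.
SUSPECT_PUBLISHERS = {"bigblack"}
SUSPECT_FILES = {"lightshot.dll", "lightshot.exe"}
SCRIPT_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs"}

def audit_extension(ext_dir: Path) -> list:
    """Return a list of findings (strings) for one extension folder."""
    findings = []
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return findings
    pkg = json.loads(manifest.read_text(encoding="utf-8"))
    publisher = str(pkg.get("publisher", "")).lower()
    if publisher in SUSPECT_PUBLISHERS:
        findings.append(f"publisher '{publisher}' is on the blocklist")
    # A colour theme only needs 'contributes.themes' pointing at JSON.
    # An entry point or activation events mean the 'theme' runs code
    # every time the editor starts, which is what Bitcoin Black did.
    is_theme = bool(pkg.get("contributes", {}).get("themes"))
    runs_code = bool(pkg.get("main") or pkg.get("browser")
                     or pkg.get("activationEvents"))
    if is_theme and runs_code:
        findings.append("theme declares an entry point or activation events")
    # Scripts and native binaries have no place in a theme package.
    # npm's own .ps1/.cmd shims live in node_modules/.bin; skip those.
    for path in ext_dir.rglob("*"):
        rel = path.relative_to(ext_dir)
        if "node_modules" in rel.parts and ".bin" in rel.parts:
            continue
        if path.name.lower() in SUSPECT_FILES:
            findings.append(f"bundled binary {rel}")
        elif path.suffix.lower() in SCRIPT_SUFFIXES:
            findings.append(f"script file {rel}")
    return findings

def audit_all(extensions_root: Path) -> dict:
    """Map extension folder name -> findings, for folders with findings."""
    report = {}
    for child in sorted(extensions_root.iterdir()):
        if child.is_dir() and (found := audit_extension(child)):
            report[child.name] = found
    return report

if __name__ == "__main__":  # default install location on every platform
    for name, found in audit_all(Path.home() / ".vscode" / "extensions").items():
        print(name, *("  - " + f for f in found), sep="\n")
```

Script hits in legitimate extensions do occur (build helpers, test fixtures), so treat the output as a triage list rather than a verdict.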

What Undercode Says:

This campaign underscores a disturbing trend: even trusted developer platforms are not immune to sophisticated infostealers. Malicious actors are increasingly targeting the software development ecosystem, recognizing that developers often store valuable credentials, API keys, and session tokens on their machines. The Bitcoin Black and Codo AI campaigns illustrate a layered approach to attack: social engineering via appealing themes or AI tools, combined with stealthy, automated extraction of sensitive data.

DLL hijacking and headless browser sessions are particularly worrying because they exploit legitimate system processes, making detection by traditional antivirus tools difficult. The use of mutexes and hidden execution further enhances persistence and minimizes the risk of accidental discovery. Continuous updates to these extensions also demonstrate a high level of operational sophistication, indicating well-funded and technically adept attackers.

For developers, the takeaway is clear: the perceived trustworthiness of a platform like VS Code cannot be taken for granted. Each installed extension represents a potential attack vector, and rigorous vetting is now essential. Organizations should enforce policies that monitor extension installations, sandbox development environments, and employ endpoint detection systems capable of identifying unusual registry queries, hidden browser sessions, or suspicious DLL loading.
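To make the detection side concrete, here is an added example (not the page's, Koi Security's, or any vendor's rule set) that flags the two runtime behaviours the report describes in process telemetry: a headless Chrome or Edge session started by something other than the usual parent, and a DLL side-load where an unsigned library is loaded from a user-writable path or is the named Lightshot.dll. The events are constructed JSON lines using Sysmon-style field names; the paths, the `helper.dll` name and the vendor tool are assumptions.

```python
import json
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe"}
# Parents that normally launch a browser on a workstation; an editor,
# a shell or a script host starting one headless is the report's pattern.
NORMAL_BROWSER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}
# Directories an unprivileged user can write to; a signed binary loading
# an unsigned DLL from here is the classic side-loading shape (T1574.001).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\.vscode\\")

def _base(path):
    return PureWindowsPath(path).name.lower()

def check_event(ev):
    """Return (rule, detail) for a suspicious record, else None."""
    if ev.get("EventType") == "ProcessCreate":
        image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
        cmd = ev.get("CommandLine", "").lower()
        if (image in BROWSERS and "--headless" in cmd
                and parent not in NORMAL_BROWSER_PARENTS):
            return ("headless_browser_unexpected_parent", f"{parent} -> {cmd}")
    elif ev.get("EventType") == "ImageLoad":
        loaded, loader = ev["ImageLoaded"], _base(ev["Image"])
        unsigned = str(ev.get("Signed", "")).lower() != "true"
        if _base(loaded) == "lightshot.dll":
            return ("lightshot_dll_loaded", f"{loader} loaded {loaded}")
        if unsigned and any(d in loaded.lower() for d in USER_WRITABLE):
            return ("unsigned_dll_from_user_path", f"{loader} loaded {loaded}")
    return None

def scan(lines):
    """Apply check_event to JSON-lines telemetry; return the hits in order."""
    return [h for h in (check_event(json.loads(l)) for l in lines if l.strip()) if h]

# Constructed sample: a normal browser start, a headless launch from Code.exe,
# a signed vendor tool loading an unsigned DLL under AppData, the bundled
# Lightshot pair, and a benign system DLL load.
SAMPLE = r"""
{"EventType":"ProcessCreate","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe https://example.com","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventType":"ProcessCreate","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe --headless --disable-gpu","ParentImage":"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"}
{"EventType":"ImageLoad","Image":"C:\\Program Files\\Vendor\\tool.exe","ImageLoaded":"C:\\Users\\dev\\AppData\\Roaming\\Code\\helper.dll","Signed":"false"}
{"EventType":"ImageLoad","Image":"C:\\Users\\dev\\.vscode\\extensions\\bigblack.bitcoin-black-1.0.0\\Lightshot.exe","ImageLoaded":"C:\\Users\\dev\\.vscode\\extensions\\bigblack.bitcoin-black-1.0.0\\Lightshot.dll","Signed":"false"}
{"EventType":"ImageLoad","Image":"C:\\Windows\\System32\\svchost.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true"}
""".splitlines()

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE):
        print(rule, detail)
```

Build and test machines that run headless browsers legitimately need their own parent allowlist, otherwise the first rule will page on every CI job.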

Furthermore, the campaign highlights a broader risk to supply chain security. Threat actors increasingly exploit widely used tools to gain access to multiple targets, leveraging developer machines as initial access points to corporate networks. The combination of aesthetically appealing tools and technical sophistication makes these attacks effective, often eluding casual inspection.

The Bitcoin Black and Codo AI cases also raise questions about the oversight of marketplace vetting processes. While Microsoft acted to remove the extensions once detected, the delay in removal allowed malicious actors a window of opportunity. Continuous monitoring and proactive threat intelligence sharing among the developer community will be key to preventing future incidents.

In short, these attacks are a wake-up call for the global developer ecosystem: trust must be earned, not assumed. Robust operational security, vigilant extension review, and awareness of sophisticated malware tactics are essential in safeguarding developer environments.

🔍 Fact Checker Results:

✅ Bitcoin Black and Codo AI contained malicious scripts targeting VS Code users.
✅ Malware stole credentials, session cookies, and desktop screenshots via DLL hijacking.
❌ There is no evidence that all VS Code extensions pose a risk—only specific ones from “BigBlack.”

📊 Prediction:

Developers can expect a rise in malicious extensions targeting popular IDEs. 🔒
Security platforms may implement stricter vetting and automated scanning for extensions. ⚡
User awareness campaigns will grow, emphasizing verification and sandboxed testing of new developer tools. 💻

References:

Reported By: cyberpress.org