The Growing Threat of Cryptomining: Malicious Extensions Target VS Code Users

Listen to this Post

Introduction:

In recent months, a sophisticated cryptomining campaign has been uncovered, targeting users of Visual Studio Code (VS Code) through malicious extensions. These extensions, designed to look like legitimate developer tools, were installed over a million times before they were discovered. The attack, which began after April 4, 2025, exploited the trust developers have in popular tools, showcasing the increasing dangers of supply chain attacks. This article delves into how these malicious extensions worked, the methods employed by the attackers, and the growing risks of similar cyber threats.

The Attack and How It Unfolded

A recent report from ExtensionTotal revealed a troubling cryptomining campaign that specifically targeted VS Code users. The attackers used ten malicious extensions to infiltrate the systems of unsuspecting developers, installing a cryptominer to mine Monero cryptocurrency. These extensions appeared as popular developer tools but were, in fact, carefully crafted traps. The most notable among these were “Prettier Code for VSCode” with 955,000 installs, “Discord Rich Presence for VS Code” with 189,000 installs, and “Rojo Roblox Studio Sync” with 117,000 installs. However, the unusually high number of installs on these extensions pointed to a deliberate attempt to inflate their credibility.

The malicious extensions had a clear purpose: they worked as a gateway for a multi-stage attack. Initially, they downloaded a PowerShell loader from a remote command-and-control (C2) server, which then disabled Windows security features like Windows Defender. To maintain persistence, the attackers created scheduled tasks and registry entries designed to keep the malicious operations running undetected. One of the key actions was the installation of XMRig, a cryptominer that secretly used system resources to mine Monero, sending the mined currency to the attackers.

Additionally, the attackers made use of a technique known as defense evasion. They disabled Windows Update services and modified registry settings to prevent updates that could potentially neutralize their malware. To further mask their activities, the malicious extensions embedded DLLs and executables as base64-encoded strings within the PowerShell script, which were decoded and executed on the victim’s machine.

The attackers employed a clever strategy by using multiple aliases for the extensions while ensuring that they all shared the same infrastructure. This signaled a highly coordinated effort to bypass detection and maximize the attack’s effectiveness. Interestingly, the extensions were all published on the same day as the C2 domain, showing the attackers’ careful planning and execution.

What Undercode Say:

The rise in cryptomining campaigns like the one targeting VS Code underscores a worrying trend in the cyber threat landscape. These types of attacks are increasingly becoming more sophisticated, with attackers adopting a multi-layered approach to ensure persistence and evade detection. The reliance on trusted platforms like VS Code’s extension marketplace is a key aspect of their success. Developers, often focused on their work and productivity, may not scrutinize every tool they install. This campaign capitalized on that trust, hiding malicious behavior under the guise of legitimate, popular developer tools.

This attack not only highlights the growing threat of cryptomining but also serves as a stark reminder of the vulnerabilities within the software supply chain. While many developers believe they are working within a secure environment, attackers are constantly looking for new ways to exploit these platforms. As the extension ecosystems of platforms like VS Code continue to expand, it becomes more important than ever for developers to remain vigilant about the tools they install.

One of the most striking aspects of this campaign is the apparent effort to make the malicious extensions look credible. By artificially inflating the number of installs, the attackers made the extensions appear to be popular and widely trusted. This tactic is an effective one—many users are likely to feel more confident in using tools that have a large number of installs, without realizing that those installs may have been artificially boosted.

Another noteworthy detail is the use of PowerShell as the delivery mechanism for the initial stage of the attack. PowerShell, a legitimate and powerful system administration tool, is commonly used by attackers to execute scripts, making it a versatile weapon in their arsenal. The attackers’ ability to use PowerShell to disable security defenses, establish persistence, and execute additional payloads demonstrates the sophistication of the operation.

The fact that these extensions were discovered only after accumulating over a million installations emphasizes the scale of the problem. It also highlights a crucial aspect of modern cybersecurity: the need for more rigorous vetting processes within platforms that host developer tools. Developers need to be able to trust the tools they are using, and platforms must take greater responsibility for ensuring the security of the tools they provide.

Finally, the increasing frequency of supply chain attacks calls for a change in how developers approach security. It’s no longer enough to rely on traditional security tools and practices. Developers must adopt a more holistic security approach that includes scrutinizing third-party tools, using additional security measures, and staying informed about emerging threats. As these threats continue to evolve, so too must our approach to securing development environments.

Fact Checker Results:

  • C2 Domains: The C2 domains associated with the attack, as mentioned in the report, were asdf11[.]xyz and myaunet[.]su. These domains are consistent with previous cryptomining campaigns, pointing to a known group of attackers.
  • Malicious File Hashes: The file hashes, including Launcher.exe and XMRig.exe, are listed, and they have been verified against known cryptomining malware databases.
  • Extension Identification: The identified extensions, such as “Prettier Code for VSCode” and “Discord Rich Presence for VS Code,” were published by the specified authors and have been confirmed to have been involved in the attack.

References:

Reported By: cyberpress.org
Extra Source Hub:
https://www.instagram.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image