Cybersecurity researchers have discovered two new extensions on Microsoft Visual Studio Code (VS Code) Marketplace that are designed to infect developer machines with stealer malware.
The VS Code extensions masquerade as a premium dark theme and an artificial intelligence (AI)-powered coding assistant, but, in actuality, harbor covert functionality to download additional payloads, take screenshots, and siphon data. The captured information is then sent to an attacker-controlled server.
“Your code. Your emails. Your Slack DMs. Whatever’s on your screen, they’re seeing it too,” Koi Security’s Idan Dardikman said. “And that’s just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions.”
The names of the extensions are below –
- BigBlack.bitcoin-black (16 installs) – Removed by Microsoft on December 5, 2025
- BigBlack.codo-ai (25 installs) – Removed by Microsoft on December 8, 2025
Microsoft’s list of removed extensions from the Marketplace shows that the company also removed a third package named “BigBlack.mrbigblacktheme” from the same publisher for containing malware.
While “BigBlack.bitcoin-black” activates on every VS Code action, Codo AI embeds its malicious functionality within a working tool, thereby allowing it to bypass detection.
Earlier versions of the extensions came with the ability to execute a PowerShell script to download a password-protected ZIP archive from an external server (“syn1112223334445556667778889990[.]org”) and extract from it the main payload using four different methods: Windows native Expand-Archive, .NET System.IO.Compression, DotNetZip, and 7-Zip (if installed).
That said, the attacker is said to have inadvertently shipped a version that created a visible PowerShell window and could have alerted the user. Subsequent iterations, however, have been found to hide the window and streamline the entire process by switching to a batch script that uses a curl command to download the executable and DLL.
The executable is the legitimate Lightshot binary that’s used to load the rogue DLL (“Lightshot.dll”) via DLL hijacking, which proceeds to gather clipboard contents, a list of installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, and detailed system information. It also launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.
“A developer could install what looks like a harmless theme or a useful AI tool, and within seconds their WiFi passwords, clipboard contents, and browser sessions are being exfiltrated to a remote server,” Dardikman said.
The disclosure comes as Socket said it identified malicious packages across the Go, npm, and Rust ecosystems that are capable of harvesting sensitive data –
- Go packages named “github[.]com/bpoorman/uuid” and “github[.]com/bpoorman/uid” that have been available since 2021 and typosquat trusted…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
