Malicious VS Code Extensions on Microsoft's Marketplace Cause Cryptojacking Activity
In a recent development, researchers from ExtensionTotal have uncovered a series of malicious extensions in the Visual Studio Code (VS Code) marketplace. At least nine such extensions were uploaded, with the most popular one, 'Discord Rich Presence,' managing to gain 189,000 installs alone.
The artificially inflated install counts of these extensions suggest they were made to appear widely trusted and actively used. Seven of these malicious extensions were uploaded by an author named 'Mark H.', while another was uploaded by 'evaera'. Notably, the final extension, 'Solidity Compiler', was published by 'VSCode Developer'.
The malicious extensions, part of a large-scale, sophisticated cryptojacking campaign, were found to contain the exact same malicious code. They communicated with the same Command-and-Control (C2) server and downloaded the same malicious payload, indicating they originated from the same source.
The payload, in this case, was a PowerShell script that secretly installed an XMRig cryptominer from a remote C2 server. XMRig is a popular, open-source cryptocurrency mining software used for mining Monero (XMR) and other cryptocurrencies that use the RandomX or Cryptonight algorithms.
The threat group responsible for this campaign has been identified as WhiteCobra, which deployed 24 malicious extensions targeting developers and cryptocurrency users on Microsoft’s Visual Studio Marketplace and the Open VSX Registry.
Microsoft has responded to the report of the malicious extensions, and users can report suspicious extensions on the VS Marketplace website using the 'Report a concern' button or by emailing '[email protected]' directly.
This article was updated on April 8 to add Microsoft's response. The discovery of these malicious extensions underscores how the extension ecosystem's trust metrics, such as install counts, can be manipulated, a weakness that attackers are actively exploiting.
It is also worth mentioning a separate incident involving Google Chrome infostealers developed with GenAI tools which, while not directly related to the malicious VS Code extensions, serves as a reminder of the ongoing threats facing developers and users.