CyberSecurity news
FlagThis
@blog.extensiontotal.com
//
Multiple malicious Visual Studio Code (VSCode) extensions have been identified, posing a significant threat to developers. Discovered on April 4, 2025, these extensions, found on the Microsoft VSCode Marketplace, masquerade as legitimate development tools. They include names such as "Discord Rich Presence" and "Rojo – Roblox Studio Sync" and operate by surreptitiously downloading and executing a PowerShell script. This script then disables Windows security features, establishes persistence through scheduled tasks, and installs the XMRig cryptominer, designed to mine Ethereum and Monero, all without the user's knowledge.
The attack employs a sophisticated multi-stage approach. Once installed, the malicious extensions download a PowerShell loader from a remote command-and-control (C2) server. This loader then disables security services to evade detection and deploys the XMRig cryptominer to exploit the victim's system resources for cryptocurrency mining. Notably, the attackers even install legitimate versions of the extensions they impersonate, a tactic designed to maintain the appearance of normalcy and prevent users from suspecting any malicious activity, further highlighting the deceptive nature of this campaign. Researchers at ExtensionTotal uncovered the malicious extensions and noted many had artificially inflated install counts designed to reduce suspicion.
This incident underscores the growing threat of supply chain attacks targeting development environments. By exploiting vulnerabilities in the VSCode Marketplace, malicious actors can distribute malware to a wide range of developers. The fact that these extensions were able to bypass Microsoft's safety review processes raises concerns about the security of the marketplace. Users are strongly advised to exercise caution when installing VSCode extensions, carefully reviewing publisher details and extension permissions before installation. This serves as a reminder of the importance of robust security measures and constant vigilance to protect against evolving cyber threats.
ImgSrc: www.csoonline.c
References :
The attack employs a sophisticated multi-stage approach. Once installed, the malicious extensions download a PowerShell loader from a remote command-and-control (C2) server. This loader then disables security services to evade detection and deploys the XMRig cryptominer to exploit the victim's system resources for cryptocurrency mining. Notably, the attackers even install legitimate versions of the extensions they impersonate, a tactic designed to maintain the appearance of normalcy and prevent users from suspecting any malicious activity, further highlighting the deceptive nature of this campaign. Researchers at ExtensionTotal uncovered the malicious extensions and noted many had artificially inflated install counts designed to reduce suspicion.
This incident underscores the growing threat of supply chain attacks targeting development environments. By exploiting vulnerabilities in the VSCode Marketplace, malicious actors can distribute malware to a wide range of developers. The fact that these extensions were able to bypass Microsoft's safety review processes raises concerns about the security of the marketplace. Users are strongly advised to exercise caution when installing VSCode extensions, carefully reviewing publisher details and extension permissions before installation. This serves as a reminder of the importance of robust security measures and constant vigilance to protect against evolving cyber threats.
ImgSrc: www.csoonline.c
Share:
References :
- blog.extensiontotal.com: reports on a VSCode extension cryptojacking campaign.
- Secure Bulletin: reports on the malicious VSCode extensions and a growing threat to developers
- The DefendOps Diaries: Discusses safeguarding VSCode and addressing the threat of malicious extensions.
- BleepingComputer: Details how malicious VSCode extensions infect Windows with cryptominers.
- www.csoonline.com: CSOOnline reports the malicious tools.
- securebulletin.com: Malicious VSCode extensions: a growing threat to developers
- bsky.app: Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
- www.scworld.com: Cryptojacking facilitated by nefarious VS Code extensions
- aboutdfir.com: Malicious VSCode extensions infect Windows with cryptominersÂ
- securityonline.info: Malicious VSCode Extensions Caught Mining Crypto with XMRig
Classification:
- HashTags: #VSCode #Cryptomining #Security
- Company: Microsoft
- Target: Software Developers
- Product: VSCode
- Feature: Cryptojacking
- Malware: XMRig
- Type: Malware
- Severity: High