
VS Code Marketplace Infested With Stealth Malware in Disguise

Security researchers exposed two malicious VS Code extensions masquerading as a dark theme and AI coding assistant. These extensions deployed advanced infostealer malware capable of hijacking browser sessions, draining cryptocurrency wallets, and capturing system data without user awareness.

Evan Mael
Dec 09, 2025
6 min read

Introduction

On December 8, 2025, security researchers at Koi Security disclosed a sophisticated supply chain attack targeting Visual Studio Code developers worldwide. Two extensions in Microsoft's official VS Code Marketplace—Bitcoin Black and Codo AI—contained hidden infostealer malware designed to systematically extract sensitive credentials, cryptocurrency holdings, and authenticated browser sessions from developer machines. Published under a developer account named "BigBlack," these trojanized tools represent a troubling evolution in marketplace-based supply chain compromises, arriving just months after other high-profile extension-based campaigns exposed the fragility of trust in open development ecosystems.

What Happened: Two Trojanized Extensions Discovered in Microsoft's Marketplace

The discovery emerged from Koi Security's threat intelligence operations, which flagged an unusual pattern of suspicious behavior in two seemingly legitimate VS Code extensions. The first extension, Bitcoin Black, presented itself as a minimalist dark color theme designed to reduce eye strain during extended coding sessions. The second, Codo AI, offered what appeared to be a genuine artificial intelligence coding assistant, complete with real integration to ChatGPT and DeepSeek APIs—features that lent credibility to the malicious payload hidden beneath.

What made these extensions particularly deceptive was their partial functionality. Bitcoin Black did function as a theme, while Codo AI genuinely provided AI-assisted code completion. This hybrid approach—mixing legitimate features with malicious code—represents an effective obfuscation technique that could bypass both automated security checks and human scrutiny from casual users browsing the marketplace.

At the time of the disclosure, Bitcoin Black had recorded only a single installation, while Codo AI had accumulated fewer than thirty downloads. Despite the limited reach, the threat actor's infrastructure suggests a capability for rapid distribution if the extensions had remained undetected for longer periods. Microsoft removed both extensions from the marketplace immediately upon notification, preventing further compromise of developer environments.

Technical Analysis: How the Malware Operated and Evolved

The malicious payload within each extension relied on a sophisticated multi-stage deployment mechanism that evolved across different versions, suggesting active refinement by the threat actor based on detection feedback.

Activation and Execution Framework

Bitcoin Black employed what security researchers call an "onModuleActivation" trigger—a VS Code system event that fires whenever a developer performs virtually any action within the editor. This allowed the malware to execute its payload seamlessly and repeatedly without raising suspicion, since the extension appeared to be behaving normally in response to legitimate user activity.

Deployment Technique: From Visible to Invisible

Early versions of Bitcoin Black launched a visible PowerShell window, a critical operational security failure that could alert security-conscious developers to the malicious activity. The threat actor subsequently refined the approach by switching to a batch script (BAT file) that invoked curl commands to silently download external payloads without displaying any visible window or system notification. This demonstrated active iteration and adaptation—hallmarks of a threat actor working to stay ahead of detection.

DLL Hijacking and Legitimate Binary Abuse

The downloaded payload consisted of two files: a legitimate copy of Lightshot (a popular screenshot utility) and a malicious dynamic-link library (DLL). Using a technique called DLL hijacking, the malware caused the legitimate Lightshot executable to load the malicious library in place of the one it expected, so the infostealer ran under a trusted parent process and evaded security software that looks only for unsigned or obviously malicious binaries.

According to VirusTotal data, the malicious DLL was detected by 29 out of 72 antivirus engines at the time of analysis—a detection ratio sufficient for security platforms but insufficient to prevent distribution through less-monitored deployment vectors.

Data Harvesting Operations

Once active, the infostealer established a staging directory named "Evelyn" in the user's AppData\Local folder. This directory served as a collection point for stolen information before exfiltration, including running process lists, clipboard contents, saved WiFi credentials, system configuration data, installed software inventories, and full-screen screenshots.

Browser Session and Cryptocurrency Targeting

The malware's most aggressive functions targeted two high-value data categories. For browser compromise, it launched Google Chrome and Microsoft Edge in headless mode—invisible background processes with no visible window—to extract stored cookies and hijack authenticated sessions without user knowledge. This technique granted attackers immediate access to services where the developer maintained active logins: GitHub repositories, cloud infrastructure dashboards, internal corporate systems, and SaaS applications.

For cryptocurrency theft, the malware specifically scanned for popular self-custody wallets including Phantom, Metamask, and Exodus, attempting to siphon balances or seed phrases that would grant complete wallet control.

Impact and Business Implications: Why Developers Should Care

This incident exposes critical vulnerabilities in how developer-focused supply chains operate and where trust is misplaced within open-source and extension ecosystems.

Immediate Threat Scope

Developers working with Visual Studio Code represent one of the largest user bases in software development globally. VS Code's extension architecture—while powerful and flexible—creates an attractive target for threat actors because a single malicious extension can compromise an entire developer environment, granting access to source code repositories, deployment credentials, and cryptocurrency holdings simultaneously.

Supply Chain Multiplier Effect

A compromised developer machine doesn't represent an isolated incident. Once attackers gain access, they can modify project files, inject backdoors into version-controlled codebases, exfiltrate source code to competitors, or manipulate builds before deployment. A single developer compromise can ripple across an entire organization's infrastructure and customer base.

This incident follows a series of similarly sophisticated campaigns discovered throughout 2025. Koi Security previously reported GlassWorm—described as the first self-propagating worm in VS Code extensions—which affected 35,800 developer installations and deployed remote access tools on developer machines. The TigerJack campaign similarly deployed 11 malicious extensions targeting code theft and cryptocurrency mining. This pattern suggests threat actors have optimized supply chain compromise techniques to scale and persist within open extension ecosystems.

Detection Challenges

Traditional endpoint security tools struggle to flag these extensions as malicious because the extensions request minimal permissions upfront, execute gradually, and masquerade as legitimate development tools. The vast majority of developers install extensions without reviewing their source code or sandboxing their behavior.

Expert Analysis: The Broader Landscape of Marketplace Compromises

The Bitcoin Black and Codo AI incident reflects a fundamental asymmetry in the extension marketplace ecosystem: verification requirements and security gates remain minimal, while the trust placed in developers by the ecosystem is absolute.

Microsoft's VS Code Marketplace lacks mandatory code review, security scanning, or publisher verification requirements comparable to those enforced by mobile app stores. A developer account can be created and extensions published within minutes, with no verification of identity or security audit before reaching millions of potential users. In contrast, Apple's App Store and Google Play require human review, code signing, and publisher identity verification—protections notably absent from code-focused marketplaces.

The incident also highlights a persistent challenge in open-source security: distinguishing between legitimate functionality and malicious payload. Both Bitcoin Black and Codo AI provided genuine features, making it harder for users to identify the hidden components. This hybrid-payload approach bypasses behavioral analysis and leaves users with no "obvious" malicious behavior on which to base a decision to quarantine the extension.

Furthermore, the automatic update mechanism in VS Code—which silently updates extensions by default—creates an attack vector where extensions can remain benign during initial installation and then deploy malicious code only after an update. Users never receive notification or consent for the update that transforms their trusted tool into a trojan.

Protecting Your Developer Environment: Immediate Actions and Long-Term Strategy

Developers and security teams can reduce exposure to extension-based compromises through a combination of immediate hardening measures and architectural changes.

Immediate Steps

1. Audit Installed Extensions
Review all currently installed VS Code extensions against threat intelligence feeds. Cross-reference your installed extensions against published lists of known-malicious extensions, and remove anything published by unfamiliar or single-purpose developers.

2. Disable Auto-Update
Disable automatic extension updates in VS Code settings, and implement a manual review process before updating any extension. This creates a speed bump that allows threat intelligence to catch malicious updates before they propagate.

3. Restrict Browser Access
Since this malware specifically targeted browser cookies and sessions, implement browser isolation or container-based browsing when working with sensitive systems. Use separate browser profiles for development work, banking, and cryptocurrency interactions.

4. Monitor Clipboard Activity
The infostealer specifically targeted clipboard content. Be cautious when copying sensitive information like API keys, tokens, or private keys into your development environment, and consider using clipboard managers with encryption.
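The following audit script supports step 1 above and the activation-event behavior described earlier. It is an added example, not code from Koi Security or Microsoft: it walks the standard VS Code extensions directory, reads each extension's package.json, and flags manifests that match a blocklist, request activation on essentially every session, or declare themselves a color theme while shipping a code entry point (the Bitcoin Black pattern). The blocklisted extension ID and the two sample manifests are constructed placeholders.

```python
"""Audit installed VS Code extensions for the traits this campaign showed.
Added example, not Koi Security's or Microsoft's code. Assumes the usual
~/.vscode/extensions/<publisher>.<name>-<version>/package.json layout;
blocklist entries are constructed placeholders, not IDs from the report."""
import json
import tempfile
from pathlib import Path

BLOCKED_PUBLISHERS = {"bigblack"}              # publisher name given in the disclosure
BLOCKED_IDS = {"bigblack.placeholder-ext-id"}  # placeholder, not a real extension ID
BROAD_ACTIVATION = {"*", "onStartupFinished"}  # events that run code on nearly every session


def audit_extensions(ext_root: Path) -> list[dict]:
    """Return one finding per extension whose manifest is blocklisted or risky."""
    findings = []
    for pkg in sorted(ext_root.glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            findings.append({"id": pkg.parent.name, "reasons": ["unreadable package.json"]})
            continue
        publisher = str(meta.get("publisher", "")).lower()
        ext_id = f"{publisher}.{str(meta.get('name', '')).lower()}"
        reasons = []
        if publisher in BLOCKED_PUBLISHERS or ext_id in BLOCKED_IDS:
            reasons.append("matches blocklist")
        broad = set(meta.get("activationEvents", [])) & BROAD_ACTIVATION
        if broad:
            reasons.append("broad activation: " + ",".join(sorted(broad)))
        # A colour theme is declarative: it contributes themes and needs no code entry point.
        if "themes" in meta.get("contributes", {}) and meta.get("main"):
            reasons.append("theme that ships executable code (main entry)")
        if reasons:
            findings.append({"id": ext_id, "reasons": reasons})
    return findings


def build_sample_root() -> Path:
    """Write two constructed manifests: a benign theme and a code-carrying 'theme'."""
    root = Path(tempfile.mkdtemp())
    benign = {"name": "calm-theme", "publisher": "trusted-dev",
              "contributes": {"themes": [{"label": "Calm", "path": "calm.json"}]}}
    trojan = {"name": "dark-theme-sample", "publisher": "BigBlack", "main": "./out/extension.js",
              "activationEvents": ["*"],
              "contributes": {"themes": [{"label": "Dark", "path": "dark.json"}]}}
    for m in (benign, trojan):
        d = root / f"{m['publisher'].lower()}.{m['name']}-1.0.0"
        d.mkdir()
        (d / "package.json").write_text(json.dumps(m), encoding="utf-8")
    return root
```

Point `audit_extensions` at your real extensions folder to run it against an installed set; pairing it with step 2 (confirming `extensions.autoUpdate` is false in settings.json) ensures a flagged extension is not silently replaced by a newer version before review.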

Long-Term Architectural Recommendations

Organizations should implement mandatory extension allowlisting policies, permitting only pre-approved extensions from verified publishers. This approach converts the default-trust model into a default-deny model, significantly reducing exposure to zero-day extension compromises.

Security teams should also evaluate sandboxing solutions that isolate VS Code and the development environment from broader network access, limiting lateral movement if a compromised extension does gain execution.

Conclusion

The Bitcoin Black and Codo AI incident demonstrates that marketplace-based supply chain attacks are evolving faster than detection and prevention mechanisms can adapt. Both extensions have been removed from the Microsoft VS Code Marketplace, but their discovery underscores a critical vulnerability: open extension ecosystems remain fundamentally susceptible to trojanized tools disguised as legitimate functionality.

Developers must recognize that installing an extension is equivalent to granting execution privileges to untrusted code with access to their entire development environment. While convenience and functionality drive adoption of new tools, security vigilance during installation—combined with organizational policies enforcing extension review and sandboxing—remains the most effective defense against future marketplace-based compromises.

The security community continues to uncover new malicious extensions and campaigns, suggesting that defenders will encounter escalating threats. Organizations should treat developer environment security as a critical supply chain control point, equivalent to source code security and build pipeline integrity.


Sources

  • BleepingComputer: "Malicious VSCode extensions on Microsoft's registry drop infostealers" (December 8, 2025)
  • IT-Connect: "Visual Studio Code : 2 extensions volent vos données avec un infostealer" ("Visual Studio Code: 2 extensions steal your data with an infostealer") (2025)
  • Koi Security: Official threat analysis and disclosure report on Bitcoin Black and Codo AI extensions (2025)
  • Veracode Security Blog: "GlassWorm: The First Self-Propagating VS Code Extension Worm" (October 22, 2025)

About the Author

Evan Mael

IT consultant specializing in cloud infrastructure and Microsoft 365 modernization, focusing on Zero Trust architecture, intelligent automation, and enterprise resilience across AI, cybersecurity, and digital transformation.