Malicious crypto-stealing VSCode extensions resurface on OpenVSX

Malicious Visual Studio Code (VSCode) extensions designed to steal cryptocurrency have reappeared on the OpenVSX marketplace, raising significant security concerns among developers and users. These extensions, disguised as legitimate tools, are engineered to intercept and exfiltrate crypto wallet information, posing a direct threat to digital asset security. The resurgence of these harmful extensions highlights the ongoing challenges in securing open-source software repositories and the critical need for vigilant code review and user awareness.

OpenVSX, an alternative to the official VSCode marketplace, has become a target for threat actors aiming to exploit its less stringent vetting processes. This incident underscores the importance of implementing robust security measures, including multi-factor authentication and regular extension audits, to mitigate risks associated with third-party software. Developers are urged to verify the authenticity of extensions and monitor for unusual activity to protect their assets.

The cybersecurity community continues to emphasize education and proactive defense strategies to combat the evolving tactics of cybercriminals exploiting popular development tools. This event serves as a reminder that even trusted platforms can be compromised, necessitating continuous vigilance and improved security protocols to safeguard user data and digital currencies.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 14 Oct 2025 21:40:09 +0000


Cyber News related to Malicious crypto-stealing VSCode extensions resurface on OpenVSX

The zero-day that could've compromised every Cursor and Windsurf user - In a recent post Yomtom explains that while examining the build process behind OpenVSX, the open-source marketplace powering extensions for tools like Cursor, Windsurf, VSCodium, and others, he discovered a critical flaw. Dubbed VSXPloit: A single ...
6 months ago Bleepingcomputer.com
VSCode extensions found downloading early-stage ransomware - It is notable that the extensions were uploaded onto the VSCode Marketplace on October 27, 2024 (ahban.cychelloworld) and February 17, 2025 (ahban.shiba), bypassing safety review processes and remaining on Microsoft's store for an extensive ...
10 months ago Bleepingcomputer.com
WhiteCobra floods VSCode Market with crypto-stealing extensions - Security researchers have uncovered a new wave of malicious extensions flooding the Visual Studio Code (VSCode) Marketplace, attributed to the WhiteCobra threat group. These extensions are designed to steal cryptocurrency from users by injecting ...
4 months ago Bleepingcomputer.com WhiteCobra
CVE-2025-52882 - Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an ...
7 months ago
VSCode extensions with 9 million installs pulled over security risks - Microsoft has removed two popular VSCode extensions, 'Material Theme – Free' and 'Material Theme Icons – Free,' from the Visual Studio Marketplace for allegedly containing malicious code. One of the researchers, Amit Assaraf, says ...
10 months ago Bleepingcomputer.com
Malicious VSCode extensions infect Windows with cryptominers - Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. If you have installed any of the nine extensions mentioned in the ...
9 months ago Bleepingcomputer.com
Glassworm malware returns on OpenVSX with 3 new VSCode extensions - The Glassworm malware has resurfaced on the OpenVSX marketplace, disguised within three new Visual Studio Code (VSCode) extensions. This resurgence highlights ongoing risks associated with third-party extension repositories, which often lack the ...
2 months ago Bleepingcomputer.com
CVE-2025-12194 - Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows ...
3 months ago
Cyble Discovers Cyberattack Using VSCode For Remote Access - Cyble Research and Intelligence Lab (CRIL) researchers have uncovered a sophisticated campaign that starts with a suspicious .LNK file and uses Visual Studio Code (VSCode) to establish persistence and remote access – and installs the VSCode command ...
1 year ago Thecyberexpress.com
Microsoft apologizes for removing VSCode extensions used by millions - Microsoft has reinstated the 'Material Theme – Free' and 'Material Theme Icons – Free' extensions on the Visual Studio Marketplace after finding that the obfuscated code they contained wasn't actually malicious. According to Astorino, the ...
10 months ago Bleepingcomputer.com
Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus - In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its ...
2 years ago Darkreading.com Lazarus Group
CVE-2022-50231 - In the Linux kernel, the following vulnerability has been resolved: ...
7 months ago
Fake VPN Chrome extensions force-installed 1.5 million times - Three malicious Chrome extensions posing as VPNs were downloaded 1.5 million times, acting as browser hijackers, cashback hack tools, and data stealers. According to ReasonLabs, which discovered the malicious extensions, they are spread via ...
2 years ago Bleepingcomputer.com
Over 6 Million Chrome Extensions Can Execute Remote Commands on Users’ Browsers - A major security incident has come to light involving more than six million installations of Chrome browser extensions that secretly execute remote commands, track user activity, and potentially expose sensitive information. John Tuckner of secure ...
9 months ago Cybersecuritynews.com
Google Takes Down Over 50,000 Instances of Malicious Chrome Extensions - Google recently took down over 50,000 Chrome browser extensions after discovering that they were involved in malicious activity. The malicious activity included advertising click fraud, downloading malware, and displaying adware. According to Google, ...
2 years ago Thehackernews.com
Developers Beware of Malicious VS Code Extension Apps With Million of Installations - Cybersecurity researchers have uncovered a disturbing campaign targeting software developers through malicious Visual Studio Code extensions that have collectively amassed millions of installations. These compromised extensions, masquerading as ...
9 months ago Cybersecuritynews.com
The Week in Ransomware - January 20th, 2023 Crypto Exchanges Under Attack - The week of January 20th, 2023 brought yet another wave of ransomware attacks targeting crypto exchanges. Crypto exchanges all around the world have been hit by a barrage of sophisticated and well-planned ransomware campaigns. From high-profile ...
3 years ago Bleepingcomputer.com
Fake Madgicx Plus and SocialMetrics Pro Chrome Extensions Found Stealing Facebook Credentials - Cybersecurity researchers have uncovered a new phishing campaign involving fake Chrome extensions named Madgicx Plus and SocialMetrics Pro. These malicious extensions are designed to steal Facebook credentials from unsuspecting users by mimicking ...
4 months ago Thehackernews.com
Netgear, Hyundai latest X accounts hacked to push crypto drainers - The official Netgear and Hyundai MEA Twitter/X accounts are the latest hijacked to push scams designed to infect potential victims with cryptocurrency wallet drainer malware. While Hyundai has already regained access to their account and has cleaned ...
2 years ago Bleepingcomputer.com
Malicious Chrome VPN Extensions Installed 1.5M Times Browsers - In a recent cybersecurity revelation, a highly sophisticated cyber attack campaign has emerged, weaving a web of deceit through malicious web extensions cunningly disguised as VPNs. ReasonLabs, a cybersecurity firm, has discovered online piracy ...
2 years ago Cybersecuritynews.com
12 Malicious Extensions Found in VSCode Marketplace: A Security Alert - The Visual Studio Code (VSCode) marketplace recently faced a significant security threat with the discovery of 12 malicious extensions. These extensions, designed to appear legitimate, were found to contain harmful code capable of compromising user ...
2 months ago Cybersecuritynews.com
Web3 security firm CertiK's X account hacked to push crypto drainer - The Twitter/X account of blockchain security firm CertiK was hijacked today to redirect the company's more than 343,000 followers to a malicious website pushing a cryptocurrency wallet drainer. Crypto fraud sleuth ZachXBT later leaked screenshots of ...
2 years ago Bleepingcomputer.com
Chrome extensions with 6 million installs have hidden tracking code - While Tuckner didn't catch any extensions stealing user passwords or cookies, the excessively risky capabilities, heavily obfuscated code, and hidden logic were enough for the researcher to label them as risky and, potentially, spyware. A set of 57 ...
9 months ago Bleepingcomputer.com
SquareX Unveils Polymorphic Extensions that Morph Infostealers into Any Browser Extension - Password Managers, Wallets at Risk - In addition to the polymorphic attack, SquareX was also the first to discover and disclose multiple extension-based attacks, including Browser Syncjacking, the Chrome Store consent phishing attack leading to Cyberhaven’s breach and numerous other ...
10 months ago Cybersecuritynews.com