CyberSecurityBoard
Sponsor Register Login

Malicious VSCode extensions infect Windows with cryptominers

Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. If you have installed any of the nine extensions mentioned in the ExtensionTotal report, you should remove them immediately and then manually locate and delete the coin miner, scheduled tasks, registry key, and malware directory. ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025. Microsoft VSCode is a popular code editor that allows users to install extensions to extend the program's functionality. These extensions can be downloaded from Microsoft's VSCode Marketplace, an online hub for developers to find and install add-ons. When installed and activated, the malicious extensions fetch a PowerShell script from an external source at ' [.]xyz/' and execute it. If the malware wasn't executed with admin rights, it mimics a system binary (ComputerDefaults.exe) and performs DLL hijacking using a malicious MLANG.dll to elevate privileges and execute the Launcher.exe payload. ExtensionTotal says it reported the malicious extensions to Microsoft, but they are still available at the time of writing. First, it creates a scheduled task disguised as "OnedriveStartup" and injects a script in the Windows Registry to ensure the malware (Launcher.exe) runs at system startup. BleepingComputer has contacted Microsoft about the nine extensions, and we will update this post with their response. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. The malicious PowerShell script performs multiple functions, like disabling defenses, establishing persistence, escalating privileges, and eventually loading the cryptominer. The executable, which comes in base64-encoded form, is decoded by the PowerShell script to connect with a secondary server at myaunet[.]su to download and run XMRig, a Monero cryptocurrency miner.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 07 Apr 2025 17:20:11 +0000


Cyber News related to Malicious VSCode extensions infect Windows with cryptominers

VSCode extensions found downloading early-stage ransomware - It is notable that the extensions were uploaded onto the VSCode Marketplace on October 27, 2024 (ahban.cychelloworld) and February 17, 2025 (ahban.shiba), bypassing safety review processes and remaining on Microsoft's store for an extensive ...
7 months ago Bleepingcomputer.com
Malicious VSCode extensions infect Windows with cryptominers - Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. If you have installed any of the nine extensions mentioned in the ...
7 months ago Bleepingcomputer.com
CVE-2025-52882 - Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an ...
4 months ago
VSCode extensions with 9 million installs pulled over security risks - Microsoft has removed two popular VSCode extensions, 'Material Theme – Free' and  'Material Theme Icons – Free,' from the Visual Studio Marketplace for allegedly containing malicious code. One of the researchers, Amit Assaraf, says ...
8 months ago Bleepingcomputer.com
Cyble Discovers Cyberattack Using VSCode For Remote Access - Cyble Research and Intelligence Lab (CRIL) researchers have uncovered a sophisticated campaign that starts with a suspicious .LNK file and uses Visual Studio Code (VSCode) to establish persistence and remote access – and installs the VSCode command ...
1 year ago Thecyberexpress.com
WhiteCobra floods VSCode Market with crypto-stealing extensions - Security researchers have uncovered a new wave of malicious extensions flooding the Visual Studio Code (VSCode) Marketplace, attributed to the WhiteCobra threat group. These extensions are designed to steal cryptocurrency from users by injecting ...
1 month ago Bleepingcomputer.com WhiteCobra
Microsoft apologizes for removing VSCode extensions used by millions - Microsoft has reinstated the 'Material Theme – Free' and 'Material Theme Icons – Free' extensions on the Visual Studio Marketplace after finding that the obfuscated code they contained wasn't actually malicious. According to Astorino, the ...
7 months ago Bleepingcomputer.com
The zero-day that could've compromised every Cursor and Windsurf user - In a recent post Yomtom explains that while examining the build process behind OpenVSX, the open-source marketplace powering extensions for tools like Cursor, Windsurf, VSCodium, and others, he discovered a critical flaw. Dubbed VSXPloit: A single ...
4 months ago Bleepingcomputer.com
Fake VPN Chrome extensions force-installed 1.5 million times - Three malicious Chrome extensions posing as VPN infected were downloaded 1.5 million times, acting as browser hijackers, cashback hack tools, and data stealers. According to ReasonLabs, which discovered the malicious extensions, they are spread via ...
1 year ago Bleepingcomputer.com
Google Takes Down Over 50,000 Instances of Malicious Chrome Extensions - Google recently took down over 50,000 Chrome browser extensions after discovering that they were involved in malicious activity. The malicious activity included advertising click fraud, downloading malware, and displaying adware. According to Google, ...
2 years ago Thehackernews.com
Over 6 Million Chrome Extensions Can Execute Remote Commands on Users’ Browsers - A major security incident has come to light involving more than six million installations of Chrome browser extensions that secretly execute remote commands, track user activity, and potentially expose sensitive information. John Tuckner of secure ...
6 months ago Cybersecuritynews.com
Developers Beware of Malicious VS Code Extension Apps With Million of Installations - Cybersecurity researchers have uncovered a disturbing campaign targeting software developers through malicious Visual Studio Code extensions that have collectively amassed millions of installations. These compromised extensions, masquerading as ...
7 months ago Cybersecuritynews.com
Malicious crypto-stealing VSCode extensions resurface on OpenVSX - Malicious Visual Studio Code (VSCode) extensions designed to steal cryptocurrency have reappeared on the OpenVSX marketplace, raising significant security concerns among developers and users. These extensions, disguised as legitimate tools, are ...
4 weeks ago Bleepingcomputer.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com
Malicious Chrome VPN Extensions Installed 1.5M Times Browsers - In a recent cybersecurity revelation, a highly sophisticated cyber attack campaign has emerged, weaving a web of deceit through malicious web extensions cunningly disguised as VPNs. ReasonLabs, a cybersecurity firm, has discovered online piracy ...
1 year ago Cybersecuritynews.com
12 Malicious Extensions Found in VSCode Marketplace: A Security Alert - The Visual Studio Code (VSCode) marketplace recently faced a significant security threat with the discovery of 12 malicious extensions. These extensions, designed to appear legitimate, were found to contain harmful code capable of compromising user ...
1 week ago Cybersecuritynews.com
Glassworm malware returns on OpenVSX with 3 new VSCode extensions - The Glassworm malware has resurfaced on the OpenVSX marketplace, disguised within three new Visual Studio Code (VSCode) extensions. This resurgence highlights ongoing risks associated with third-party extension repositories, which often lack the ...
4 days ago Bleepingcomputer.com
Malicious Chrome extensions with 1.7M installs found on Web Store - Almost a dozen malicious extensions with 1.7 million downloads in Google's Chrome Web Store could track users, steal browser activity, and redirect to potentially unsafe web addresses. According to the researchers, most of the malicious functionality ...
4 months ago Bleepingcomputer.com
Malicious Chrome extensions with 1.7M installs found on Web Store - Almost a dozen malicious extensions with 1.7 million downloads in Google's Chrome Web Store could track users, steal browser activity, and redirect to potentially unsafe web addresses. According to the researchers, the malicious functionality is ...
4 months ago Bleepingcomputer.com
Threat Actors May Abuse VS Code Extensions to Deliver Malware - Visual Studio Code (VS Code) extensions have become a popular tool for developers to enhance their coding environment. However, recent cybersecurity research highlights a growing threat where malicious actors exploit these extensions to deliver ...
6 days ago Cybersecuritynews.com
Fake Madgicx Plus and SocialMetrics Pro Chrome Extensions Found Stealing Facebook Credentials - Cybersecurity researchers have uncovered a new phishing campaign involving fake Chrome extensions named Madgicx Plus and SocialMetrics Pro. These malicious extensions are designed to steal Facebook credentials from unsuspecting users by mimicking ...
2 months ago Thehackernews.com
CVE-2023-46248 - Cody is an artificial intelligence (AI) coding assistant. The Cody AI VSCode extension versions 0.10.0 through 0.14.0 are vulnerable to Remote Code Execution under certain conditions. An attacker in control of a malicious repository could modify the ...
2 years ago
Majority of Browser Extensions Pose Critical Security Risk, A New Report Reveals - A new 2025 Enterprise Browser Extension Security Report, uniquely combining data from public extension marketplaces and real-world enterprise usage telemetry to spotlight this underestimated threat vector. Extensive Permissions to Sensitive ...
6 months ago Bleepingcomputer.com
Data-theft malware exploits Windows Defender SmartScreen The Register - Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain that scans machines for sensitive information - passwords, cookies, authentication tokens, you name it - to grab and ...
1 year ago Go.theregister.com CVE-2023-36025
Chrome extensions with 6 million installs have hidden tracking code - While Tuckner didn't catch any extensions stealing user passwords or cookies, the excessively risky capabilities, heavily obfuscated code, and hidden logic were enough for the researcher to label them as risky and, potentially, spyware. A set of 57 ...
6 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)