CyberSecurityBoard
Sponsor Register Login

Malicious VSCode extensions infect Windows with cryptominers

Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. If you have installed any of the nine extensions mentioned in the ExtensionTotal report, you should remove them immediately and then manually locate and delete the coin miner, scheduled tasks, registry key, and malware directory. ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025. Microsoft VSCode is a popular code editor that allows users to install extensions to extend the program's functionality. These extensions can be downloaded from Microsoft's VSCode Marketplace, an online hub for developers to find and install add-ons. When installed and activated, the malicious extensions fetch a PowerShell script from an external source at ' [.]xyz/' and execute it. If the malware wasn't executed with admin rights, it mimics a system binary (ComputerDefaults.exe) and performs DLL hijacking using a malicious MLANG.dll to elevate privileges and execute the Launcher.exe payload. ExtensionTotal says it reported the malicious extensions to Microsoft, but they are still available at the time of writing. First, it creates a scheduled task disguised as "OnedriveStartup" and injects a script in the Windows Registry to ensure the malware (Launcher.exe) runs at system startup. BleepingComputer has contacted Microsoft about the nine extensions, and we will update this post with their response. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. The malicious PowerShell script performs multiple functions, like disabling defenses, establishing persistence, escalating privileges, and eventually loading the cryptominer. The executable, which comes in base64-encoded form, is decoded by the PowerShell script to connect with a secondary server at myaunet[.]su to download and run XMRig, a Monero cryptocurrency miner.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 07 Apr 2025 17:20:11 +0000


Cyber News related to Malicious VSCode extensions infect Windows with cryptominers

VSCode extensions found downloading early-stage ransomware - It is notable that the extensions were uploaded onto the VSCode Marketplace on October 27, 2024 (ahban.cychelloworld) and February 17, 2025 (ahban.shiba), bypassing safety review processes and remaining on Microsoft's store for an extensive ...
2 months ago Bleepingcomputer.com
Malicious VSCode extensions infect Windows with cryptominers - Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. If you have installed any of the nine extensions mentioned in the ...
2 months ago Bleepingcomputer.com
VSCode extensions with 9 million installs pulled over security risks - Microsoft has removed two popular VSCode extensions, 'Material Theme – Free' and  'Material Theme Icons – Free,' from the Visual Studio Marketplace for allegedly containing malicious code. One of the researchers, Amit Assaraf, says ...
3 months ago Bleepingcomputer.com
Cyble Discovers Cyberattack Using VSCode For Remote Access - Cyble Research and Intelligence Lab (CRIL) researchers have uncovered a sophisticated campaign that starts with a suspicious .LNK file and uses Visual Studio Code (VSCode) to establish persistence and remote access – and installs the VSCode command ...
8 months ago Thecyberexpress.com
Microsoft apologizes for removing VSCode extensions used by millions - Microsoft has reinstated the 'Material Theme – Free' and 'Material Theme Icons – Free' extensions on the Visual Studio Marketplace after finding that the obfuscated code they contained wasn't actually malicious. According to Astorino, the ...
3 months ago Bleepingcomputer.com
Fake VPN Chrome extensions force-installed 1.5 million times - Three malicious Chrome extensions posing as VPN infected were downloaded 1.5 million times, acting as browser hijackers, cashback hack tools, and data stealers. According to ReasonLabs, which discovered the malicious extensions, they are spread via ...
1 year ago Bleepingcomputer.com
Google Takes Down Over 50,000 Instances of Malicious Chrome Extensions - Google recently took down over 50,000 Chrome browser extensions after discovering that they were involved in malicious activity. The malicious activity included advertising click fraud, downloading malware, and displaying adware. According to Google, ...
2 years ago Thehackernews.com
Over 6 Million Chrome Extensions Can Execute Remote Commands on Users’ Browsers - A major security incident has come to light involving more than six million installations of Chrome browser extensions that secretly execute remote commands, track user activity, and potentially expose sensitive information. John Tuckner of secure ...
1 month ago Cybersecuritynews.com
Developers Beware of Malicious VS Code Extension Apps With Million of Installations - Cybersecurity researchers have uncovered a disturbing campaign targeting software developers through malicious Visual Studio Code extensions that have collectively amassed millions of installations. These compromised extensions, masquerading as ...
2 months ago Cybersecuritynews.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com
Malicious Chrome VPN Extensions Installed 1.5M Times Browsers - In a recent cybersecurity revelation, a highly sophisticated cyber attack campaign has emerged, weaving a web of deceit through malicious web extensions cunningly disguised as VPNs. ReasonLabs, a cybersecurity firm, has discovered online piracy ...
1 year ago Cybersecuritynews.com
CVE-2023-46248 - Cody is an artificial intelligence (AI) coding assistant. The Cody AI VSCode extension versions 0.10.0 through 0.14.0 are vulnerable to Remote Code Execution under certain conditions. An attacker in control of a malicious repository could modify the ...
1 year ago
Majority of Browser Extensions Pose Critical Security Risk, A New Report Reveals - A new 2025 Enterprise Browser Extension Security Report, uniquely combining data from public extension marketplaces and real-world enterprise usage telemetry to spotlight this underestimated threat vector. Extensive Permissions to Sensitive ...
1 month ago Bleepingcomputer.com
Data-theft malware exploits Windows Defender SmartScreen The Register - Criminals are exploiting a Windows Defender SmartScreen bypass vulnerability to infect PCs with Phemedrone Stealer, a malware strain that scans machines for sensitive information - passwords, cookies, authentication tokens, you name it - to grab and ...
1 year ago Go.theregister.com CVE-2023-36025
Chrome extensions with 6 million installs have hidden tracking code - While Tuckner didn't catch any extensions stealing user passwords or cookies, the excessively risky capabilities, heavily obfuscated code, and hidden logic were enough for the researcher to label them as risky and, potentially, spyware. A set of 57 ...
1 month ago Bleepingcomputer.com
SquareX Unveils Polymorphic Extensions that Morph Infostealers into Any Browser Extension - Password Managers, Wallets at Risk - In addition to the polymorphic attack, SquareX was also the first to discover and disclose multiple extension-based attacks, including Browser Syncjacking, the Chrome Store consent phishing attack leading to Cyberhaven’s breach and numerous other ...
3 months ago Cybersecuritynews.com
Malicious Chrome extensions can spoof password managers in new attack - In SquareX's demonstration, the attackers impersonate the 1Password password manager extension by first disabling the legitimate one using the 'chrome.management' API, or if the permissions aren't available, user interface manipulation tactics to ...
3 months ago Bleepingcomputer.com
Hackers Deliver Malware via Browser Extensions & Legitimate Tools to Bypass Security Controls - Quick Assist, a preinstalled Windows application designed for remote troubleshooting, requires victims to share a six-digit verification code with attackers posing as IT support personnel. Over the past six months, threat actors have refined ...
2 months ago Cybersecuritynews.com
Google Chrome disables uBlock Origin for some in Manifest v3 rollout - Google continues its rollout of gradually disabling uBlock Origin and other Manifest V2-based extensions in the Chrome web browser as part of its efforts to push users to Manifest V3-based extensions. For those who need more time, Google will let the ...
3 months ago Bleepingcomputer.com
Microsoft No Longer Selling Windows 10 Licenses Redirects to Windows 11 Product Pages - Marking an end to an era, Microsoft is no longer directly selling Windows 10 product keys on their website, instead redirecting users to Windows 11 product pages. This month, Microsoft began displaying an alert on their Windows 10 Home and Pro ...
2 years ago Bleepingcomputer.com
New Polymorphic Attack That Mimic Any Chrome Extension Installed On The Browser - This newly discovered “polymorphic extension attack” creates pixel-perfect replicas of legitimate extensions’ icons, HTML popups, and workflows, making it nearly impossible for users to distinguish them from authentic extensions. ...
3 months ago Cybersecuritynews.com
CVE-2021-21415 - Prisma VS Code a VSCode extension for Prisma schema files. This is a Remote Code Execution Vulnerability that affects all versions of the Prisma VS Code extension older than 2.20.0. If a custom binary path for the Prisma format binary is set in VS ...
2 years ago
CVE-2022-35975 - The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using ...
2 years ago
Microsoft disables MSIX protocol handler abused in malware attacks - Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware. The attackers exploited the CVE-2021-43890 Windows AppX Installer spoofing ...
1 year ago Bleepingcomputer.com CVE-2021-43890 FIN7
Millions of Enterprises at Risk: SquareX Shows How Malicious Extensions Bypass Google’s MV3 Restrictions - Cybersecurity Insiders - This has made browser extensions a very effective and potent technique to silently be installed and monitor enterprise users, and attackers are leveraging them to monitor communication over web calls, act on the victim’s behalf to give permissions ...
8 months ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)