Malicious VSCode Extensions on Microsoft's Registry Drop Infostealers
Two malicious extensions on Microsoft's Visual Studio Code Marketplace infect developers' machines with information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions.
The marketplace hosts extensions for the popular VSCode integrated development environment (IDE) to extend functionality or add customization options.
The two malicious extensions, called Bitcoin Black and Codo AI, masquerade as a color theme and an AI assistant, respectively, and were published under the developer name 'BigBlack.'
At the time of writing, Codo AI was still present in the marketplace, although it counted fewer than 30 downloads. Bitcoin Black's counter showed only one install.
According to Koi Security, the Bitcoin Black malicious extension declares a "*" activation event, which triggers on every VSCode action. It can also run PowerShell code, something a color theme has no need for and which should be treated as a red flag.
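The point above (a theme should declare no code entry point and no catch-all activation) can be turned into a quick audit of installed extensions. The following script is an added example written for this article, not code from Koi Security or from the extensions themselves. It parses VS Code extension manifests (`package.json`), flags any extension with a `"*"` activation event, and flags extensions that only contribute themes yet ship a `main`/`browser` entry point or activation hooks. The three manifests embedded in it are constructed samples, and the default extensions directory (`~/.vscode/extensions`) is an assumption about a typical install.

```python
"""Audit VS Code extension manifests for theme extensions that carry executable code."""
import json
from pathlib import Path
from typing import Dict, List

# Constructed sample manifests for demonstration; not the real extensions' files.
SAMPLE_MANIFESTS: Dict[str, str] = {
    "acme.quiet-theme": json.dumps({
        "name": "quiet-theme", "publisher": "acme",
        "contributes": {"themes": [{"label": "Quiet", "uiTheme": "vs-dark",
                                    "path": "./themes/quiet.json"}]},
    }),
    "someone.suspicious-theme": json.dumps({
        "name": "suspicious-theme", "publisher": "someone",
        "activationEvents": ["*"],           # code runs on startup, no user trigger
        "main": "./out/extension.js",       # a theme has no reason to ship JS
        "contributes": {"themes": [{"label": "Dark", "uiTheme": "vs-dark",
                                    "path": "./themes/dark.json"}]},
    }),
    "acme.helper": json.dumps({
        "name": "helper", "publisher": "acme",
        "activationEvents": ["onCommand:helper.run"],
        "main": "./out/extension.js",
        "contributes": {"commands": [{"command": "helper.run", "title": "Run helper"}]},
    }),
}

# Contribution points a pure theme extension legitimately uses.
THEME_ONLY_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}


def is_theme_only(manifest: dict) -> bool:
    """True when the manifest contributes nothing beyond theme assets."""
    contributes = manifest.get("contributes") or {}
    if "themes" not in contributes and "iconThemes" not in contributes:
        return False
    return not (set(contributes) - THEME_ONLY_CONTRIBUTIONS)


def audit_manifest(manifest: dict) -> List[str]:
    """Return human-readable findings for one manifest (empty list = nothing odd)."""
    findings: List[str] = []
    events = manifest.get("activationEvents") or []
    if "*" in events:
        findings.append("'*' activation event: extension code runs whenever VS Code starts")
    if is_theme_only(manifest):
        # Note: since VS Code 1.74 activationEvents may be inferred from contributes,
        # so an absent key does not prove no activation; the entry-point check is the key one.
        if manifest.get("main") or manifest.get("browser"):
            findings.append("theme-only extension ships a code entry point (main/browser)")
        if events:
            findings.append("theme-only extension declares activationEvents")
    return findings


def audit_all(manifests: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a mapping of extension id -> raw package.json text; keep only hits."""
    results: Dict[str, List[str]] = {}
    for ext_id, raw in manifests.items():
        findings = audit_manifest(json.loads(raw))
        if findings:
            results[ext_id] = findings
    return results


def scan_extensions_dir(root: Path = Path.home() / ".vscode" / "extensions") -> Dict[str, List[str]]:
    """Read every <root>/<extension>/package.json and audit it (assumed default layout)."""
    manifests = {p.parent.name: p.read_text(encoding="utf-8")
                 for p in root.glob("*/package.json")}
    return audit_all(manifests)


if __name__ == "__main__":
    for ext_id, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(ext_id)
        for f in findings:
            print("  -", f)
```

Running it on the samples reports only `someone.suspicious-theme`; the ordinary theme and the command-based helper extension pass. Run `scan_extensions_dir()` to audit a real install, and treat a hit as a prompt to read the extension's JavaScript rather than as proof of malice.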
In older versions, Bitcoin Black used a PowerShell script to download a password-protected archived payload, which created a visible PowerShell window and could have warned the user.
In more recent versions, though, the process switched to a batch script (bat.sh) that calls 'curl' to download a DLL file and an executable, and the activity occurs with the window hidden.
Idan Dardikman of Koi Security says that Codo AI has code assistance functionality via ChatGPT or DeepSeek, but also includes a malicious section.
Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that is loaded via the DLL hijacking technique to deploy the infostealer under the name runtime.exe.
The malicious DLL is flagged as a threat by 29 of the 72 antivirus engines on VirusTotal, the researcher notes in a report published today.
Source: BleepingComputer