Article Details

Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data. Cybersecurity researchers have discovered two new extensions on Microsoft Visual Studio Code (VS Code) Marketplace that are designed to infect developer machines with stealer malware. The VS Code extensions masquerade as a premium dark theme and an artificial intelligence (AI)-powered coding assistant, but, in actuality, harbor covert functionality to download additional payloads, take screenshots, and siphon data. The captured information is then sent to an attacker-controlled server. "Your code. Your emails. Your Slack DMs. Whatever's on your screen, they're seeing it too," Koi Security's Idan Dardikman said. "And that's just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions." The names of the extensions are below - Microsoft's list of removed extensions from the Marketplace shows that the company also removed a third package named "BigBlack.mrbigblacktheme" from the same publisher for containing malware. While "BigBlack.bitcoin-black" activates on every VS Code action, Codo AI embeds its malicious functionality within a working tool, thereby allowing it to bypass detection. Earlier versions of the extensions came with the ability to execute a PowerShell script to download a password-protected ZIP archive from an external server ("syn1112223334445556667778889990[.]org") and extract from it the main payload using four different methods: Windows native Expand-Archive, .NET System.IO.Compression, DotNetZip, and 7-Zip (if installed). That said, the attacker is said to have inadvertently shipped a version that created a visible PowerShell window and could have alerted the user. Subsequent iterations, however, have been found to hide the window and streamline the entire process by switching to a batch script that uses a curl command to download the executable and DLL. The executable is the legitimate Lightshot binary that's used to load the rogue DLL ("Lightshot.dll") via DLL hijacking, which proceeds to gather clipboard contents, a list of installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, and detailed system information. It also launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions. "A developer could install what looks like a harmless theme or a useful AI tool, and within seconds their WiFi passwords, clipboard contents, and browser sessions are being exfiltrated to a remote server," Dardikman said. The disclosure comes as Socket said it identified malicious packages across the Go, npm, and Rust ecosystems that are capable of harvesting sensitive data - "Finch-rust acts as a malware loader; it contains mostly legitimate code copied from the legitimate finch package but includes a single malicious line that loads and executes the sha-rust payload," Socket researcher Kush Pandya said. "This separation of concerns makes detection harder: finch-rust looks benign in isolation, while sha-rust contains the actual malware."