Microsoft VSCode Marketplace Infiltrated by Stealthy Malware Targeting Crypto Developers

Malicious VSCode Extensions Target Developers and Crypto Projects

Security researchers have uncovered a sophisticated supply chain attack involving malicious Visual Studio Code extensions targeting developers and cryptocurrency projects. The campaign, first detected in October 2024, includes 18 malicious extensions and several npm packages designed to compromise development environments.

Key Findings:

– 18 malicious VSCode extensions discovered, primarily targeting cryptocurrency investors and productivity tool users
– Extensions masqueraded as legitimate tools, including Ethereum development packages and Zoom integrations
– Five versions of a suspicious npm package ‘etherscancontacthandler’ were identified with 350 total downloads
– Attackers employed fake reviews and inflated installation numbers to appear legitimate

Technical Details:

The malicious extensions download obfuscated second-stage payloads from suspicious domains, including:
– microsoft-visualstudiocode[.]com
– captchacdn[.]com
– Various .lat and .ru domains

The payload analysis revealed:
– Heavily obfuscated Windows CMD files
– Hidden PowerShell commands
– AES-encrypted strings
– Malicious MLANG.DLL file (detected by 27/71 antivirus engines)

Security Recommendations:

Developers should:
– Validate code safety before installation
– Verify extension authenticity
– Avoid cloned plugins and dependencies
– Check extension reviews and download counts carefully
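One way to act on the indicators in the Technical Details section and the recommendations above is to scan the locally installed extension directory for the named download domains and for file hashes on a published IoC list. The script below is an added example written for this article; it is not from the researchers' report or from Microsoft. It assumes the extension folder layout VS Code uses (one subdirectory per extension), takes the two domains and the .lat/.ru TLDs from the article, and leaves the SHA1 set as an empty placeholder because the article does not reproduce the hashes. The demo tree it builds is constructed for illustration and contains no real extension code.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Second-stage download domains named in the article, kept in defanged form
# ("[.]") as IoC lists usually are; refang() normalises before matching.
SUSPICIOUS_DOMAINS = ("microsoft-visualstudiocode[.]com", "captchacdn[.]com")
# The article also mentions "various .lat and .ru domains": flag these TLDs
# for review, not as proof of compromise.
SUSPICIOUS_TLDS = (".lat", ".ru")
# PLACEHOLDER: the researchers' published SHA1 IoCs belong here; the article
# does not list them, so the default set is empty.
KNOWN_BAD_SHA1 = set()

TEXT_SUFFIXES = {".js", ".json", ".cmd", ".bat", ".ps1", ".txt"}
URL_RE = re.compile(r"https?://([^\s\"'<>/\\]+)", re.IGNORECASE)


def refang(s: str) -> str:
    """Turn a defanged host ("a[.]b") back into a matchable one ("a.b")."""
    return s.replace("[.]", ".")


def sha1_of_file(path: Path) -> str:
    """SHA1 of a file, streamed so large bundles do not load into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_host(host: str):
    """Return 'ioc-domain', 'suspicious-tld', or None for a URL host."""
    host = refang(host).lower().rstrip(".").split(":")[0]
    for d in SUSPICIOUS_DOMAINS:
        d = refang(d).lower()
        if host == d or host.endswith("." + d):
            return "ioc-domain"
    if host.endswith(SUSPICIOUS_TLDS):
        return "suspicious-tld"
    return None


def scan_extension(ext_dir: Path, bad_sha1=KNOWN_BAD_SHA1) -> dict:
    """Hash every file and grep text files for URLs pointing at IoC hosts."""
    findings = {"extension": ext_dir.name, "bad_hashes": [], "urls": []}
    for path in sorted(ext_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(ext_dir))
        digest = sha1_of_file(path)
        if digest in bad_sha1:
            findings["bad_hashes"].append((rel, digest))
        if path.suffix.lower() in TEXT_SUFFIXES:
            for host in URL_RE.findall(path.read_text(errors="replace")):
                verdict = classify_host(host)
                if verdict:
                    findings["urls"].append((rel, refang(host), verdict))
    return findings


def scan_extensions_root(root: Path, bad_sha1=KNOWN_BAD_SHA1) -> list:
    """Scan each extension directory under root; return only those with hits."""
    hits = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        f = scan_extension(ext_dir, bad_sha1)
        if f["bad_hashes"] or f["urls"]:
            hits.append(f)
    return hits


def build_demo_root() -> Path:
    """CONSTRUCTED sample tree: one benign and one suspicious extension."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-demo-"))
    benign = root / "publisher.good-tool-1.0.0"
    benign.mkdir()
    (benign / "package.json").write_text('{"name": "good-tool", "version": "1.0.0"}')
    (benign / "extension.js").write_text('fetch("https://api.github.com/repos/x/y");')
    bad = root / "publisher.eth-helper-0.0.3"
    bad.mkdir()
    (bad / "package.json").write_text('{"name": "eth-helper", "version": "0.0.3"}')
    (bad / "extension.js").write_text(
        'const u = "https://captchacdn[.]com/stage2"; fetch("http://update.example.lat/x");')
    (bad / "stage2.cmd").write_bytes(b"@echo off\r\nrem placeholder second stage\r\n")
    return root


if __name__ == "__main__":
    # Point this at ~/.vscode/extensions (or %USERPROFILE%\.vscode\extensions)
    # for a real check; the demo tree is used here so the script runs offline.
    for hit in scan_extensions_root(build_demo_root()):
        print(hit)
```

The hash check only fires when `KNOWN_BAD_SHA1` is populated from the researchers' indicator list, so on its own the URL check is the useful part of the demo; a `suspicious-tld` verdict is a prompt to inspect the extension, while an `ioc-domain` verdict means the bundle references one of the domains the article ties to the campaign.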

The campaign represents a significant threat to the development community, particularly those working with cryptocurrency projects. All affected extensions have been documented with SHA1 hashes to help identify and prevent potential compromises.