'WhiteCobra' floods VSCode market with crypto-stealing extensions

A threat actor named WhiteCobra has been targeting VSCode, Cursor, and Windsurf users by planting 24 malicious extensions in the Visual Studio marketplace and the Open VSX registry.

The campaign is ongoing as the threat actor continuously uploads new malicious code to replace the extensions that are removed.

In a public post, core Ethereum developer Zak Cole described how his wallet was drained after using a seemingly legitimate extension (contractshark.solidity-lang) for the Cursor code editor.

Cole explained that the extension featured all the signs of a benign product, with a professionally designed icon, a detailed description, and 54,000 downloads on OpenVSX, Cursor's official registry.

WhiteCobra is the same group responsible for the $500,000 crypto-theft in July, through a fake extension for the Cursor editor, according to researchers at endpoint security provider Koi.

WhiteCobra attacks

VS (Visual Studio) Code, Cursor, and Windsurf are code editors supporting the VSIX extension - the default package format for extensions published on the VS Code Marketplace and the OpenVSX platform.

This cross-compatibility and the lack of proper submission review on these platforms make them ideal for attackers looking to run campaigns with a broad reach.

According to Koi Security, WhiteCobra creates malicious VSIX extensions that appear legitimate thanks to carefully crafted descriptions and inflated download counts.
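Because the three editors install the same VSIX packages and a polished listing says nothing about safety, a single check by extension ID can cover all of them. The following is an added example, not code from the article or from Koi: it looks for the extension ID named above in each editor's per-user extension folder, where the folder paths are assumed defaults and the function names are illustrative.

```python
import json
import re
from pathlib import Path

# Extension ID named in the article (publisher.name form).
BLOCKLIST = {"contractshark.solidity-lang"}

def default_roots():
    """Assumed default per-user extension folders; adjust to your installs."""
    home = Path.home()
    return {
        "VS Code": home / ".vscode" / "extensions",
        "Cursor": home / ".cursor" / "extensions",
        "Windsurf": home / ".windsurf" / "extensions",
    }

def extension_id(ext_dir):
    """Return 'publisher.name' from an unpacked extension's package.json, or None."""
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{manifest['publisher']}.{manifest['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        return None

def id_from_folder(name):
    """Fallback: strip '-<version>[-platform]' from a folder named publisher.name-1.2.3."""
    return re.sub(r"-\d+\.\d+\.\d+.*$", "", name.lower())

def find_blocklisted(roots=None, blocklist=BLOCKLIST):
    """Scan every editor's extension folder; return (editor, id, path) for each hit."""
    roots = roots if roots is not None else default_roots()
    wanted = {b.lower() for b in blocklist}
    hits = []
    for editor, root in roots.items():
        if not Path(root).is_dir():
            continue  # editor not installed for this user
        for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
            # Prefer the manifest; fall back to the folder name if it is unreadable.
            ext_id = extension_id(ext_dir) or id_from_folder(ext_dir.name)
            if ext_id in wanted:
                hits.append((editor, ext_id, str(ext_dir)))
    return hits

if __name__ == "__main__":
    for editor, ext_id, path in find_blocklisted():
        print(f"[!] {editor}: {ext_id} installed at {path}")
```

A hit means the extension was unpacked on disk for that editor; an empty result only covers the folders that were scanned.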

Koi Security discovered that the following extensions are part of the latest WhiteCobra campaign:
