Two malicious extensions on Microsoft's Visual Studio Code Marketplace infect developers' machines with information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions.
The marketplace hosts extensions for the popular VSCode integrated development environment (IDE) to extend functionality or add customization options.
The two malicious extensions, called Bitcoin Black and Codo AI, masquerade as a color theme and an AI assistant, respectively, and were published under the developer name 'BigBlack.'
At the time of writing, Codo AI was still present in the marketplace, although it counted fewer than 30 downloads. Bitcoin Black's counter showed only one install.
Codo AI on VSCode Market
Source: BleepingComputer.com
According to Koi Security, the Bitcoin Black malicious extension features a "*" activation event that executes on every VSCode action. It can also run PowerShell code, something that a theme does not need and should be a red flag.
In older versions, Bitcoin Black used a PowerShell script to download a password-protected archived payload, which created a visible PowerShell window and could have warned the user.
In more recent versions, though, the process switched to a batch script (bat.sh) that calls 'curl' to download a DLL file and an executable, and the activity occurs with the window hidden.
Malicious payload from bat.sh
... continue reading