A sophisticated cryptomining campaign has been uncovered, targeting developers through malicious Visual Studio Code (VS Code) extensions.
These extensions, masquerading as legitimate tools, have collectively accumulated over one million installations, exposing the scale of the attack.
Researchers at ExtensionTotal detected the operation, which deploys a multi-stage payload to mine cryptocurrency in the background while delivering the expected functionality to avoid suspicion.
The malicious campaign involved ten VS Code extensions published by three different authors, primarily “Mark H,” starting April 4, 2025.
Among them, the most popular fake extension, “Discord Rich Presence,” reached 189,000 installs, while “Prettier Code for VSCode” accumulated an inflated count of 955,000 installs.
These extensions were uploaded to impersonate widely trusted development tools, and attackers even installed the legitimate versions of these extensions after deploying their malware to maintain credibility.
Once installed, the extensions secretly downloaded and executed a PowerShell loader from a recently created Command-and-Control (C2) domain, asdf11[.]xyz.
This script performed multiple malicious actions, including disabling Windows security measures, establishing persistence through scheduled tasks and registry modifications, and installing the XMRig cryptominer, which mines Monero cryptocurrency.
The campaign exhibited an advanced multi-stage process. The initial PowerShell script executed upon extension installation was responsible for persistence, defense evasion, privilege escalation, and payload execution.
The script set up a scheduled task disguised as “OneDriveStartup” and created registry entries to ensure persistence.
It disabled security services such as Windows Update and Update Medic Service, thereby preventing system protections from interfering with the malware.
To evade detection, the script excluded its installation directory from Windows Defender scans.
It also escalated privileges by attempting to run the payload as an administrator.
In cases where sufficient privileges were not available, it exploited the legitimate “ComputerDefaults.exe” in the System32 directory to execute a malicious DLL named “MLANG.dll.”
Finally, the script downloaded and executed “Launcher.exe,” a Trojan that communicated with another C2 domain, myaunet[.]su, to install the XMRig cryptomining software.
According to the report, this campaign highlights the growing threat of supply chain attacks on developer ecosystems.
Developers installing malicious extensions unknowingly expose their systems and potentially their organizations to cryptomining and other cyber risks.
By disguising these extensions as legitimate tools and delivering expected functionality, attackers leveraged the trust within the VS Code extension marketplace to infiltrate systems unnoticed.
Several Indicators of Compromise (IoCs) have been identified in this operation:
1. C2 Domains: The extensions communicated with asdf11[.]xyz and myaunet[.]su for payload downloads and cryptominer deployment.
2. Malicious File Hashes: Key files deployed during the campaign include:
- 2d17f0cb6c8d9488f2d101b90052692049b0c4bd9bf4949758aae7b1fd936191
- d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1
- 13db408a3232ea31aab8edc648b6c315782db9516e1c08c6bd667e17f5dd147c
3. Affected Extensions: Notable malicious VS Code packages include:
- prettierteam.prettier
- markh.discord-rich-presence-vs
- evaera-rbx.vscode-rojo-rbx
- vscodedeveloper.sobidity-compiler
These IoCs serve as critical markers for organizations to detect and mitigate the impact of the campaign.
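As an added example (not code from the ExtensionTotal report or from any project named in this article), the following read-only PowerShell triage script checks a Windows developer workstation for the artifacts and IoCs described above: the listed extension IDs, the “OneDriveStartup” scheduled task, Defender path exclusions, the disabled update services, and the named dropped files hashed against the published SHA-256 values. The service names wuauserv and WaaSMedicSvc (my mapping of “Windows Update” and “Update Medic Service”), the directories swept for dropped files, and the folder-name convention for installed extensions are assumptions of this example, not details from the report.

```powershell
# Added triage example (not code from the ExtensionTotal report). Read-only: it
# reports artifacts described in the write-up and changes nothing on the host.
# Assumptions (mine, not the report's): service names wuauserv/WaaSMedicSvc for
# "Windows Update"/"Update Medic Service", and the sweep directories in step 4.

$IocExtensionIds = @(           # extension IDs listed in the report
    'prettierteam.prettier',
    'markh.discord-rich-presence-vs',
    'evaera-rbx.vscode-rojo-rbx',
    'vscodedeveloper.sobidity-compiler'
)
$IocHashes = @(                 # SHA-256 values listed in the report
    '2d17f0cb6c8d9488f2d101b90052692049b0c4bd9bf4949758aae7b1fd936191',
    'd2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1',
    '13db408a3232ea31aab8edc648b6c315782db9516e1c08c6bd667e17f5dd147c'
)
$IocDomains   = @('asdf11.xyz', 'myaunet.su')    # listed defanged in the report
$IocFileNames = @('Launcher.exe', 'MLANG.dll')   # file names named in the report

$findings = New-Object System.Collections.Generic.List[string]

# 1. Installed extensions. VS Code names each folder "<publisher>.<name>-<version>"
#    (assumed convention); strip the version suffix and compare with the IoC IDs.
$extRoot = Join-Path $env:USERPROFILE '.vscode\extensions'
if (Test-Path $extRoot) {
    foreach ($dir in Get-ChildItem -Path $extRoot -Directory) {
        $id = $dir.Name -replace '-\d+\.\d+\.\d+.*$', ''
        if ($IocExtensionIds -contains $id) {
            $findings.Add("Listed malicious extension installed: $($dir.FullName)")
        }
    }
    # Extension sources that reference either C2 domain (first hit per file).
    $hits = Get-ChildItem -Path $extRoot -Recurse -File -Include *.js,*.json,*.ps1 -ErrorAction SilentlyContinue |
            Select-String -Pattern $IocDomains -SimpleMatch -List
    foreach ($h in $hits) { $findings.Add("C2 domain referenced in $($h.Path):$($h.LineNumber)") }
}

# 2. Persistence: the scheduled task disguised as "OneDriveStartup".
$task = Get-ScheduledTask -TaskName 'OneDriveStartup' -ErrorAction SilentlyContinue
if ($task) {
    $act = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Scheduled task 'OneDriveStartup' present in $($task.TaskPath): $act")
}

# 3. Defense evasion: Defender path exclusions (the report does not name the
#    excluded directory, so every exclusion is listed for review) and the two
#    update services the loader disables.
$exclusions = @()
try {
    $exclusions = @((Get-MpPreference -ErrorAction Stop).ExclusionPath | Where-Object { $_ })
    foreach ($p in $exclusions) { $findings.Add("Defender path exclusion (review): $p") }
} catch {
    $findings.Add("Could not read Defender preferences: $($_.Exception.Message)")
}
foreach ($svc in 'wuauserv', 'WaaSMedicSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -eq 'Disabled') {
        $findings.Add("Service '$svc' ($($s.DisplayName)) is disabled")
    }
}

# 4. Dropped files: look for the named files in common drop locations plus any
#    excluded paths (assumed sweep set), and compare SHA-256 with the IoC hashes.
$sweep = (@($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData) + $exclusions) |
         Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
foreach ($f in Get-ChildItem -Path $sweep -Recurse -File -Include $IocFileNames -ErrorAction SilentlyContinue) {
    $sha = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
    if ($IocHashes -contains $sha) {
        $findings.Add("Hash match for $($f.FullName): $sha")
    } else {
        $findings.Add("Named file present, hash not in IoC list (review): $($f.FullName) $sha")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the report found on this host.'
    exit 0
}
$findings | ForEach-Object { Write-Output "[!] $_" }
exit 1
```

Run it from an elevated PowerShell session so that Get-MpPreference and Get-ScheduledTask return the machine-wide state rather than only what the current user can see. A non-zero exit code means at least one indicator was found; the “review” entries are deliberately noisy, because the report lists neither the excluded directory nor which hash belongs to which file, so an analyst has to confirm them rather than the script.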
This cryptomining scheme underscores the urgent need for vigilance in the software supply chain.
With developers increasingly reliant on third-party extensions, malicious campaigns like these exploit the trust and convenience of extension marketplaces to infiltrate systems.
Organizations must prioritize extension vetting, employ advanced detection tools, and scrutinize open-source contributions to safeguard their ecosystems.
ExtensionTotal remains committed to helping development teams identify and address such threats, ensuring uninterrupted productivity without compromising security.