A recent warning to developers using Microsoft’s Visual Studio Code (VSCode) editor has highlighted the discovery of 10 malicious extensions that could potentially infect systems with cryptomining software. According to researchers at ExtensionTotal, these deceptive extensions, which disguise themselves as popular development tools, have been available on the VSCode Marketplace since April 4. While the exact number of installations is uncertain, researchers believe that up to 1 million downloads could have occurred. However, there are suspicions that threat actors may have artificially inflated the download figures to appear more widespread than they actually are.
Once installed, the malicious extensions download a PowerShell loader that ensures persistence on the system, disables security services, and triggers the deployment of the XMRig cryptominer from a remote command-and-control (C2) server. The cryptominer silently runs in the background, consuming system resources and potentially slowing down the affected machine. This latest attack is part of an ongoing trend where attackers target developers by planting harmful tools on trusted sites like GitHub, npm, and others, hoping to trick users into downloading them.
Robert Beggs, CEO of the Canadian incident response firm DigitalDefence, referred to this attack as a “classic” third-party supply chain attack. He noted that while the techniques used are not particularly advanced, the real concern lies in the lack of proper defenses on developers’ machines. Beggs emphasized that there should be multiple layers of protection in place, such as Microsoft Defender, which should warn users when a security feature is being disabled or when a critical system change, like a Windows Registry modification, is attempted.
The real issue, Beggs argues, is that developers often disable these security alerts while focusing on their coding tasks. This tendency to overlook security warnings makes them particularly vulnerable to attacks like the one described. To mitigate such risks, Beggs advises that organizations should ensure their developers work in isolated environments, separate from the production network. This layered security approach would help prevent malicious extensions from compromising critical systems and applications.