


Perceptive Security
SOC/SIEM Consultancy

Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data
Published:
9 December 2025 at 08:07:00
Alert date:
9 December 2025 at 09:00:35
Source:
thehackernews.com
Cybersecurity researchers discovered two malicious extensions on the Microsoft Visual Studio Code Marketplace that infect developer machines with stealer malware. The extensions masquerade as a premium dark theme and an AI-powered coding assistant but contain covert functionality to download additional payloads and steal sensitive data from developer workstations. This represents a supply chain attack targeting the developer community through compromised marketplace extensions.
Technical details
Two malicious VS Code extensions masqueraded as a premium dark theme and an AI-powered coding assistant. They execute PowerShell scripts that download password-protected ZIP archives from external servers and extract the payloads using one of several methods (Windows Expand-Archive, .NET System.IO.Compression, DotNetZip, 7-Zip). The malware uses DLL hijacking of the legitimate Lightshot binary to load a rogue DLL, captures screenshots, clipboard contents, Wi-Fi credentials and system information, and hijacks browser sessions by launching Chrome and Edge in headless mode. Additional malicious packages across the Go, npm, and Rust ecosystems include typosquatting libraries, reverse shell execution, and credential stealing through modular malware loaders.
Mitigation steps:
Microsoft has already removed the malicious VS Code extensions from the Marketplace. Developers should verify package authenticity before installation, avoid typosquatted libraries, and monitor for suspicious network activity such as connections to paste sites and reverse shell callbacks. Organizations should implement package scanning and validation processes for development environments.
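As an added example (not part of the original alert and not Perceptive's tooling), the following Python checker looks for the indicators named in this alert in a project's go.mod, Cargo.toml and package.json and in the output of `code --list-extensions`. The manifest parsers, function names and sample manifests are assumptions constructed for this illustration; the package names and extension IDs are the ones listed under IOCs above.

```python
import fnmatch
import json

# Indicators listed in the alert above; the npm entry is a shell-style glob.
BAD_GO = {"github.com/bpoorman/uuid", "github.com/bpoorman/uid"}
BAD_CRATES, BAD_NPM_GLOBS = {"finch-rust", "sha-rust"}, ["elf-stats-*"]
BAD_VSIX = {"bigblack.bitcoin-black", "bigblack.codo-ai", "bigblack.mrbigblacktheme"}  # compared lowercase

def go_mod_modules(text):
    """Module paths from single-line and block 'require' directives of a go.mod."""
    mods, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop '// indirect' style comments
        if line.startswith("require ("):
            in_block = True
        elif line == ")":
            in_block = False
        elif line.startswith("require "):
            mods.append(line.split()[1])
        elif in_block and line:
            mods.append(line.split()[0])
    return mods

def cargo_deps(text):  # crate names from [dependencies]-style tables of a Cargo.toml
    deps, in_deps = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_deps = line.strip("[]").endswith("dependencies")
        elif in_deps and "=" in line:
            deps.append(line.split("=", 1)[0].strip().strip('"'))
    return deps

def npm_deps(text):  # package names from dependencies/devDependencies of a package.json
    data = json.loads(text) if text.strip() else {}
    return [n for k in ("dependencies", "devDependencies") for n in data.get(k, {})]

def scan(go_mod="", cargo_toml="", package_json="", extension_list=""):
    """Return (ecosystem, name) pairs that match the alert's indicators."""
    hits = [("go", m) for m in go_mod_modules(go_mod) if m in BAD_GO]
    hits += [("cargo", c) for c in cargo_deps(cargo_toml) if c in BAD_CRATES]
    hits += [("npm", n) for n in npm_deps(package_json)
             if any(fnmatch.fnmatch(n, g) for g in BAD_NPM_GLOBS)]
    hits += [("vscode", e) for e in extension_list.split() if e.lower() in BAD_VSIX]
    return hits

# Constructed sample inputs (not real project files); extension_list is one ID per line.
SAMPLE_GO_MOD = "module example.com/app\n\nrequire (\n\tgithub.com/google/uuid v1.6.0\n\tgithub.com/bpoorman/uuid v0.1.0 // indirect\n)\n"
SAMPLE_CARGO = '[package]\nname = "demo"\n\n[dependencies]\nserde = "1"\nfinch-rust = "0.2"\n'
SAMPLE_PKG = '{"dependencies": {"express": "^4.19", "elf-stats-demo": "1.0.0"}}'
SAMPLE_EXTS = "ms-python.python\nbigblack.codo-ai\n"
```

Running `scan(SAMPLE_GO_MOD, SAMPLE_CARGO, SAMPLE_PKG, SAMPLE_EXTS)` flags one hit per ecosystem in the constructed samples; wire the same call into a CI step over real manifests to block the listed packages before they are installed.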
Affected products:
Microsoft Visual Studio Code Marketplace
Go packages: github.com/bpoorman/uuid, github.com/bpoorman/uid
420 unique npm packages with elf-stats-* naming pattern
Rust crates: finch-rust, sha-rust
Google Chrome (session hijacking)
Microsoft Edge (session hijacking)
Lightshot application (legitimate binary used for DLL hijacking)
Related links:
https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen
https://github.com/microsoft/vsmarketplace/blob/main/RemovedPackages.md
https://socket.dev/blog/malicious-go-packages-impersonate-googles-uuid-library-and-exfiltrate-data
https://socket.dev/blog/elves-on-npm
https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credentials
Related CVEs:
Related threat actors:
IOCs:
BigBlack.bitcoin-black (VS Code extension), BigBlack.codo-ai (VS Code extension), BigBlack.mrbigblacktheme (VS Code extension), syn1112223334445556667778889990[.]org (C2 server), Lightshot.dll (malicious DLL), github.com/bpoorman/uuid (malicious Go package), github.com/bpoorman/uid (malicious Go package), finch-rust (malicious Rust crate), sha-rust (credential stealing package), elf-stats-* (npm package naming pattern), Pipedream endpoint (data exfiltration), dpaste (data exfiltration site)
This article was created with the assistance of AI technology by Perceptive.
