- 9 malicious extensions discovered in the VSCode Marketplace
- The malware installs an XMRig cryptominer that mines in the background.
- The extensions appeared to be legitimate development tools
- Microsoft has not yet removed all harmful extensions

Visual Studio Code, or simply VSCode, has become one of the favorite tools of programmers around the world. Its versatility and the ability to add functionality through extensions make it especially attractive. But that same openness has become a gateway for cyberthreats that exploit users' trust.
In recent days a disturbing finding has come to light: nine extensions in the official VSCode Marketplace concealed malicious code. Presented as legitimate utilities meant to improve the development experience, they actually infected systems with cryptomining software designed to quietly consume the computer's resources. The discovery has raised concern in the developer community and underlines the need for stricter oversight of platforms of this kind.
Compromised extensions in the VSCode Marketplace
The discovery was made by Yuval Ronen, a researcher at the ExtensionTotal platform, who found that a series of extensions available on Microsoft's VSCode Marketplace executed hidden code once installed. That code ran a PowerShell script which downloaded and silently installed XMRig, an open-source miner widely abused in illicit cryptomining operations, typically to mine Monero.
The affected packages were published on April 4, 2025, and could be installed by any user without restriction. They were presented as useful tools, some posing as language compilers and others as artificial-intelligence or developer utilities. Below is the complete list of reported extensions:
- Discord Rich Presence for VSCode – by Mark H
- Rojo – Roblox Studio Sync – by evaera
- Solidity Compiler – by VSCode Developer
- Claude AI – by Mark H
- Golang Compiler – by Mark H
- ChatGPT Agent for VSCode – by Mark H
- HTML Obfuscator – by Mark H
- Python Obfuscator – by Mark H
- Rust Compiler for VSCode – by Mark H
Some of these extensions showed surprisingly high install counts: "Discord Rich Presence" reported over 189,000 installs and "Rojo – Roblox Studio Sync" around 117,000. Many security researchers have pointed out that these figures may have been artificially inflated to create an appearance of popularity and attract more unsuspecting users.
At the time of the public reports the extensions were still available in the Marketplace, which drew criticism of Microsoft for its slow response to the security alerts. That the installations came from an official source makes the matter even more delicate.
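The first question on any affected team is simply "is one of these on my machine?". The following PowerShell is an added example (not code from the article or from ExtensionTotal) that inventories the extensions installed for the current user and flags any whose displayName matches one of the nine names listed above. The extension directory is the default per-user path and is an assumption; adjust it for `--extensions-dir` or portable installs. A hit is a lead for review, not a verdict: the script reportedly installs the legitimate extension it impersonated, so a clean copy can sit next to the trojanised one.

```powershell
# Added example, not from the article or from ExtensionTotal. Lists installed
# VSCode extensions and flags any whose displayName matches a reported name.

$suspectNames = @(
    'Discord Rich Presence for VSCode',
    'Rojo - Roblox Studio Sync',
    'Solidity Compiler',
    'Claude AI',
    'Golang Compiler',
    'ChatGPT Agent for VSCode',
    'HTML Obfuscator',
    'Python Obfuscator',
    'Rust Compiler for VSCode'
)

function Get-NormalizedName([string]$s) {
    # Fold en/em dashes to '-', collapse whitespace and lower-case, so that
    # 'Rojo – Roblox Studio Sync' and 'Rojo - Roblox Studio Sync' compare equal.
    (($s -replace '[\u2013\u2014]', '-') -replace '\s+', ' ').Trim().ToLowerInvariant()
}

function Find-SuspectExtensions {
    # Default per-user extension directory (assumed; not stated in the article).
    param([string]$ExtensionDir = (Join-Path $env:USERPROFILE '.vscode\extensions'))

    $wanted = $suspectNames | ForEach-Object { Get-NormalizedName $_ }

    # Each extension lives in <publisher>.<name>-<version>\package.json
    Get-ChildItem -Path $ExtensionDir -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $manifestPath = Join-Path $_.FullName 'package.json'
        if (-not (Test-Path -LiteralPath $manifestPath)) { return }
        try { $pkg = Get-Content -Raw -LiteralPath $manifestPath | ConvertFrom-Json } catch { return }

        # displayName may be an nls placeholder such as %displayName%; fall back to name
        $display = if ($pkg.displayName -and $pkg.displayName -notmatch '^%.*%$') { $pkg.displayName } else { $pkg.name }

        if ($wanted -contains (Get-NormalizedName $display)) {
            [pscustomobject]@{
                DisplayName = $display
                ExtensionId = "$($pkg.publisher).$($pkg.name)"
                Version     = $pkg.version
                Folder      = $_.FullName
                InstalledAt = $_.CreationTime   # compare against the April 4, 2025 publication date
            }
        }
    }
}

$hits = @(Find-SuspectExtensions)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No installed extension matches a reported display name.' }
```

Cross-check the result against `code --list-extensions --show-versions`, which prints the `publisher.name` identifiers VSCode itself uses; an ExtensionId whose publisher segment does not match the well-known author of the tool the name suggests (for example a Rojo that is not published by evaera) deserves a closer look than the display name alone.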
How the attack works: techniques used by malicious extensions
The infection begins immediately after the extension is installed. At that point a PowerShell script is fetched from an external address, https://asdfqq(.)xyz, and executed. That script carries out several covert actions that let the miner embed itself in the affected machine.
One of the first things the script does is install the real extension that the malicious one impersonates, so a user who checks for missing functionality sees nothing wrong. Meanwhile the code keeps running in the background, disabling protective measures and clearing the way for the cryptominer to operate undetected.
Among the most notable actions of the script are:
- Creation of scheduled tasks disguised with legitimate-looking names such as "OnedriveStartup".
- Insertion of malicious commands into the Windows registry, ensuring persistence across reboots.
- Disabling of basic security services, including Windows Update and the Windows Update Medic service.
- Addition of the miner's directory to the Windows Defender exclusion list.
Furthermore, if the script does not obtain administrator privileges at runtime, it falls back to DLL hijacking with a fake MLANG.dll. The rogue DLL is loaded by a legitimate, auto-elevating system executable, ComputerDefaults.exe, so the attacker's code runs with that binary's elevated privileges and can complete the miner installation.
Once the system is compromised, a silent mining operation consumes CPU resources in a way the user cannot easily detect. The remote server has also been confirmed to host directories such as "/npm/", raising suspicion that the campaign could expand to other registries such as npm; so far, however, no concrete evidence has been found on that platform.
What to do if you have installed any of these extensions
If you, or someone on your team, installed any of the suspect extensions, removing them from the work environment is a priority. Simply uninstalling them from the editor is not enough, because many of the script's actions are persistent and survive removal of the extension.
It is best to follow these steps:
- Manually delete scheduled tasks such as "OnedriveStartup".
- Delete suspicious malware-related entries from the Windows registry.
- Review and clean the affected directories, especially those added to the Defender exclusion list.
- Run a full scan with up-to-date antivirus tools, and consider advanced solutions that detect anomalous behavior.
And above all, act quickly: although the main damage is unauthorized use of system resources (high CPU load, slowness, overheating), it cannot be ruled out that the attackers have opened other back doors.
This episode shows how easy it is to exploit trust in development environments, even on a platform as established as the official VSCode Marketplace. Users are therefore advised to check the source of any extension carefully before installing it, to prefer extensions from established publishers with a verifiable user base, and to avoid new packages from unknown developers. The spread of campaigns like this one exposes a worrying reality: development environments, long considered safe by default, can also become attack vectors when robust validation and monitoring are absent. For now the responsibility falls on platform providers and on developers themselves, who must remain vigilant.
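The steps above, and the persistence and DLL-hijacking techniques described in the previous section, can be worked through with one triage script. The PowerShell below is an added example, not code from the article or from ExtensionTotal. Run it in an elevated session: it reports the artefacts the article attributes to the script (the "OnedriveStartup" task, Run-key persistence, Defender exclusions, the disabled update services, a rogue MLANG.dll or ComputerDefaults.exe copy, a running miner, DNS traces of the download host) and deletes only when `-Remove` is given. The path and command-line heuristics, the service name WaaSMedicSvc for "Windows Update Medic", and the assumption that the fake DLL is dropped under a user-writable path are mine, not facts from the report.

```powershell
# Added example, not from the article or from ExtensionTotal. Run elevated.
# Heuristics (paths, command-line patterns, WaaSMedicSvc) are assumptions.

function Invoke-MinerTriage {
    [CmdletBinding()]
    param([switch]$Remove)   # without -Remove the function only reports

    $userWritable = '\\(AppData|Temp|ProgramData|Users\\Public)\\'
    $minerHints   = 'xmrig|stratum\+tcp|--donate-level|powershell[^\n]*(-enc|-w(indowstyle)? hidden)'

    # 1. Scheduled tasks: the disguised name, plus anything launched from a user-writable path.
    #    Only the named task is removed; heuristic hits are reported for review.
    foreach ($t in Get-ScheduledTask) {
        $cmd   = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $named = $t.TaskName -eq 'OnedriveStartup'
        if ($named -or $cmd -match $userWritable -or $cmd -match $minerHints) {
            "[task] $($t.TaskPath)$($t.TaskName) -> $cmd"
            if ($Remove -and $named) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
        }
    }

    # 2. Run/RunOnce keys: values pointing into user-writable paths or resembling a miner launcher.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own PSPath/PSParentPath metadata
            $v = [string]$p.Value
            if ($v -match $userWritable -or $v -match $minerHints) { "[run] $key\$($p.Name) = $v" }
        }
    }

    # 3. Defender exclusions: the article says the miner's directory was added here.
    foreach ($e in (Get-MpPreference).ExclusionPath) {
        $suspect = $e -match $userWritable
        "[defender-exclusion$(if ($suspect) { ':SUSPECT' })] $e"
        if ($Remove -and $suspect) { Remove-MpPreference -ExclusionPath $e }
    }

    # 4. Services the script reportedly disables (WaaSMedicSvc assumed for "Windows Update Medic").
    foreach ($name in 'wuauserv', 'WaaSMedicSvc') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($s) { "[service] $name Status=$($s.Status) StartType=$($s.StartType)" }
    }

    # 5. DLL hijack artefacts: the genuine MLANG.dll and ComputerDefaults.exe live in System32;
    #    a copy under the profile or ProgramData is a strong indicator (search scope assumed).
    Get-ChildItem -Path $env:USERPROFILE, $env:ProgramData -Recurse -File -Include 'MLANG.dll', 'ComputerDefaults.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            "[dll-hijack] $($_.FullName) written $($_.LastWriteTime)"
            if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
        }

    # 6. Live indicators: a running miner, and DNS-cache traces of the download host.
    Get-CimInstance Win32_Process | Where-Object { $_.ProcessId -ne $PID -and $_.CommandLine -match $minerHints } |
        ForEach-Object {
            "[process] PID $($_.ProcessId): $($_.CommandLine)"
            if ($Remove) { Stop-Process -Id $_.ProcessId -Force }
        }
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like '*asdfqq.xyz*' } |
        ForEach-Object { "[dns] $($_.Entry) -> $($_.Data)" }
}

Invoke-MinerTriage             # report only
# Invoke-MinerTriage -Remove   # after reviewing the report
```

Read the report before running with `-Remove`: the user-writable-path heuristic will also list legitimate vendor tasks and exclusions, which is why only the exact "OnedriveStartup" task, suspect exclusions and out-of-place MLANG.dll/ComputerDefaults.exe copies are deleted automatically. Capture the output as evidence first, since the task and registry entries are the quickest way to learn when the machine was first compromised.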

