Cryptocurrency-focused VS Code extensions are facing a major security threat. Cybercriminals attributed to a group tracked as WhiteCobra have flooded the Visual Studio Code Marketplace and OpenVSX with malicious extensions designed to steal cryptocurrency wallets, browser data, and login credentials. These rogue extensions imitate legitimate developer tools, tricking users into installing malware that compromises their machines.
WhiteCobra’s Strategy
WhiteCobra publishes fake extensions whose names and branding mimic trusted ones. By copying logos and descriptions and inflating download counts, the group creates the illusion of legitimacy. Once installed, the extensions fetch second-stage payloads that vary by operating system.
- On Windows, the extension launches PowerShell commands, which in turn execute Python scripts. These load shellcode that deploys LummaStealer, a well-known information stealer.
- On macOS, malicious Mach-O binaries are delivered to compromise the device.
- On ARM-based systems, tailored scripts attempt the same kind of infiltration.
This cross-platform approach widens the pool of developers and crypto users the campaign can reach.
Examples of Malicious Extensions
Investigators identified several extensions published under deceptive identifiers (publisher.name):
- OpenVSX (Cursor/Windsurf): ChainDevTools.solidity-pro, nomic-fdn.hardhat-solidity, juan-blanco.solidity, Crypto-Extensions.solidity.
- VSCode Marketplace: JuanFBlanco.awswhh, ETHFoundry.etherfoundrys, MarcusLockwood.wgbk, ShowSnowcrypto.SnowShoNo.
These impersonations target popular blockchain and Solidity development tools, making them especially dangerous for developers working on Web3 projects.
Why It’s Dangerous
Developers extend broad trust to VS Code extensions, crypto-related ones included, and WhiteCobra exploits that confidence. Many developers rely on download counts, reviews, and familiar names when choosing tools; by manipulating these signals, the attackers raise their infection rate. Once the malware is running, it can drain wallets, steal saved browser credentials, and expose sensitive project data.
How Developers Can Stay Safe
To defend against such threats, developers should:
- Install extensions only from publishers with a proven history. A Marketplace "verified" badge only proves the publisher controls a domain; it says nothing about the code, so treat it as one signal rather than a guarantee.
- Check the full extension identifier (publisher.name), not just the display name. As the identifiers above show, a lookalike can keep the extension name and change only the publisher, or alter a single character.
- Be wary of new extensions with sudden spikes in downloads or reviews; install counts can be inflated.
- Examine the extension files when possible (VS Code keeps them under ~/.vscode/extensions/<publisher>.<name>-<version>): the "main" entry in package.json points to the code that runs on activation, and a syntax or linting extension has little reason to require child_process, invoke PowerShell or Python, or decode base64 blobs.
- Use endpoint protection and sandboxing tools for added safety, and remember that extensions run with the full privileges of your user account, so an installed malicious extension can reach wallet files and browser profiles directly.
Conclusion
The WhiteCobra campaign highlights the growing risks hidden within crypto-related VS Code extensions. Trusting familiar names or inflated popularity metrics can lead to devastating breaches. Developers and crypto users must stay vigilant, verify extension sources, and follow strict security practices before installing new tools.