Imagine a world where the very tools you trust to enhance your productivity are secretly working against you. This is the chilling reality that cybersecurity researchers have uncovered, revealing a sinister plot to steal developer data through seemingly innocent extensions and packages.
Two malicious extensions on the Microsoft Visual Studio Code (VS Code) Marketplace were designed to infect developer machines with stealthy malware. Disguised as a premium dark theme and an AI coding assistant, these extensions were actually Trojan horses, harboring hidden functionalities to download additional malicious payloads, take screenshots, and siphon sensitive data. The captured information, including code, emails, Slack messages, and even what's on your screen, was then surreptitiously sent to an attacker-controlled server.
The names of these treacherous extensions are BigBlack.bitcoin-black and BigBlack.codo-ai. Microsoft removed them from the Marketplace on December 5th and 8th, 2025, respectively, but not before they had infected an unknown number of developer machines. A third package, BigBlack.mrbigblacktheme, was also removed for containing malware.
What's even more concerning is the sophistication of these attacks. The BigBlack.codo-ai extension embedded its malicious functionality inside a working tool, which helped it evade detection. Earlier versions of the extensions could execute a PowerShell script that downloaded a password-protected ZIP archive from an external server and extracted the main payload using several methods, including the Windows-native Expand-Archive cmdlet and .NET's System.IO.Compression. However, a mistake in those versions inadvertently opened a visible PowerShell window, which prompted the attacker to develop stealthier versions.
The extracted executable was a legitimate Lightshot binary, used to load a rogue DLL (Lightshot.dll) through DLL hijacking (sideloading). That DLL then gathered sensitive information, including clipboard contents, a list of installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, and detailed system information. It even launched Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.
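As an added illustration (not code from the article, Koi Security, or Socket), here is a small audit script a defender could run over a local VS Code extensions folder: it flags the three extension IDs named above and reports any installed extension that bundles a Lightshot.dll, the sideload pattern just described. It assumes the extensions.json manifest layout (entries with identifier.id and relativeLocation fields) and builds a constructed sample folder rather than touching real data.

```python
import json
import tempfile
from pathlib import Path

# Extension identifiers named in the article, in VS Code's publisher.name form.
KNOWN_MALICIOUS_EXTENSIONS = {
    "bigblack.bitcoin-black",
    "bigblack.codo-ai",
    "bigblack.mrbigblacktheme",
}
# The sideloaded DLL the article says was planted beside a legitimate Lightshot binary.
SUSPICIOUS_BUNDLED_FILES = {"lightshot.dll"}


def audit_extensions(ext_dir):
    """Return (extension_id, reason) findings for a VS Code extensions folder.
    Assumes extensions.json is a list of entries with identifier.id and relativeLocation."""
    root = Path(ext_dir)
    manifest = root / "extensions.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    findings = []
    for entry in entries:
        ident = entry.get("identifier", {}).get("id", "").lower()
        if ident in KNOWN_MALICIOUS_EXTENSIONS:
            findings.append((ident, "id matches an extension removed from the Marketplace"))
        rel = entry.get("relativeLocation")
        folder = root / rel if rel else None
        if folder and folder.is_dir():
            for path in folder.rglob("*"):
                if path.is_file() and path.name.lower() in SUSPICIOUS_BUNDLED_FILES:
                    findings.append((ident, f"bundles {path.name} (possible DLL sideloading)"))
    return findings


def write_constructed_sample():
    """Create a constructed extensions folder (not real data) for offline testing."""
    root = Path(tempfile.mkdtemp())
    entries = [  # one benign control entry plus one of the removed BigBlack extensions
        {"identifier": {"id": "ms-python.python"}, "relativeLocation": "ms-python.python-2024.1"},
        {"identifier": {"id": "BigBlack.codo-ai"}, "relativeLocation": "bigblack.codo-ai-1.0.0"},
    ]
    (root / "extensions.json").write_text(json.dumps(entries))
    for entry in entries:
        (root / entry["relativeLocation"]).mkdir()
    # Mimic the layout the article describes: a Lightshot binary with a rogue DLL beside it.
    bundle = root / "bigblack.codo-ai-1.0.0" / "bin"
    bundle.mkdir()
    (bundle / "Lightshot.exe").write_bytes(b"constructed placeholder, not a real binary")
    (bundle / "Lightshot.dll").write_bytes(b"constructed placeholder, not a real DLL")
    return root
```

Point `audit_extensions` at `~/.vscode/extensions` to check a real install; an empty result means neither the named IDs nor a bundled Lightshot.dll was found.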
"A developer could install what appears to be a harmless theme or a useful AI tool, and within seconds, their personal and professional data is being exfiltrated to a remote server," warned Idan Dardikman from Koi Security.
But here's where it gets controversial: these malicious extensions are not isolated incidents. Socket, a cybersecurity firm, has identified malicious packages across multiple ecosystems, including Go, npm, and Rust, that are capable of harvesting sensitive data. These packages include:
- Go packages "github[.]com/bpoorman/uuid" and "github[.]com/bpoorman/uid" that have been available since 2021 and typosquat trusted UUID libraries to exfiltrate data to a paste site called dpaste.
- A set of 420 unique npm packages published by a likely French-speaking threat actor, some of which contain code to execute a reverse shell and exfiltrate files to a Pipedream endpoint.
- A Rust crate named finch-rust published by faceless, which impersonates the legitimate bioinformatics tool "finch" and serves as a loader for a malicious payload through a credential-stealing package known as "sha-rust."
"Finch-rust acts as a malware loader; it contains mostly legitimate code copied from the legitimate finch package but includes a single malicious line that loads and executes the sha-rust payload," explained Socket researcher Kush Pandya. "This clever separation of concerns makes detection harder."
This revelation should serve as a stark reminder of the importance of cybersecurity in the developer community. As developers, we must remain vigilant and cautious, especially when installing third-party extensions and packages. It's crucial to verify the authenticity and security of these tools before incorporating them into our workflows.
And this is the part most people miss: the human factor. While technology can provide layers of protection, it's ultimately up to us to stay informed, educate ourselves about potential threats, and practice safe coding habits.
So, what do you think? Are these findings a wake-up call for the developer community? Should we be more cautious about the tools we use, or is this an inevitable risk in the digital age? Share your thoughts in the comments below!