The Visual Studio Code (VSCode) Marketplace has recently become a target for sophisticated cyberattacks, with malicious extensions infiltrating development environments to deploy cryptominers. These attacks highlight vulnerabilities in the extension ecosystem and underscore the need for heightened vigilance among developers.
The campaign: cryptojacking through fake extensions
Security researchers from ExtensionTotal uncovered nine malicious VSCode extensions uploaded to the marketplace on April 4, 2025. These extensions, masquerading as legitimate tools like “Discord Rich Presence” and “Rojo – Roblox Studio Sync,” amassed over 300,000 installations in just three days. The artificially inflated install counts were likely intended to boost credibility and entice unsuspecting users.
Once installed, these extensions executed a multi-stage attack. They downloaded a PowerShell script from external servers, disabled Windows security features, established persistence via scheduled tasks, and ultimately installed XMRig—a popular Monero cryptominer. The attackers even installed legitimate versions of the impersonated extensions to avoid suspicion.
Technical breakdown of the attack
The malicious PowerShell script performed several critical operations:
- Disabling Security Features: It turned off Windows Update and added its directory to Windows Defender’s exclusion list.
- Persistence Mechanisms: It created scheduled tasks disguised as “OnedriveStartup” and injected registry keys for malware execution at startup.
- Privilege Escalation: Through DLL hijacking, it elevated privileges using a fake system binary (ComputerDefaults.exe).
- Cryptominer Deployment: The script connected to a secondary server to download and execute XMRig for cryptocurrency mining.
Broader implications for supply chain security
This campaign is part of a broader trend of supply chain attacks on development environments. Similar tactics have been observed with npm packages, where attackers plant malicious dependencies that VSCode extensions pull in to compromise systems. The tight integration between npm and VSCode makes it easier for malicious actors to infiltrate development workflows.
Additionally, these attacks exploit trust metrics like install counts and reviews in marketplaces, revealing systemic vulnerabilities that need addressing. Developers must scrutinize extensions carefully and validate their authenticity before installation.
Mitigation steps for developers
If you suspect malicious extensions in your environment:
- Immediate Removal: Uninstall the extensions flagged by researchers (e.g., those published by “Mark H”).
- Manual Cleanup: Locate and delete associated malware files, registry keys, scheduled tasks, and directories.
- Enhanced Security Practices:
  - Regularly monitor system processes for unusual activity.
  - Use endpoint protection tools to detect cryptominers.
  - Validate the integrity of marketplace extensions before installation.
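The indicators listed in the technical breakdown (Defender exclusions, the “OnedriveStartup” scheduled task, Run-key entries, the ComputerDefaults.exe decoy, XMRig) and the manual-cleanup step above map directly onto things a defender can enumerate on a Windows host. The following PowerShell triage script is an added example, not code from the article or from ExtensionTotal. It is read-only: it reports leads for review and removes nothing. The `$SuspectPublisherIds` parameter and its placeholder default, the “launches PowerShell from a user-writable directory” heuristic, the path regexes, and the `.vscode\extensions` folder layout are assumptions; the article gives the marketplace display name “Mark H”, whereas package.json carries the publisher ID, which you should take from the marketplace listing.

```powershell
<#
  Added example (not from the article or ExtensionTotal): read-only triage of a
  Windows host for the indicators the article attributes to the campaign.
  Nothing is removed; each finding is a lead for manual review.
#>
param(
    # Scheduled task name the article reports (assumed exact spelling)
    [string[]]$SuspectTaskNames = @('OnedriveStartup'),
    # Marketplace publisher IDs to flag. The article gives the display name
    # "Mark H"; the ID in package.json differs, so this default is a placeholder.
    [string[]]$SuspectPublisherIds = @('<publisher-id-from-marketplace-listing>')
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Defender exclusion paths: the script excluded its own directory. Any path
#    you did not configure yourself deserves review.
try {
    foreach ($path in (Get-MpPreference).ExclusionPath) {
        $findings.Add("Defender exclusion path: $path")
    }
} catch {
    $findings.Add("Could not query Defender preferences: $($_.Exception.Message)")
}

# 2. Windows Update service: the script turned Windows Update off.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -eq 'Disabled') {
    $findings.Add('Windows Update service (wuauserv) is disabled')
}

# 3. Scheduled tasks: persistence disguised under a OneDrive-like name, or any
#    task that launches PowerShell from a user-writable directory (assumed heuristic).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $hit = $SuspectTaskNames -contains $task.TaskName
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell' -and $cmd -match '\\(AppData|Temp|ProgramData)\\') {
            $hit = $true
        }
    }
    if ($hit) { $findings.Add("Suspicious scheduled task: $($task.TaskPath)$($task.TaskName)") }
}

# 4. Run keys: autostart entries pointing at PowerShell, a miner, or user-writable paths.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are metadata
        if ("$($prop.Value)" -match 'powershell|xmrig|\\(AppData|Temp|ProgramData)\\') {
            $findings.Add("Run key entry ${key}\$($prop.Name) = $($prop.Value)")
        }
    }
}

# 5. Running miner and DLL-hijack decoy: an XMRig process, or a ComputerDefaults.exe
#    sitting outside System32 (the legitimate binary lives there).
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($proc.ProcessName -match 'xmrig') {
        $findings.Add("Miner process running: $($proc.ProcessName) (PID $($proc.Id))")
    }
}
foreach ($root in @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData)) {
    if (-not $root) { continue }
    Get-ChildItem -Path $root -Filter 'ComputerDefaults.exe' -Recurse -Depth 4 -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Decoy binary outside System32: $($_.FullName)") }
}

# 6. Installed VS Code extensions: folders are <publisher>.<name>-<version> and
#    package.json carries the publisher ID (assumed default layout).
$extRoot = Join-Path $env:USERPROFILE '.vscode\extensions'
if (Test-Path $extRoot) {
    foreach ($dir in Get-ChildItem -Path $extRoot -Directory) {
        $manifest = Join-Path $dir.FullName 'package.json'
        if (-not (Test-Path $manifest)) { continue }
        try { $pkg = Get-Content -Raw -Path $manifest | ConvertFrom-Json } catch { continue }
        if ($SuspectPublisherIds -contains $pkg.publisher) {
            $findings.Add("Extension from flagged publisher: $($pkg.publisher).$($pkg.name) v$($pkg.version)")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No campaign indicators found on this host.'
} else {
    Write-Output "Found $($findings.Count) indicator(s) for review:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell session so that HKLM, Defender preferences and every scheduled task are readable. Each line of output is a lead, not a verdict: a Defender exclusion or a task running PowerShell from AppData may be legitimate on a developer box, so confirm before removing anything, and collect the script's output together with the task XML and Run-key values as evidence before the manual cleanup step.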
The discovery of these malicious VSCode extensions serves as a stark reminder of the evolving threats targeting developers. As attackers increasingly exploit trusted platforms like VSCode Marketplace, developers must adopt proactive security measures to safeguard their environments. Collaboration between marketplace operators and cybersecurity experts is essential to prevent future incidents and protect the integrity of development ecosystems.