Malicious Microsoft VSCode extensions target devs, crypto community

Malicious Visual Studio Code extensions were discovered on the VSCode marketplace that download heavily obfuscated PowerShell payloads to target developers and cryptocurrency projects in supply chain attacks.

In a report by Reversing Labs, researchers say the malicious extensions first appeared in the VSCode marketplace in October.

“Throughout October 2024, the RL research team saw a new wave of malicious VSCode extensions containing downloader functionality — all part of the same campaign,” reads the Reversing Labs’ report.

“The community was first notified of this campaign taking place in early October, and since then, the team has been steadfast in tracking it.”

An additional package targeting the crypto community and part of this campaign was found on NPM.

Security researcher Amit Assaraf also published today a report with overlapping findings, pointing to the same activity.

Malicious VSCode extensions

The campaign comprises 18 malicious extensions primarily targeting cryptocurrency investors and those looking for productivity tools like Zoom.

On the VSCode Marketplace, the following extensions were submitted:

EVM.Blockchain-Toolkit
VoiceMod.VoiceMod
ZoomVideoCommunications.Zoom
ZoomINC.Zoom-Workplace
Ethereum.SoliditySupport
ZoomWorkspace.Zoom (three versions)
ethereumorg.Solidity-Language-for-Ethereum
VitalikButerin.Solidity-Ethereum (two versions)
SolidityFoundation.Solidity-Ethereum
EthereumFoundation.Solidity-Language-for-Ethereum (two versions)
SOLIDITY.Solidity-Language
GavinWood.SolidityLang (two versions)
EthereumFoundation.Solidity-for-Ethereum-Language

On npm, the threat actors uploaded five versions of the package ‘etherscancontacthandler’, version 1.0.0 through 4.0.0, collectively downloaded 350 times.

To increase the apparent legitimacy of the packages, the threat actors added fake reviews and inflated their installation numbers to make them appear more trustworthy.

Fake reviews and number of installs (Source: ReversingLabs)

ReversingLabs says that all the extensions had the same malicious functionality and were designed to download obfuscated second-stage payloads from suspicious domains.

Two of the malicious domains chosen to appear legitimate are ‘microsoft-visualstudiocode[.]com’ and ‘captchacdn[.]com,’ while others used TLDs like ‘.lat’ and ‘.ru.’

Malicious VSCode extension downloading secondary payload (Source: ReversingLabs)

Neither ReversingLabs nor Assaraf analyzed the second-stage payload, so its functions are unknown, but the red flags surrounding it are abundant.

Comparison between the npm package and the VSCode extensions (Source: ReversingLabs)

BleepingComputer found that the secondary payloads downloaded by these VSCode extensions are heavily obfuscated Windows CMD files that launch a hidden PowerShell command.

The hidden PowerShell command will decrypt AES-encrypted strings in additional CMD files to drop further payloads on the compromised system and execute them.

PowerShell command to decrypt malicious payloads (Source: BleepingComputer)

One of the payloads dropped in BleepingComputer’s tests was the %temp%\MLANG.DLL file, which is detected as malicious by VirusTotal in 27/71 antivirus engines.

The ReversingLabs researchers provided a detailed list of the malicious packages and VSCode extensions, with their SHA1 hashes, at the bottom of their report to help identify and mitigate supply chain compromises.

When downloading the building blocks of your software project, validate that the code is safe and legitimate, and check that the components are not clones of popular plugins and dependencies.
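As an added defensive example (not code from the article, ReversingLabs or BleepingComputer), the script below audits a VSCode extensions directory against the indicators this article names: the publisher.name extension identifiers listed above and the two second-stage domains. It assumes the default user extension folder layout (one subdirectory per installed extension containing a package.json); the SHA1 set is a labelled placeholder to be filled from the ReversingLabs report, and the sample directory it builds is constructed purely for the demonstration.

```python
"""Audit a VSCode extensions directory against the indicators named in the article."""
import hashlib
import json
import tempfile
from pathlib import Path

# Extension identifiers (publisher.name) listed in the article. VSCode treats
# these case-insensitively, so the audit lowercases both sides before comparing.
MALICIOUS_EXTENSION_IDS = {
    "EVM.Blockchain-Toolkit",
    "VoiceMod.VoiceMod",
    "ZoomVideoCommunications.Zoom",
    "ZoomINC.Zoom-Workplace",
    "Ethereum.SoliditySupport",
    "ZoomWorkspace.Zoom",
    "ethereumorg.Solidity-Language-for-Ethereum",
    "VitalikButerin.Solidity-Ethereum",
    "SolidityFoundation.Solidity-Ethereum",
    "EthereumFoundation.Solidity-Language-for-Ethereum",
    "SOLIDITY.Solidity-Language",
    "GavinWood.SolidityLang",
    "EthereumFoundation.Solidity-for-Ethereum-Language",
}

# Second-stage domains named in the article, kept defanged in source and
# refanged only at match time.
MALICIOUS_DOMAINS_DEFANGED = {"microsoft-visualstudiocode[.]com", "captchacdn[.]com"}

# The SHA1 list lives in the ReversingLabs report, not in this article.
MALICIOUS_SHA1 = set()  # PLACEHOLDER: populate from the vendor's IoC list

# File types worth scanning for hard-coded download locations.
TEXT_SUFFIXES = {".js", ".cjs", ".mjs", ".json", ".cmd", ".bat", ".ps1"}


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable string."""
    return domain.replace("[.]", ".")


def sha1_of_file(path) -> str:
    """Hex SHA1 of a file, streamed so large bundles do not load into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def extension_id(package_json: Path) -> str:
    """Build the marketplace identifier publisher.name from an extension's manifest."""
    with open(package_json, encoding="utf-8") as f:
        data = json.load(f)
    return f"{data.get('publisher', '')}.{data.get('name', '')}"


def audit_extensions_dir(root) -> list:
    """Return (extension_id, reason, detail) tuples for every indicator hit."""
    bad_ids = {i.lower() for i in MALICIOUS_EXTENSION_IDS}
    bad_domains = {refang(d) for d in MALICIOUS_DOMAINS_DEFANGED}
    findings = []
    for package_json in Path(root).glob("*/package.json"):
        ext_dir = package_json.parent
        ext_id = extension_id(package_json)
        if ext_id.lower() in bad_ids:
            findings.append((ext_id, "known-malicious extension id", ext_dir.name))
        for path in ext_dir.rglob("*"):
            if not path.is_file():
                continue
            if sha1_of_file(path) in MALICIOUS_SHA1:
                findings.append((ext_id, "known-malicious file hash", str(path)))
            if path.suffix.lower() in TEXT_SUFFIXES:
                text = path.read_text(encoding="utf-8", errors="ignore")
                for domain in bad_domains:
                    if domain in text:
                        findings.append((ext_id, "references second-stage domain", domain))
    return findings


def build_sample_dir() -> str:
    """Constructed sample layout: one benign extension and one mimicking the campaign."""
    root = tempfile.mkdtemp(prefix="vscode-ext-audit-")
    benign = Path(root, "example.hello-1.0.0")
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps({"publisher": "example", "name": "hello"}))
    (benign / "extension.js").write_text("exports.activate = () => console.log('hello');\n")
    (benign / "LICENSE").write_bytes(b"")
    suspect = Path(root, "zoomworkspace.zoom-1.0.2")
    suspect.mkdir()
    (suspect / "package.json").write_text(json.dumps({"publisher": "ZoomWorkspace", "name": "Zoom"}))
    # Constructed stand-in for a downloader that points at a domain from the article.
    (suspect / "extension.js").write_text(
        "const stage2 = 'https://captchacdn.com/stage2';  // constructed sample\n"
    )
    return root


if __name__ == "__main__":
    for hit in audit_extensions_dir(build_sample_dir()):
        print(*hit, sep="\t")
    user_root = Path.home() / ".vscode" / "extensions"  # default user extension directory
    if user_root.is_dir():
        for hit in audit_extensions_dir(user_root):
            print(*hit, sep="\t")
```

Run as-is it audits the constructed sample and then, if present, the real user extension directory; in a fleet you would feed it each developer workstation's extension folder and forward the findings to your SIEM, adding the vendor's SHA1 values once you have them.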

Unfortunately, there have been multiple recent examples of malicious npm packages resulting in highly damaging supply chain compromises and VSCode extensions that targeted user passwords and opened remote shells on the host system.

Bill Toulas
