• Technology

    VSCode market struck by huge influx of malicious WhiteCobra extensions – so be warned

    AnyFans Posted on

    By Sead Fadilpašić

    Copyright techradar

    VSCode market struck by huge influx of malicious WhiteCobra extensions - so be warned

    Skip to main content

    Tech Radar Pro

    Tech Radar Gaming

    Close main menu

    the business technology experts

    België (Nederlands)

    Deutschland

    North America

    US (English)

    Australasia

    New Zealand

    View Profile

    Search TechRadar

    Expert Insights

    Website builders

    Web hosting

    Best web hosting
    Best office chairs
    Best website builder
    Best antivirus
    Expert Insights

    Don’t miss these

    Are they brave or stupid? Malware targeting Russian crypto hackers found

    Criminals are using a dangerous fake free VPN to spread malware via GitHub – here’s how to stay safe

    Firefox fans beware – these malicious add-ons are stealing millions, so be on your guard

    Amazon’s AI coding agent was hacked – update now to avoid possible risks, users warned

    Gamers at risk as scammers are using malware-infected cheats and mods to steal passwords and crypto — here’s how to stay safe

    More popular npm packages hijacked to spread malware

    Malicious Google Chrome and Edge extensions downloaded more than 2 million times – here’s how to stay safe from being tracked online

    Nearly a million browsers affected by more malicious browser extensions – here’s what we know

    Minecraft players watch out – these fake mods are hiding password-stealing malware

    Watch out – those Firefox add-ons could be a real threat to your entire system, Mozilla warns

    GitHub users targeted with dangerous malware attacks – here’s what we know

    Major new malware strain targets crypto users via malicious ads – here’s what we know, and how to stay safe

    Microsoft warns dangerous PipeMagic backdoor is being disguised as ChatGPT desktop app – here’s what we know

    Npm package with millions of downloads is at risk from malware hijacking

    NPM packages from Nx targeted in latest worrying software supply chain attack

    VSCode market struck by huge influx of malicious WhiteCobra extensions – so be warned

    Sead Fadilpašić

    15 September 2025

    Two dozen malicious extensions are making rounds

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

    (Image credit: Shutterstock)

    Researchers found 24 malicious extensions in Visual Studio Marketplace and Open VSX Registry deploying Lumma Stealer and other malware
    The attack targeted cryptocurrency holders and developers, with compromised extensions quickly replaced after removal
    Open-source extension platforms remain attractive targets due to their popularity and ease of malware distribution

    Cybercriminals are once again targeting cryptocurrency holders and developers, by smuggling infostealers into open-source code repositories.

    Last week, BleepingComputer reported that researchers discovered two dozen malicious extensions in the Visual Studio marketplace and the Open VSX registry.
    The Visual Studio Marketplace and the Open VSX Registry are both platforms for distributing extensions, with the former being Microsoft-owned and used in Visual Studio and Visual Studio Code, while the latter is a vendor-neutral, open-source alternative designed for VS Code-compatible editors like Eclipse Theia, Gitpod, SAP Business Application Studio, and others.

    You may like

    Are they brave or stupid? Malware targeting Russian crypto hackers found

    Criminals are using a dangerous fake free VPN to spread malware via GitHub – here’s how to stay safe

    Firefox fans beware – these malicious add-ons are stealing millions, so be on your guard

    WhiteCobra targeting software devs
    The attack was spotted by cybersecurity researchers Koi, as well as one of the victims – a highly skilled, experienced Ethereum editor Zak Cole.

    The researchers determined that there were at least 24 malicious extensions on the platforms, and those that were removed were quickly replaced with new ones. The extensions, when installed on a Windows device, would deploy Lumma Stealer on the compromised computers.
    Lumma is a known infostealer that is capable of grabbing passwords and payment information stored in the browser, exfiltrating sensitive files, session cookies, and cryptocurrency wallet information.
    On Macs, the payload comes in the form of a Mach-O binary that executes locally and loads an unfamiliar piece of malware.

    Are you a pro? Subscribe to our newsletter
    Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
    Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.
    The researchers are calling the threat actor WhiteCobra.
    Open-source software repositories are popular targets for cybercriminals, since they enable malware distribution in a myriad of ways, especially on popular platforms such as Visual Studio Marketplace and the Open VSX Registry. The former, for example, is extremely popular among developers using Visual Studio and VS Code, as it hosts more than 48,000 extensions that are tightly integrated with Microsoft products.
    Open VSX Registry, on the other hand, is gaining momentum, especially in open-source and enterprise environments that use VS Code-compatible editors like Eclipse Theia, Gitpod, and SAP Business Application Studio. It hosts nearly 3,000 extensions from more than 1,500 publishers, with more than two million monthly downloads.
    Via BleepingComputer
    You might also like

    Microsoft warns about a new phishing campaign impersonating Booking.com
    Take a look at our guide to the best authenticator app
    We’ve rounded up the best password managers

    Sead Fadilpašić

    Social Links Navigation

    Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

    You must confirm your public display name before commenting

    Please logout and then login again, you will then be prompted to enter your display name.

    Are they brave or stupid? Malware targeting Russian crypto hackers found

    Criminals are using a dangerous fake free VPN to spread malware via GitHub – here’s how to stay safe

    Firefox fans beware – these malicious add-ons are stealing millions, so be on your guard

    Amazon’s AI coding agent was hacked – update now to avoid possible risks, users warned

    Gamers at risk as scammers are using malware-infected cheats and mods to steal passwords and crypto — here’s how to stay safe

    More popular npm packages hijacked to spread malware

    Latest in Security

    Double check your Microsoft 365 and Google accounts – this VoidProxy phishing service is hitting them hard

    US solar highway infrastructure may contain hidden malicious tech, officials warn

    US Senator says Microsoft should be probed for ‘gross cybersecurity negligence’ after hospital ransomware attacks

    Apple issues customer warning after four spyware campaigns discovered targeting devices

    M&S chief digital and technology officer steps down in wake of damaging cyberattack

    Keep an eye on your Meta Business account, these fake extensions could steal your credentials

    Latest in News

    It’s about time – Spotify is finally upgrading its free tier with these Premium-style features

    Forget the iPhone 17 – these are the next 10 Apple products rumored to be coming soon

    Amid a tidal wave of performance complaints on PC, the first Borderlands 4 patch has arrived to address stability – but no one knows what it does

    iOS 26 lands today – here’s exactly when it’s coming to your iPhone, and which models are compatible

    UK and US to sign massive tech trade deals worth billions during Trump and Big Tech tour

    VSCode market struck by huge influx of malicious WhiteCobra extensions – so be warned

    LATEST ARTICLES

    Borderlands 4 maker says your old PC hardware is to blame for the game’s poor performance – even though it struggles to run on an RTX 5090

    8 Cool AI tools you haven’t heard of, but should definitely try

    I murdered my way up a vertical city and snooped through environments in search of shiny quartz crystals in Styx: Blades of Greed, and I can’t wait to get my sneak on again

    Using La Pavoni’s Europiccola lever espresso machine is a labor of love, but the steep learning curve made me a better at-home barista

    Quordle hints and answers for Tuesday, September 16 (game #1331)

    TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.

    Contact Future’s experts

    Terms and conditions

    Privacy policy

    Cookies policy

    Advertise with us

    Web notifications

    Accessibility Statement

    Future US, Inc. Full 7th Floor, 130 West 42nd Street,

    Please login or signup to comment

    Please wait…

    You Might Also Like