Malicious VSCode Add-ons Used to Secretly Mine Cryptocurrency on Windows

Nine fake Visual Studio Code extensions were found on Microsoft's VSCode Marketplace, posing as legitimate tools while secretly infecting users with cryptominers for Monero and Ethereum.

Disguised as development utilities and showing over 300,000 combined installs, the extensions fetched and ran a PowerShell script from an external site. That script, not the extension itself, did the damage: it disabled system defenses, set up persistence, and installed the XMRig miner.

To avoid raising suspicion, the script also installed the legitimate extension that each fake was impersonating, so the advertised functionality appeared to work. It tampered with Windows settings, disabling Windows Update and adding its own folder to the antivirus exclusion list, and used privilege escalation techniques to keep running with elevated rights.

The script then contacted a remote server to download and launch the miner. Researchers suspect the campaign may also extend to the NPM ecosystem, although no infected packages have been confirmed there.

Microsoft has since removed the malicious extensions and blocked the publisher, stating that no further action is required from users. Because the payload ran outside VS Code, however, uninstalling the extension does not undo the antivirus exclusions, the disabled updates, the persistence mechanism or the miner itself. Anyone who had installed the affected extensions should still manually audit and clean their systems.
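The following triage script is an added example; it is not from the original article or from the researchers who found the extensions. It is meant to be run in an elevated PowerShell session on a Windows host that had one of the extensions installed, and it is read-only: it reports the classes of change the article attributes to the dropped script (Defender exclusions, Windows Update tampering, persistence entries, a running miner) so that a person can decide what to remove. Two assumptions are baked in and marked in the comments: the miner process is named `xmrig` (the article names XMRig but not the file name the campaign used), and VS Code extensions live in the default per-user folder.

```powershell
# Added triage script (not from the article or the researchers). Read-only: it
# only lists findings. Assumptions: the miner process is named "xmrig" and VS
# Code extensions are in the default per-user folder under %USERPROFILE%.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'SilentlyContinue'
$findings   = New-Object System.Collections.Generic.List[string]
# Crude pattern for commands that look script-dropped; tune it for the host.
$suspicious = 'powershell|xmrig|\\AppData\\|\\Temp\\|\\ProgramData\\'

# 1. Microsoft Defender exclusions and real-time protection state. The article
#    says the script excluded its own folder from scans.
$mp = Get-MpPreference
foreach ($x in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
    if ($x) { $findings.Add("Defender exclusion: $x") }
}
if ($mp.DisableRealtimeMonitoring) { $findings.Add('Defender real-time monitoring is disabled') }

# 2. Windows Update: service start type and the NoAutoUpdate policy value.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') { $findings.Add('wuauserv (Windows Update) start type is Disabled') }
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if ($au.NoAutoUpdate -eq 1) { $findings.Add('Policy NoAutoUpdate=1 is set') }

# 3. Persistence: Run keys and enabled scheduled tasks whose command matches
#    the pattern above (PowerShell, user-writable paths, the miner name).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        if ("$($p.Value)" -match $suspicious) {
            $findings.Add("Run key $key\$($p.Name): $($p.Value)")
        }
    }
}
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspicious) {
            $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName): $cmd")
        }
    }
}

# 4. A running miner (process name is an assumption) and its established
#    outbound connections, which for XMRig are typically mining-pool traffic.
foreach ($proc in Get-Process -Name 'xmrig') {
    $findings.Add("Running process $($proc.Id): $($proc.Path)")
    foreach ($c in Get-NetTCPConnection -OwningProcess $proc.Id -State Established) {
        $findings.Add("  connection to $($c.RemoteAddress):$($c.RemotePort)")
    }
}

# 5. Installed VS Code extensions, to compare against the published list, with a
#    flag on any whose JavaScript mentions PowerShell (a hint for review, not a verdict).
$extRoot = Join-Path $env:USERPROFILE '.vscode\extensions'
foreach ($dir in Get-ChildItem -Path $extRoot -Directory) {
    $hit = Get-ChildItem -Path $dir.FullName -Recurse -Include *.js |
           Select-String -Pattern 'powershell|Invoke-Expression' -List |
           Select-Object -First 1
    $note = if ($hit) { " (references PowerShell in $($hit.Filename))" } else { '' }
    $findings.Add("Installed extension: $($dir.Name)$note")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script deliberately does not delete anything: Defender exclusions and Run-key entries are sometimes legitimate, and a list the operator reads is safer than an automated cleanup. Remove an exclusion with `Remove-MpPreference -ExclusionPath`, re-enable Windows Update with `Set-Service -Name wuauserv -StartupType Manual`, and delete confirmed persistence entries by hand once you have checked what they launch.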
