Malicious VSCode Extensions Used to Steal Cryptocurrency Wallets

A threat actor known as WhiteCobra is distributing fraudulent extensions across the Visual Studio Marketplace and OpenVSX registry, targeting developers who use VSCode, Cursor, and Windsurf. These malicious extensions, which mimic legitimate tools, are designed to steal cryptocurrency by executing wallet-draining malware. One victim, a core Ethereum developer, lost funds after installing a counterfeit Solidity extension that appeared credible due to its professional presentation and inflated download count.

The malicious extensions initiate an attack by running a script that downloads platform-specific payloads from external sources. On Windows systems, this leads to the execution of LummaStealer, a known information-stealer that targets crypto wallets and browser credentials. On macOS, a malicious binary is executed, though the specific malware family remains unidentified.

WhiteCobra operates in an organized manner, with defined revenue targets and rapid redeployment capabilities—often replacing removed extensions within hours. Security researchers emphasize the need for improved verification on extension marketplaces, as download counts and reviews can be easily manipulated. Developers are advised to use only trusted, well-established extensions and remain cautious of typosquatting and impersonation attempts.

