Full Report
A threat actor named WhiteCobra has been targeting VSCode, Cursor, and Windsurf users by planting 24 malicious extensions in the Visual Studio Marketplace and the Open VSX registry. [...]
Analysis Summary
# Threat Actor: WhiteCobra
## Attribution & Identity
The threat actor is identified as **WhiteCobra**. They are described as an organized group capable of rapid campaign deployment (less than three hours). They operate with a documented playbook detailing revenue targets, C2 setup guides, and social engineering strategies.
## Activity Summary
WhiteCobra has been actively flooding the **Visual Studio Marketplace** and the **Open VSX registry** (used by VSCode, Cursor, and Windsurf) with malicious VSIX extensions. This is an ongoing campaign where the actor continuously uploads new malicious code to replace removed extensions. A publicly known incident involved the draining of a core Ethereum developer's wallet via a seemingly legitimate extension. WhiteCobra is also associated with a prior **$500,000 crypto-theft** in July stemming from a fake extension for the Cursor editor.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Creating seemingly legitimate malicious VSIX extensions, often impersonating established projects (typosquatting/impersonation), leveraging cross-compatibility between VS Code, Cursor, and Windsurf.
- **Deception:** Using professionally designed icons, detailed descriptions, and rapidly inflated download counts to instill trust.
- **Execution Flow:** The wallet draining begins by executing the primary extension file (`extension.js`), which contains a call deferring execution to a secondary script (`prompt.js`).
- **Payload Delivery:** A platform-specific, next-stage payload is downloaded from Cloudflare Pages.
- **Malware Deployment (Windows):** A PowerShell script executes a Python script, which runs shellcode to deploy the **LummaStealer** malware.
- **Malware Deployment (macOS):** A malicious Mach-O binary is executed locally to load an unknown malware family.
- **Exfiltration:** LummaStealer targets cryptocurrency wallet applications, web extensions, stored browser credentials, and messaging app data.
## Targeting
- **Sectors:** Software Development / Coding (targeting users of code editors and developers).
- **Geography:** Not explicitly detailed, but the impact is global due to the nature of the repositories.
- **Victims:** Users of VS Code, Cursor, and Windsurf; specifically mentioned is a core Ethereum developer.
## Tools & Infrastructure
- **Malware Families Used:**
  - **LummaStealer** (info-stealing malware targeting crypto wallets and credentials).
  - An unknown malware family deployed on macOS.
- **Infrastructure:**
  - **Payload Hosting:** Cloudflare Pages (used to host platform-specific second-stage payloads).
  - **C2:** The actor's internal playbook includes guides for setting up Command-and-Control infrastructure.
## Implications
WhiteCobra poses a significant, organized threat due to their rapid operational tempo (redeploying campaigns in under three hours) and their focus on high-value targets within the developer community (crypto theft). Their ability to successfully mimic legitimate projects and manipulate download metrics makes detection difficult based on surface-level repository cues. Their documented playbook confirms a methodical approach to achieving specific revenue goals ($10,000 to $500,000).
## Mitigations
- Exercise extreme suspicion regarding newly released coding extensions, especially those that rapidly accumulate high download counts and positive reviews shortly after publication.
- Scrutinize extensions for signs of impersonation or typosquatting attempts against legitimate projects.
- Developers should primarily rely on known projects with established trust records.
- Repository maintainers (VS Code Marketplace, Open VSX) must implement stronger verification mechanisms beyond superficial checks to distinguish malicious software.