WhiteCobra targets code editors with malicious extensions
Summary
A threat actor named WhiteCobra is targeting users of VSCode, Cursor, and Windsurf code editors by uploading malicious extensions to the Visual Studio marketplace and the Open VSX registry. The campaign, which is ongoing, has already resulted in significant financial losses, including a $500,000 crypto-theft in July. The extensions, which appear legitimate, are designed to steal cryptocurrency and other sensitive information. The threat actor exploits the cross-compatibility of VSIX extensions and the lack of rigorous submission reviews on these platforms. WhiteCobra continuously uploads new malicious code to replace extensions that are removed, demonstrating a high level of organization and persistence.
Timeline
- 13.09.2025 17:00 · 1 article · 1d ago
WhiteCobra targets code editors with malicious extensions
A threat actor named WhiteCobra has uploaded 24 malicious extensions to the Visual Studio marketplace and the Open VSX registry, targeting users of VSCode, Cursor, and Windsurf. The campaign is ongoing, with new malicious code continuously uploaded to replace removed extensions. The extensions appear legitimate and have resulted in significant financial losses, including a $500,000 crypto-theft in July. The payloads are platform-specific and include the LummaStealer malware on Windows and an unknown malware family on macOS.
Sources:
- 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
Information Snippets
- WhiteCobra has uploaded 24 malicious extensions to the Visual Studio marketplace and the Open VSX registry.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- The extensions target VSCode, Cursor, and Windsurf users.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- The campaign is ongoing, with new malicious code continuously uploaded to replace removed extensions.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- WhiteCobra is responsible for a $500,000 crypto-theft in July through a fake extension for the Cursor editor.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- The malicious extensions appear legitimate with professionally designed icons, detailed descriptions, and inflated download counts.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- The extensions execute a secondary script that downloads a payload from Cloudflare Pages.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- The payload is platform-specific, with versions available for Windows, macOS on ARM, and macOS on Intel.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- On Windows, the payload executes LummaStealer malware, which targets cryptocurrency wallet apps, web extensions, credentials, and messaging app data.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- On macOS, the payload is a malicious Mach-O binary that executes locally to load an unknown malware family.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- WhiteCobra operates in an organized fashion, with defined revenue targets and C2 infrastructure setup guides.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00
- The threat group can deploy a new campaign in less than three hours.
  First reported: 13.09.2025 17:00 · 1 source, 1 article
  Sources:
  - 'WhiteCobra' floods VSCode market with crypto-stealing extensions - www.bleepingcomputer.com - 13.09.2025 17:00