WhiteCobra targets VSCode users with crypto-stealing extensions
Summary
A threat actor named WhiteCobra has targeted users of Visual Studio Code (VSCode), Cursor, and Windsurf by uploading 24 malicious extensions to the Visual Studio marketplace and the Open VSX registry. The extensions are designed to steal cryptocurrency. The campaign is ongoing, with the threat actor continuously replacing removed extensions with new malicious ones. Core Ethereum developer Zak Cole reported that his wallet was drained after using a seemingly legitimate extension for the Cursor code editor. The extensions appear legitimate due to professionally designed icons, detailed descriptions, and inflated download counts. WhiteCobra previously conducted a $500,000 crypto-theft campaign in July using a fake extension for the Cursor editor.
Timeline
13.09.2025 17:00 · 1 article
WhiteCobra uploads 24 malicious extensions to VSCode marketplaces
WhiteCobra has uploaded 24 malicious extensions to the Visual Studio marketplace and the Open VSX registry, targeting users of VSCode, Cursor, and Windsurf. The extensions are designed to steal cryptocurrency, and removed extensions are continuously replaced with new ones to keep the campaign running. Each extension executes a main file that defers to a secondary script, which downloads a platform-specific payload from Cloudflare Pages. On Windows, the payload runs LummaStealer malware via a PowerShell script. On macOS, a malicious Mach-O binary executes locally to load an as-yet unidentified malware family.
Sources:
- 'WhiteCobra' floods VSCode market with crypto-stealing extensions — www.bleepingcomputer.com — 13.09.2025 17:00
Information Snippets
All snippets first reported 13.09.2025 17:00 (1 source, 1 article): 'WhiteCobra' floods VSCode market with crypto-stealing extensions — www.bleepingcomputer.com — 13.09.2025 17:00
- WhiteCobra has uploaded 24 malicious extensions to the Visual Studio marketplace and the Open VSX registry.
- The extensions target users of the VSCode, Cursor, and Windsurf code editors.
- The extensions are designed to steal cryptocurrency from users' wallets.
- The campaign is ongoing, with the threat actor continuously replacing removed extensions.
- Core Ethereum developer Zak Cole had his wallet drained after using a malicious extension.
- The malicious extensions appear legitimate, with professionally designed icons and detailed descriptions.
- WhiteCobra previously conducted a $500,000 crypto-theft campaign in July.
- The extensions execute a main file (extension.js) that defers to a secondary script (prompt.js).
- A next-stage payload, specific to the target platform, is downloaded from Cloudflare Pages.
- On Windows, a PowerShell script executes a Python script that runs LummaStealer malware.
- On macOS, a malicious Mach-O binary executes locally to load an unknown malware family.
- WhiteCobra operates in an organized fashion, with defined revenue targets and C2 infrastructure setup guides.
- WhiteCobra can deploy a new campaign in less than three hours.
- Recommendations include verifying extension legitimacy, avoiding new projects with rapid download growth, and being cautious of impersonation attempts.
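Added example, not code from the report or from any of the tools it names: a small triage scanner that walks an installed-extensions directory and flags the layout described above, that is, a registered main file that hands off to a sibling script such as prompt.js, references to a Cloudflare Pages host (*.pages.dev), and child-process spawning. The extension names, the placeholder pages.dev host and the sample sources are constructed; the checks are heuristics and any hit still needs manual review.

```python
import json, re, tempfile
from pathlib import Path

# Heuristics from the reported chain: the registered main file hands off to a sibling
# script, which fetches a second stage from a Cloudflare Pages host (*.pages.dev)
# and spawns a shell to run it. Heuristics only: review any hit by hand.
SIBLING_REQUIRE = re.compile(r"""require\(\s*['"]\./([\w.-]+\.js)['"]\s*\)""")
PAGES_DEV = re.compile(r"https?://[\w.-]+\.pages\.dev", re.IGNORECASE)
SHELL_SPAWN = re.compile(r"\b(powershell|child_process|execSync|spawn)\b", re.IGNORECASE)

def scan_extension(ext_dir: Path) -> list:
    """Follow the main entry through sibling requires; return readable findings."""
    findings, manifest = [], ext_dir / "package.json"
    if not manifest.is_file():
        return findings
    main = ext_dir / json.loads(manifest.read_text()).get("main", "extension.js")
    queue, seen = [main], set()
    while queue:
        f = queue.pop()
        if f in seen or not f.is_file():
            continue
        seen.add(f)
        src = f.read_text(encoding="utf-8", errors="replace")
        for sib in SIBLING_REQUIRE.findall(src):
            findings.append(f"{f.name} hands off to sibling script {sib}")
            queue.append(f.parent / sib)
        for url in PAGES_DEV.findall(src):
            findings.append(f"{f.name} references Cloudflare Pages host {url}")
        if SHELL_SPAWN.search(src):
            findings.append(f"{f.name} can spawn a shell or child process")
    return findings

def build_sample(root: Path) -> None:
    """Constructed sample: a benign extension and one mimicking the reported layout."""
    stage2 = ("const { execSync } = require('child_process');\n"
              "const url = 'https://placeholder-example.pages.dev/x';  // placeholder host\n")
    for name, main_src, prompt_src in [
            ("pub.theme-1.0.0", "exports.activate = () => {};\n", None),
            ("pub.helper-1.0.0", "exports.activate = () => require('./prompt.js');\n", stage2)]:
        d = root / name
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"name": name, "main": "./extension.js"}))
        (d / "extension.js").write_text(main_src)
        if prompt_src:
            (d / "prompt.js").write_text(prompt_src)

def demo() -> dict:  # build the constructed sample in a temp dir and scan every extension
    root = Path(tempfile.mkdtemp())
    build_sample(root)
    return {d.name: scan_extension(d) for d in sorted(root.iterdir()) if d.is_dir()}
```

On a real machine, call scan_extension on each directory under the editor's extensions folder (for VSCode, ~/.vscode/extensions) and review every flagged extension before trusting it.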
Similar Happenings
XCSSET macOS Malware Targets Xcode Developers with Enhanced Features
A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects and steals cryptocurrency and browser data from infected devices. It uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and to inspect Xcode projects before building them.