BigBlack VS Code Marketplace stealer extensions
Malware Activity
Summary
Hide ▲
Show ▼
The discovery of malicious VS Code Marketplace extensions matters because they can quietly turn a developer workstation into a stealer platform and exfiltrate sensitive data within seconds. Two packages, BigBlack.bitcoin-black and BigBlack.codo-ai, posed as a premium theme and an AI coding assistant while hiding malicious code. A third package from the same publisher, BigBlack.mrbigblacktheme, was also removed for containing malware.
Related Happenings
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
H score37
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater broad cyber-espionage campaign across sectors and countries
CampaignAbout this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
GlassWorm OpenVSX sleeper extension campaign
Campaign
H score45
First: 28.04.2026 00:41
Last: 28.04.2026 00:41
Sources 1
About this happening:
The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
GlassWorm OpenVSX sleeper extension campaign
CampaignAbout this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
H score30
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
GlassWorm v2 cloned VS Code extension loaders
Malware ActivityAbout this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
Timeline
-
09.12.2025 10:07 1 articles · 7mo ago
Microsoft removes BigBlack.bitcoin-black from VS Code Marketplace
Mitigation Patch UpdateMicrosoft removed BigBlack.bitcoin-black from the Microsoft Visual Studio Code (VS Code) Marketplace on December 5, 2025 after the extension was identified as a malicious package that masqueraded as a premium dark theme and activated on every VS Code action to help infect developer machines with stealer malware.
Show sources
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
-
09.12.2025 10:07 1 articles · 7mo ago
Microsoft removes BigBlack.codo-ai from VS Code Marketplace
Mitigation Patch UpdateMicrosoft removed BigBlack.codo-ai from the Microsoft Visual Studio Code (VS Code) Marketplace on December 8, 2025 after the extension was identified as a malicious AI coding assistant that hid stealer malware inside a working tool to infect developer machines.
Show sources
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
-
09.12.2025 10:07 2 articles · 7mo ago
Researchers disclose malicious VS Code Marketplace extensions and payload chain
Initial DisclosureCybersecurity researchers disclosed that Microsoft Visual Studio Code (VS Code) Marketplace extensions BigBlack.bitcoin-black and BigBlack.codo-ai were designed to infect developer machines with stealer malware, and Microsoft also removed BigBlack.mrbigblacktheme from the same publisher for containing malware. The malicious extensions used PowerShell to download a password-protected ZIP from syn1112223334445556667778889990[.]org, later shifted to a batch script with curl, and then relied on the legitimate Lightshot binary and Lightshot.dll for DLL hijacking to collect clipboard contents, installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, detailed system information, Google Chrome cookies, and Microsoft Edge sessions.
Show sources
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07