Find notable cyber news and cases, enriched with sources, timelines, and signals.

BigBlack VS Code Marketplace stealer extensions

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The discovery of malicious VS Code Marketplace extensions matters because they can quietly turn a developer workstation into a stealer platform and exfiltrate sensitive data within seconds. Two packages, BigBlack.bitcoin-black and BigBlack.codo-ai, posed as a premium theme and an AI coding assistant while hiding malicious code. A third package from the same publisher, BigBlack.mrbigblacktheme, was also removed for containing malware.

Related Happenings

Malicious npm packages delivering Windows RAT

Malware Activity
H score3 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
H score37 First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

GlassWorm OpenVSX sleeper extension campaign

Campaign
H score45 First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
H score30 First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Timeline

  1. 09.12.2025 10:07 1 articles · 7mo ago

    Microsoft removes BigBlack.bitcoin-black from VS Code Marketplace

    Mitigation Patch Update

    Microsoft removed BigBlack.bitcoin-black from the Microsoft Visual Studio Code (VS Code) Marketplace on December 5, 2025 after the extension was identified as a malicious package that masqueraded as a premium dark theme and activated on every VS Code action to help infect developer machines with stealer malware.

    Show sources
  2. 09.12.2025 10:07 1 articles · 7mo ago

    Microsoft removes BigBlack.codo-ai from VS Code Marketplace

    Mitigation Patch Update

    Microsoft removed BigBlack.codo-ai from the Microsoft Visual Studio Code (VS Code) Marketplace on December 8, 2025 after the extension was identified as a malicious AI coding assistant that hid stealer malware inside a working tool to infect developer machines.

    Show sources
  3. 09.12.2025 10:07 2 articles · 7mo ago

    Researchers disclose malicious VS Code Marketplace extensions and payload chain

    Initial Disclosure

    Cybersecurity researchers disclosed that Microsoft Visual Studio Code (VS Code) Marketplace extensions BigBlack.bitcoin-black and BigBlack.codo-ai were designed to infect developer machines with stealer malware, and Microsoft also removed BigBlack.mrbigblacktheme from the same publisher for containing malware. The malicious extensions used PowerShell to download a password-protected ZIP from syn1112223334445556667778889990[.]org, later shifted to a batch script with curl, and then relied on the legitimate Lightshot binary and Lightshot.dll for DLL hijacking to collect clipboard contents, installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, detailed system information, Google Chrome cookies, and Microsoft Edge sessions.

    Show sources