Bitcoin Black and Codo AI VS Code extensions delivering infostealer
Malware Activity
Summary
Hide ▲
Show ▼
The Bitcoin Black and Codo AI extensions on Microsoft's Visual Studio Code Marketplace are delivering an infostealer to developers' machines, creating immediate risk of stolen credentials, crypto wallets, and browser sessions. The malicious code uses DLL hijacking and hidden download steps to avoid obvious user warnings. The activity matters because compromised developer workstations can expose both local secrets and active online sessions.
Related Happenings
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware Activity
H score22
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware ActivityAbout this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware Activity
H score23
First: 24.06.2026 23:58
Last: 24.06.2026 23:58
Sources 1
About this happening:
The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware ActivityAbout this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware Activity
H score12
First: 17.06.2026 12:38
Last: 17.06.2026 12:38
Sources 1
About this happening:
A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware ActivityAbout this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
Timeline
-
09.12.2025 00:30 2 articles · 7mo ago
Koi Security reports malicious VS Code extensions on Microsoft's registry
Initial DisclosureKoi Security identified Bitcoin Black and Codo AI on Microsoft's Visual Studio Code Marketplace as malicious extensions that masquerade as a color theme and an AI assistant while delivering an infostealer to developers' machines, with capabilities to steal screenshots, credentials, browser sessions, and crypto wallets.
Show sources
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45