Find notable cyber news and cases, enriched with sources, timelines, and signals.

Evelyn Stealer abuse of VS Code extensions to steal developer data

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

A new stealer operation is using malicious VS Code extensions to compromise software developers, creating a high-risk path into developer environments and broader organizational systems. The payload, Evelyn Stealer, is designed to collect credentials, cryptocurrency data, cookies, and screenshots. It also targets production systems and cloud resources, increasing the chance of follow-on compromise beyond the initial workstation. The activity matters because developer tools and extensions are being turned into a delivery channel for data theft.

Related Happenings

Windows cryptocurrency clipper campaign targeting users via USB LNK worms

Campaign
H score32 First: 18.06.2026 17:30 Last: 18.06.2026 17:30 Sources 1

About this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
H score26 First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Node-ipc malicious versions with stealer/backdoor payload

Malware Activity
H score34 First: 14.05.2026 20:22 Last: 14.05.2026 20:22 Sources 1

About this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
H score16 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Sefirah infostealer delivered through a malicious Hugging Face repository

Malware Activity
H score16 First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...

Timeline

  1. 20.01.2026 13:48 2 articles · 5mo ago

    Evelyn Stealer VS Code extension campaign disclosure

    Initial Disclosure

    Cybersecurity researchers disclosed a malware campaign targeting software developers through the Microsoft Visual Studio Code (VS Code) extension ecosystem, with Evelyn Stealer delivered through malicious extensions such as BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme. The campaign was first documented by Koi Security last month and later analyzed by Trend Micro, which described a chain that drops Lightshot.dll, launches a hidden PowerShell command to fetch runtime.exe, injects the stealer into grpconv.exe, and exfiltrates credentials, cryptocurrency-related data, clipboard contents, installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, system information, and Google Chrome and Microsoft Edge cookies to server09.mentality[.]cloud over FTP in ZIP form. The malware also uses browser flags and a mutex to reduce interference and detection, and compromised developer environments may provide access into broader organizational systems.

    Show sources