Security researchers have once again demonstrated that even official marketplaces cannot be treated as inherently trustworthy. Experts at Koi Security identified two malicious Visual Studio Code extensions — Bitcoin Black and Codo AI — that silently installed a powerful infostealer on developers’ workstations, targeting passwords, cookies, crypto wallets, and detailed system information.
Malicious Visual Studio Code extensions discovered in the official marketplace
Both extensions were published in the Visual Studio Code Marketplace under the publisher name BigBlack. Bitcoin Black posed as a harmless color theme, while Codo AI was advertised as an AI coding assistant integrating models such as ChatGPT and DeepSeek.
According to Koi Security’s report, Codo AI was still available at the time of disclosure with fewer than 30 installs, while Bitcoin Black had only a single recorded installation. Low install counts do not reduce the severity of the incident: compromise of even one developer system can open a path to source code repositories, CI/CD pipelines, and wider corporate infrastructure.
Attack chain: from VS Code activation events to stealthy payload delivery
Abuse of VS Code “*” activation event and PowerShell
The Bitcoin Black extension abused a special VS Code activation trigger, the “*” event, which fires in response to almost any user action in the editor. This allowed the extension to run frequently and with minimal visibility.
Initially, the attackers used embedded PowerShell code to download an encrypted archive containing the malicious payload. This approach, however, caused a PowerShell window to appear, which could alert attentive users or security monitoring tools.
Shift to batch scripts and silent DLL/EXE downloads
In later versions, the authors refactored the loader into a batch script named bat.sh that invoked curl to download a DLL and an accompanying .exe file. The entire sequence executed in the background without opening visible console windows, substantially improving stealth and persistence.
Codo AI: combining legitimate AI features with hidden malware
The Codo AI extension did provide real functionality: it helped generate code by calling popular AI models, making it appear useful and trustworthy. At the same time, it embedded essentially the same malicious loading logic observed in Bitcoin Black.
This combination of genuine capabilities and hidden malware is a common tactic in marketplace-based supply chain attacks. When users see value from an extension, they are less inclined to suspect malicious behavior, allowing background payloads to operate unhindered for long periods.
DLL hijacking with Lightshot and deployment of the infostealer
Both extensions packaged a legitimate executable of the widely used screenshot tool Lightshot alongside a malicious DLL. The attack leveraged DLL hijacking: when Lightshot started, Windows searched for required libraries starting from the application directory, loaded the attacker-controlled DLL instead of the genuine one, and executed its code.
This malicious DLL then installed an infostealer component under the name runtime.exe. According to Koi Security’s analysis, the DLL was detected by only 29 of 72 antivirus engines on VirusTotal, indicating either a relatively new sample or effective obfuscation that allowed it to evade many signature-based products.
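An added audit script, not from the article or from Koi Security's tooling, that checks unpacked extension folders for the two traits described above: the "*" activation event, and native binaries or scripts bundled next to a theme that should need neither. The extension names, files and folder layout are constructed samples; the checks themselves apply to any extensions root such as ~/.vscode/extensions.

```python
import json
import tempfile
from pathlib import Path

# File types a color theme or an AI chat helper has no business shipping.
SUSPICIOUS_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".sh"}

def audit_extension(ext_dir: Path) -> list[str]:
    """Return findings for one unpacked extension folder; an empty list means nothing flagged."""
    findings = []
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return ["no package.json (not a valid extension layout)"]
    pkg = json.loads(manifest.read_text(encoding="utf-8"))
    if "*" in pkg.get("activationEvents", []):  # loads at every VS Code start, no user action needed
        findings.append('activationEvents contains "*"')
    if "themes" in pkg.get("contributes", {}) and pkg.get("main"):
        findings.append("declares a color theme but also registers a JS entry point (main)")
    for path in sorted(ext_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings.append(f"bundled binary or script: {path.relative_to(ext_dir).as_posix()}")
    return findings

def audit_all(extensions_root: Path) -> dict[str, list[str]]:
    """Audit every folder under an extensions root such as ~/.vscode/extensions."""
    return {d.name: audit_extension(d) for d in sorted(extensions_root.iterdir()) if d.is_dir()}

def build_sample_tree(root: Path) -> Path:
    """Constructed sample layout with hypothetical names, not real marketplace contents."""
    bad = root / "sample.suspicious-theme-0.0.1"
    (bad / "bin").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "suspicious-theme", "main": "./extension.js", "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Dark", "path": "./theme.json"}]}}))
    (bad / "bin" / "screenshot.exe").write_bytes(b"MZ")  # stand-in for a legitimate host app
    (bad / "bin" / "helper.dll").write_bytes(b"MZ")      # library the host app would load first
    good = root / "sample.plain-theme-1.0.0"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({"name": "plain-theme",
        "contributes": {"themes": [{"label": "Plain", "path": "./theme.json"}]}}))
    return root

def run_demo() -> dict[str, list[str]]:  # build the constructed sample in a temp dir and audit it
    with tempfile.TemporaryDirectory() as tmp:
        return audit_all(build_sample_tree(Path(tmp)))

if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or ["nothing flagged"])
```

Point audit_all at the real extensions folder to review a workstation; a theme that activates on "*" or ships an .exe/.dll pair deserves a manual look before it is kept.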
Capabilities of the VS Code infostealer
Once active, the malware created the directory %APPDATA%\Local\Evelyn to store exfiltrated data. The infostealer collected:
— information about running processes;
— clipboard contents;
— stored Wi‑Fi credentials;
— detailed system information;
— desktop screenshots;
— lists of installed applications and active processes.
For browser account takeover, the malware launched Google Chrome and Microsoft Edge in headless mode (without a visible window) and extracted saved cookies from browser profiles. With session cookies in hand, attackers can often bypass passwords and even 2FA if a valid session is already active, enabling direct access to webmail, cloud services, and development platforms.
The infostealer also focused on cryptocurrency theft. It scanned for popular wallets such as Phantom, MetaMask, Exodus and others, attempting to extract secrets, passwords, and seed phrases found in wallet files, browser storage, or auto-saved data. Such theft can lead to immediate and irreversible financial loss.
Microsoft’s response and key lessons for secure development environments
Microsoft has removed both malicious extensions from the Visual Studio Code Marketplace. However, their presence in the official store highlights the growing risk of developer-focused supply chain attacks and the limitations of static pre-publication checks.
To reduce exposure when using marketplace extensions, organizations and individual developers should:
— prefer VS Code extensions from well-known, vetted publishers with a track record and high install counts;
— perform regular audits of installed extensions and remove those that are unused or unmaintained;
— monitor for unexpected invocation of PowerShell, cmd.exe, curl, and unknown .exe files from developer profiles;
— deploy modern EDR/XDR platforms with behavioral detection rather than relying solely on traditional antivirus signatures;
— keep seed phrases and private keys off developer workstations wherever possible, using hardware wallets or dedicated secure devices.
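An added detection example, not from the article or Koi Security, that runs the process-level indicators named above (PowerShell, cmd.exe or curl launched beneath the editor, an unknown .exe started from the user profile, and a browser started headless by something other than a browser) over constructed Sysmon-style process-creation events. The Evelyn folder and runtime.exe name come from the article; the pids, paths and command lines are assumptions.

```python
from pathlib import PureWindowsPath

EDITORS = {"code.exe", "code - insiders.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}
# Constructed process-creation events in a Sysmon-like shape, not real telemetry. The
# Evelyn folder and runtime.exe name are from the article; every other value is made up.
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 1, "CommandLine": "Code.exe",
     "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"pid": 300, "ppid": 200, "CommandLine": "cmd.exe /c ...", "Image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "CommandLine": "curl.exe -s -o ...", "Image": r"C:\Windows\System32\curl.exe"},
    {"pid": 500, "ppid": 300, "CommandLine": "runtime.exe",
     "Image": r"C:\Users\dev\AppData\Roaming\Local\Evelyn\runtime.exe"},
    {"pid": 600, "ppid": 500, "CommandLine": "chrome.exe --headless ...",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 700, "ppid": 1, "CommandLine": "chrome.exe",  # ordinary interactive browser launch
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

def image_name(event: dict) -> str:
    return PureWindowsPath(event["Image"]).name.lower()

def has_editor_ancestor(event: dict, by_pid: dict, max_depth: int = 8) -> bool:
    """Walk up the parent chain; True if VS Code sits anywhere above this process."""
    cur = by_pid.get(event["ppid"])
    while cur is not None and max_depth > 0:
        if image_name(cur) in EDITORS:
            return True
        cur, max_depth = by_pid.get(cur["ppid"]), max_depth - 1
    return False

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs for events matching the article's indicators."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e)
        if name in EDITORS:
            continue
        if has_editor_ancestor(e, by_pid):
            if name in LOLBINS:
                alerts.append((e["pid"], f"{name} launched under the editor process tree"))
            elif name.endswith(".exe") and "\\appdata\\" in e["Image"].lower():
                alerts.append((e["pid"], f"unknown executable run from user profile: {name}"))
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent) if parent else "unknown"
        if name in BROWSERS and "--headless" in e["CommandLine"].lower() and pname not in BROWSERS:
            alerts.append((e["pid"], f"{name} started headless by {pname}"))
    return alerts
```

VS Code's integrated terminal legitimately spawns cmd.exe and powershell.exe beneath Code.exe, so a production rule needs an allowlist for those launches (or a second look at the command line and children) rather than alerting on every match.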
The Bitcoin Black and Codo AI case underscores that developer machines are high-value targets for threat actors. As development workflows increasingly depend on rich ecosystems of plugins and AI assistants, organizations must treat integrated development environments as critical assets, enforce strict extension governance, and continuously educate teams about marketplace risks and secure tool selection.