Threat analysts at Koi Security have identified a coordinated WhiteCobra campaign abusing the VS Code Marketplace and Open VSX Registry. The actors seeded at least 24 malicious VSIX packages aimed at users of Visual Studio Code, Cursor, and Windsurf. The operation is actively maintained: removed plugins are quickly replaced, indicating a resilient delivery infrastructure and a continuous deployment model for the attack.
Attack chain: “Hello World” decoy and Cloudflare Pages payload delivery
The base extension module (extension.js) masquerades as a standard “Hello World” sample while covertly invoking a second-stage script (prompt.js). That loader retrieves platform-specific payloads from Cloudflare Pages, with variants for Windows, macOS (Intel), and macOS (ARM). Hosting malware on reputable, ephemeral or content-delivery platforms complicates static and signature-based detection and improves attacker survivability.
Windows path: PowerShell → Python → shellcode → Lumma stealer
On Windows, the chain culminates in execution of the Lumma stealer (LummaC2). PowerShell launches a Python script that decodes and runs embedded shellcode, a tactic consistent with “living off the land” to reduce forensic traces. The stealer targets cryptocurrency wallets and browser extensions, saved credentials, cookies, and messenger data, aligning with financially motivated objectives.
macOS path: local Mach-O loader with additional stage
On macOS, a local Mach-O binary executes and then fetches an additional malicious module. The exact malware family in this branch remains unidentified, which hinders signature-based detection and complicates attribution.
Social engineering: polished storefronts and manipulated trust signals
WhiteCobra invests in professional branding, comprehensive descriptions, and inflated downloads and reviews to pass as legitimate. A notable case: Ethereum developer Zak Cole reported a wallet compromise after installing contractshark.solidity-lang for Cursor; the Open VSX listing showed about 54,000 downloads. According to Koi Security, in July 2025 alone, a malicious Cursor AI plugin facilitated theft exceeding $500,000 in crypto assets.
Why IDE extension ecosystems are exposed
The VSIX format is cross-platform and supported by VS Code, Cursor, and Windsurf, enabling broad reach from a single package. Low publication barriers and limited pre-publication moderation create a window for supply chain attacks. Prior research from Checkmarx and Aqua Security has warned that extension marketplaces can be leveraged for malware delivery and that ratings and download counters are susceptible to manipulation.
Operational maturity: re-seeding within hours and revenue targets
Koi Security reports that WhiteCobra’s internal playbooks set financial targets of $10,000–$500,000, include guidance for standing up C2 infrastructure, and codify social engineering and marketing tactics. After takedowns, the group reportedly spins up fresh artifacts in under three hours, suggesting automation and prebuilt pipelines.
Who faces the highest risk and potential impact
The primary risk group includes developers and teams handling cryptowallets, private keys, access tokens, and source repositories. Theft of sessions and secrets can cascade into CI/CD compromise and loss of digital assets. Cross-IDE exposure increases the likelihood of broader, organization-wide impact.
Actionable mitigation for VS Code, Cursor, and Windsurf users
1) Control sources: Install extensions only from verified publishers. Validate linked GitHub repos, commit history, and code-functionality alignment. Be wary of sudden popularity without a reputation trail.
2) Organization policies: Enforce an allowlist of extensions, disable VSIX sideloading where possible, pin versions, and subject all artifacts to review before deployment to developer endpoints.
3) Technical controls: Monitor anomalous PowerShell/Python chains; restrict outbound traffic to unknown or temporary hosting domains (including Cloudflare Pages when unjustified); deploy EDR with behavioral detections for stealers like Lumma; and block known IoCs published by Koi Security.
4) Incident response: On suspicion of compromise, immediately revoke tokens and keys, rotate all secrets, triage developer workstations, and coordinate with VS Code Marketplace and Open VSX to remove malicious packages.
Extension marketplaces have become a critical link in the software supply chain. Strengthening publisher verification, improving moderation, adding privacy-preserving behavioral telemetry for extensions, and ensuring transparent ecosystem response can curb systemic risk. Organizations should reassess extension policies, adopt multi-layered defenses, and continuously monitor for anomalous developer workstation activity to reduce exposure to campaigns like WhiteCobra.
