Malicious VSCode Extensions Infect Windows with Cryptominers

Researchers have discovered malicious Visual Studio Code (VSCode) extensions that secretly install cryptocurrency miners on Windows systems. These extensions, often disguised as useful development tools, exploit the trust of developers to deliver payloads that hijack system resources for mining operations.

You Should Know:

How the Attack Works:

  1. Malicious Extensions: Attackers upload harmful extensions to the VSCode marketplace, often mimicking legitimate tools.
  2. Auto-Execution: Some extensions execute malicious scripts immediately upon installation.
  3. Persistence: The malware establishes persistence via scheduled tasks, registry modifications, or hidden processes.
  4. Cryptomining: The payload deploys a miner (e.g., XMRig) that silently consumes CPU/GPU resources.

Detection & Removal:

  • Check Running Processes (the CPU property is cumulative processor seconds, not a percentage, so this lists processes that have already burned more than 50 seconds of CPU):
    Get-Process | Where-Object { $_.CPU -gt 50 } | Format-Table -AutoSize
    
  • Inspect Network Connections (the last column is the owning PID, which you can match against the process list above):
    netstat -ano | findstr "ESTABLISHED"
    
  • Scan for Suspicious Extensions (Windows cmd has no grep; findstr /I does a case-insensitive match; replace "suspicious-extension" with the name you are looking for):
    code --list-extensions | findstr /I "suspicious-extension"
    
  • Remove Malicious Extensions (extension IDs take the form publisher.name, as printed by --list-extensions):
    code --uninstall-extension malicious.extension
    
  • Kill Miner Processes (substitute the PID found with Get-Process or netstat):
    taskkill /F /PID <PID>
    
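The manual checks above can be run together as one triage pass. The following PowerShell script is an added example, not code from the article or from BleepingComputer; it assumes the `code` CLI is on PATH, that extensions live under `$env:USERPROFILE\.vscode\extensions`, and uses an arbitrary 2-second sample window and 25% CPU threshold as starting points rather than published indicators.

```powershell
# Added triage script (not from the article). Assumptions: `code` is on PATH, extensions are
# under %USERPROFILE%\.vscode\extensions; the 2 s window and 25% threshold are arbitrary defaults.

# 1. Installed extensions with publisher and version, straight from the CLI (publisher.name@version).
function Get-VsCodeExtensionInventory {
    code --list-extensions --show-versions | ForEach-Object {
        $id, $ver = $_ -split '@', 2
        $publisher, $name = $id -split '\.', 2
        [pscustomobject]@{ Publisher = $publisher; Name = $name; Version = $ver }
    }
}

# 2. Processes consuming real CPU right now. Get-Process's CPU property is cumulative
#    seconds, so sample it twice and convert the delta to a percentage of all cores.
function Get-HotProcess {
    param([int]$Seconds = 2, [double]$ThresholdPercent = 25)
    $first = Get-Process | Select-Object Id, ProcessName, Path, CPU
    Start-Sleep -Seconds $Seconds
    $second = Get-Process | Select-Object Id, CPU
    $cores = [Environment]::ProcessorCount
    foreach ($p in $first) {
        $later = $second | Where-Object Id -eq $p.Id
        if ($null -eq $later -or $null -eq $p.CPU) { continue }
        $pct = (($later.CPU - $p.CPU) / ($Seconds * $cores)) * 100
        if ($pct -ge $ThresholdPercent) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $p.Path; CpuPercent = [math]::Round($pct, 1) }
        }
    }
}

# 3. Established TCP connections owned by a process (the PowerShell equivalent of netstat -ano | findstr ESTABLISHED).
function Get-ProcessConnection {
    param([Parameter(Mandatory)][int]$ProcessId)
    Get-NetTCPConnection -OwningProcess $ProcessId -State Established -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
}

# 4. Scheduled tasks whose action launches anything from the extensions directory (the persistence path the article describes).
function Get-ExtensionScheduledTask {
    $extRoot = Join-Path $env:USERPROFILE '.vscode\extensions'
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { ($_.Execute + ' ' + $_.Arguments) -like "*$extRoot*" }
    } | Select-Object TaskName, TaskPath, State
}

Get-VsCodeExtensionInventory | Format-Table -AutoSize
$hot = Get-HotProcess
$hot | Format-Table -AutoSize
foreach ($p in $hot) { Get-ProcessConnection -ProcessId $p.Id | Format-Table -AutoSize }
Get-ExtensionScheduledTask | Format-Table -AutoSize
```

Review the hot-process list against the extension inventory and task output before removing anything; a legitimate build or language server can also sit at high CPU for a few seconds.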

Preventive Measures:

  • Only install extensions with high ratings and verified publishers.
  • Monitor system performance for unusual spikes.
  • Use endpoint protection tools to detect cryptominers.

What Undercode Says:

This attack highlights the risks of third-party extensions in developer tools. Attackers increasingly target software supply chains, making vigilance essential. Developers should:
– Audit installed extensions regularly.
– Use sandboxed environments for testing new tools.
– Employ security tools like Windows Defender or ClamAV for scanning.

Expected Output:

A clean system free of unauthorized miners, improved extension vetting processes, and enhanced monitoring for abnormal resource usage.

Prediction:

As supply chain attacks grow, we’ll see more malicious extensions in other IDEs (e.g., PyCharm, Eclipse). Developers must adopt zero-trust approaches when installing third-party tools.

Reference: BleepingComputer

References:

Reported By: Florian Hansemann – Hackers Feeds