Malicious VSCode extensions infect Windows with cryptominers
-
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025.
The package names are:
- Discord Rich Presence for VS Code (by
Mark H) - 189K Installs - Rojo – Roblox Studio Sync (by
evaera) - 117K Installs - Solidity Compiler (by
VSCode Developer) - 1.3K Installs - Claude AI (by
Mark H) - Golang Compiler (by
Mark H) - ChatGPT Agent for VSCode (by
Mark H) - HTML Obfuscator (by
Mark H) - Python Obfuscator for VSCode (by
Mark H) - Rust Compiler for VSCode (by
Mark H)
Such tricks were was predictable, as VSCode extensions, letting arbitrary JS run on your system, are an obvious security risk.
Recently I used Zed editor instead, it's smooth, but this also has extensions, only these are fewer and in rust ( maybe a higher barrier, targeting less users, so far... ). What's the solution here - is there some intrinsically safer sandboxed system ? - Discord Rich Presence for VS Code (by
-
Such tricks were was predictable, as VSCode extensions, letting arbitrary JS run on your system, are an obvious security risk.
Recently I used Zed editor instead, it's smooth, but this also has extensions, only these are fewer and in rust ( maybe a higher barrier, targeting less users, so far... ). What's the solution here - is there some intrinsically safer sandboxed system ?The more sandboxed the extension system, the less powerful it is.
You either have an entity that approves of extensions. Or your users have to be very careful and trusting of other people. There's no other way.
-
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025.
The package names are:
- Discord Rich Presence for VS Code (by
Mark H) - 189K Installs - Rojo – Roblox Studio Sync (by
evaera) - 117K Installs - Solidity Compiler (by
VSCode Developer) - 1.3K Installs - Claude AI (by
Mark H) - Golang Compiler (by
Mark H) - ChatGPT Agent for VSCode (by
Mark H) - HTML Obfuscator (by
Mark H) - Python Obfuscator for VSCode (by
Mark H) - Rust Compiler for VSCode (by
Mark H)
Such a sack of shit that Mark H.
- Discord Rich Presence for VS Code (by
-
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025.
The package names are:
- Discord Rich Presence for VS Code (by
Mark H) - 189K Installs - Rojo – Roblox Studio Sync (by
evaera) - 117K Installs - Solidity Compiler (by
VSCode Developer) - 1.3K Installs - Claude AI (by
Mark H) - Golang Compiler (by
Mark H) - ChatGPT Agent for VSCode (by
Mark H) - HTML Obfuscator (by
Mark H) - Python Obfuscator for VSCode (by
Mark H) - Rust Compiler for VSCode (by
Mark H)
HTML Obfuscator
Fucking what
- Discord Rich Presence for VS Code (by
-
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025.
The package names are:
- Discord Rich Presence for VS Code (by
Mark H) - 189K Installs - Rojo – Roblox Studio Sync (by
evaera) - 117K Installs - Solidity Compiler (by
VSCode Developer) - 1.3K Installs - Claude AI (by
Mark H) - Golang Compiler (by
Mark H) - ChatGPT Agent for VSCode (by
Mark H) - HTML Obfuscator (by
Mark H) - Python Obfuscator for VSCode (by
Mark H) - Rust Compiler for VSCode (by
Mark H)
Microsoft and macro viruses, name a more iconic duo.
- Discord Rich Presence for VS Code (by
-
Such tricks were was predictable, as VSCode extensions, letting arbitrary JS run on your system, are an obvious security risk.
Recently I used Zed editor instead, it's smooth, but this also has extensions, only these are fewer and in rust ( maybe a higher barrier, targeting less users, so far... ). What's the solution here - is there some intrinsically safer sandboxed system ?I can't imagine a sandbox would help. what can an an extension do that doesn't touch some arbitrary code that gets run? it could add a line to the middle of a giant file right before you run and remove it immediately after. even if you run the whole editor in a sandbox you do eventually deploy that code somewhere, it can change something inconspicuous like a url in a dependency file that might not get caught in a pr
the only solution is to audit everything you install, know all the code you run, etc. ofc that's not reasonable, but idk what else there is. better automated virus check things maybe? identity verification for extension publishers? idk if there's an actual solution
-
I can't imagine a sandbox would help. what can an an extension do that doesn't touch some arbitrary code that gets run? it could add a line to the middle of a giant file right before you run and remove it immediately after. even if you run the whole editor in a sandbox you do eventually deploy that code somewhere, it can change something inconspicuous like a url in a dependency file that might not get caught in a pr
the only solution is to audit everything you install, know all the code you run, etc. ofc that's not reasonable, but idk what else there is. better automated virus check things maybe? identity verification for extension publishers? idk if there's an actual solution
Might be one thing AI tools will be super useful for, if it's possible to teach it what types of code are potentially malicious and able to automatically flag it for review AT LEAST.
-
Such a sack of shit that Mark H.
im glad his hand got chopped off
-
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025.
The package names are:
- Discord Rich Presence for VS Code (by
Mark H) - 189K Installs - Rojo – Roblox Studio Sync (by
evaera) - 117K Installs - Solidity Compiler (by
VSCode Developer) - 1.3K Installs - Claude AI (by
Mark H) - Golang Compiler (by
Mark H) - ChatGPT Agent for VSCode (by
Mark H) - HTML Obfuscator (by
Mark H) - Python Obfuscator for VSCode (by
Mark H) - Rust Compiler for VSCode (by
Mark H)
shocker. an electron app that's terrible and full of malware.
- Discord Rich Presence for VS Code (by
-
HTML Obfuscator
Fucking what
Just that? An open source HTML minifier probably bundled with a miner.
-
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025.
The package names are:
- Discord Rich Presence for VS Code (by
Mark H) - 189K Installs - Rojo – Roblox Studio Sync (by
evaera) - 117K Installs - Solidity Compiler (by
VSCode Developer) - 1.3K Installs - Claude AI (by
Mark H) - Golang Compiler (by
Mark H) - ChatGPT Agent for VSCode (by
Mark H) - HTML Obfuscator (by
Mark H) - Python Obfuscator for VSCode (by
Mark H) - Rust Compiler for VSCode (by
Mark H)
Kate >>> VSCode
- Discord Rich Presence for VS Code (by
-
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025.
The package names are:
- Discord Rich Presence for VS Code (by
Mark H) - 189K Installs - Rojo – Roblox Studio Sync (by
evaera) - 117K Installs - Solidity Compiler (by
VSCode Developer) - 1.3K Installs - Claude AI (by
Mark H) - Golang Compiler (by
Mark H) - ChatGPT Agent for VSCode (by
Mark H) - HTML Obfuscator (by
Mark H) - Python Obfuscator for VSCode (by
Mark H) - Rust Compiler for VSCode (by
Mark H)
Can your Linux do that?
.
.
.
.
.
.
.
.
Yes, of couse it can, all of that and even more!
- Discord Rich Presence for VS Code (by
-
shocker. an electron app that's terrible and full of malware.
Don't think it has anything to do with electron. VSCode is just the largest editor that people install extensions for, so it's what makes the most sense to write malware for. If vim was more popular, I'm sure there would be more crypto mining extensions for that (I wonder how many there are? Surely more than zero?)
-
I can't imagine a sandbox would help. what can an an extension do that doesn't touch some arbitrary code that gets run? it could add a line to the middle of a giant file right before you run and remove it immediately after. even if you run the whole editor in a sandbox you do eventually deploy that code somewhere, it can change something inconspicuous like a url in a dependency file that might not get caught in a pr
the only solution is to audit everything you install, know all the code you run, etc. ofc that's not reasonable, but idk what else there is. better automated virus check things maybe? identity verification for extension publishers? idk if there's an actual solution
It seems so far Zed is cautious, providing api only for specific extensions - i.e. language servers and gui themes.
add a line ... right before you run it
I run stuff from the command line using a trusted build tool (Mill, in scala), or via a local server (where js is sandboxed).
But indeed, a tricky language server or AI tool (I don't use yet) might inject code where I don't inspect before running it.
That's a risk even with java-based IDEs - java has security permissions, not in js (vscode) or rust (zed), but are they applied...?
As for audits, a problem with vscode is the marketplace got too big, so many extensions, many lookalikes, nobody can check them all... -
Just that? An open source HTML minifier probably bundled with a miner.
Minification isn't the same as obfuscation, though. The only way I can think to obfuscate HTML would be to replace every element with a custom element.
-
Minification isn't the same as obfuscation, though. The only way I can think to obfuscate HTML would be to replace every element with a custom element.
Well, one could make up all kinds of tactics. Especially with the help of css styles inside the document? For example: add random crap, make it invisible. Make the real content hard to see or find in the document. Why though? I don't know! Now I am kind of curious to know what it did, if anything.
-
It seems so far Zed is cautious, providing api only for specific extensions - i.e. language servers and gui themes.
add a line ... right before you run it
I run stuff from the command line using a trusted build tool (Mill, in scala), or via a local server (where js is sandboxed).
But indeed, a tricky language server or AI tool (I don't use yet) might inject code where I don't inspect before running it.
That's a risk even with java-based IDEs - java has security permissions, not in js (vscode) or rust (zed), but are they applied...?
As for audits, a problem with vscode is the marketplace got too big, so many extensions, many lookalikes, nobody can check them all...well the language server plugins all run a binary language server out of sandbox so zed doesn't really do anything safer in particular there either. no ide has solutions, solutions don't really exist right now. it's not a problem of features of the language as much as it is features developers expect in extensions. I suppose there is a hypothetical "the extension wants to make this change to this file, approve" type flow like AI tools have now, but that sounds unpleasant to use. it still doesn't get around things like language servers being designed to run as standalone processes out of sandbox.
by audits I meant you individually go and read all the code of all the extensions you use. of course that's impossible too, but that was my point
-
Don't think it has anything to do with electron. VSCode is just the largest editor that people install extensions for, so it's what makes the most sense to write malware for. If vim was more popular, I'm sure there would be more crypto mining extensions for that (I wonder how many there are? Surely more than zero?)
It also helps its as easy as clicking a button to install an extension... and i wonder how many even bother checks the source of the extension?
-
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025.
The package names are:
- Discord Rich Presence for VS Code (by
Mark H) - 189K Installs - Rojo – Roblox Studio Sync (by
evaera) - 117K Installs - Solidity Compiler (by
VSCode Developer) - 1.3K Installs - Claude AI (by
Mark H) - Golang Compiler (by
Mark H) - ChatGPT Agent for VSCode (by
Mark H) - HTML Obfuscator (by
Mark H) - Python Obfuscator for VSCode (by
Mark H) - Rust Compiler for VSCode (by
Mark H)
Let this be a lesson. We should never, ever, use software.
- Discord Rich Presence for VS Code (by
-
Let this be a lesson. We should never, ever, use software.
Software is the leading cause of all computer viruses.
