Malicious VS Code Extensions Steal WiFi Passwords and Sensitive Data

Two new malicious extensions have been discovered on the Microsoft Visual Studio Code (VS Code) Marketplace that can steal sensitive information from developer machines. The extensions pose as premium dark themes and AI-powered coding assistants but secretly download additional payloads, take screenshots, and siphon data.

The malicious extensions, “BigBlack.bitcoin-black” and “BigBlack.codo-ai,” were removed by Microsoft on December 5, 2025, and December 8, 2025, respectively. Koi Security’s Idan Dardikman warned that the extensions can steal WiFi passwords, clipboard contents, browser sessions, and more.

The attackers use DLL hijacking to load a rogue DLL that collects desktop screenshots, stored Wi-Fi credentials, and detailed system information. The malicious extensions also launch Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.

This is not an isolated incident. Researchers have discovered similar malicious packages in other ecosystems, including Go, npm, and Rust. These packages can exfiltrate sensitive data, such as WiFi passwords and clipboard contents, to remote servers.

To avoid falling victim to these attacks, developers should regularly update their software and be cautious when installing new extensions.
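
Because removal from the Marketplace does not by itself prove a workstation is clean, a local audit for the two extension IDs named above is a useful check. The script below is an added example, not code from the article or from Koi Security. It assumes the default `~/.vscode/extensions` directory and the `publisher.name-version` folder naming, and its function names are hypothetical.

```python
import json
import tempfile
from pathlib import Path
from typing import Optional

# Extension IDs named in the article (publisher.name), compared case-insensitively.
REMOVED_IDS = {"bigblack.bitcoin-black", "bigblack.codo-ai"}


def extension_id(ext_dir: Path) -> Optional[str]:
    """Return 'publisher.name' for an installed extension folder, or None."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{data['publisher']}.{data['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        # Manifest missing or unreadable: fall back to the folder name,
        # assumed to follow the 'publisher.name-version' pattern.
        head, sep, version = ext_dir.name.rpartition("-")
        return head.lower() if sep and version[:1].isdigit() else None


def find_flagged(ext_root: Path, flagged=REMOVED_IDS) -> list:
    """List installed extension folders whose ID is in the flagged set."""
    if not ext_root.is_dir():
        return []
    return sorted(d for d in ext_root.iterdir()
                  if d.is_dir() and extension_id(d) in flagged)


def demo() -> list:
    """Build a constructed extensions directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample folders; the versions are made up for the demo.
        samples = {
            "bigblack.bitcoin-black-1.0.0": {"publisher": "BigBlack", "name": "bitcoin-black"},
            "example.safe-theme-2.1.0": {"publisher": "example", "name": "safe-theme"},
            "BigBlack.codo-ai-0.0.1": None,  # no manifest: folder-name fallback
        }
        for folder, manifest in samples.items():
            (root / folder).mkdir()
            if manifest is not None:
                (root / folder / "package.json").write_text(json.dumps(manifest))
        return [p.name for p in find_flagged(root)]


if __name__ == "__main__":
    # Assumed default location; other VS Code builds or --extensions-dir differ.
    for hit in find_flagged(Path.home() / ".vscode" / "extensions"):
        print("flagged extension installed:", hit)
```

A hit means the extension folder is still on disk. Since the article describes theft of Wi-Fi passwords and browser sessions, rotating those credentials on an affected machine matters as much as uninstalling the extension.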

Source: https://thehackernews.com/2025/12/researchers-find-malicious-vs-code-go.html