Multistage Payload Flow | Image: ExtensionTotal
Visual Studio Code, Microsoft’s open-source and freely available code editor, offers a marketplace for a vast array of extensions—most of which are developed by third parties. As a result, the platform is not immune to the presence of malicious plugins.
Recently, security researcher Yuval Ronen from ExtensionTotal uncovered ten newly identified malicious extensions masquerading as legitimate developer tools and AI utilities. Upon installation, these extensions secretly download and run XMRig, an open-source Monero cryptocurrency miner that exploits users’ CPU resources for unauthorized mining operations.
The names of the affected extensions are:
- Prettier — Code for VSCode (by prettier) – 955K Installs
- Discord Rich Presence for VS Code (by Mark H) – 189K Installs
- Rojo — Roblox Studio Sync (by evaera) – 117K Installs
- Solidity Compiler (by VSCode Developer) – 1.3K Installs
- Claude AI (by Mark H)
- Golang Compiler (by Mark H)
- ChatGPT Agent for VSCode (by Mark H)
- HTML Obfuscator (by Mark H)
- Python Obfuscator for VSCode (by Mark H)
- Rust Compiler for VSCode (by Mark H)
These findings have been reported to Microsoft. However, possibly due to caution stemming from past instances of false positives, the extensions remain available for download. Should Microsoft confirm the malicious nature of the extensions, they are expected to delist them, ban the associated developer accounts, and remotely disable the extensions already installed by users.
Technical analysis reveals that once activated, the extensions connect to https://asdf11[.]xyz/—a conspicuously suspicious domain—to download and execute a PowerShell script. Interestingly, the extensions retain some functional features, allowing them to masquerade as legitimate tools, thereby delaying user suspicion.
The script creates a scheduled task named OnedriveStartup—disguising itself as a legitimate OneDrive startup process—and modifies the system registry to ensure a component named Launcher.exe runs automatically upon system boot.
Subsequently, the malware disables critical services like Windows Update, and adds its directory to Microsoft Defender’s exclusion list, preventing future detections even if the antivirus definitions are updated.
Finally, the script fetches the XMRig mining payload from myaunet[.]su. Users may notice signs such as unusually high CPU usage or loud fan noise. If these symptoms appear, it’s essential to check for the presence of the aforementioned extensions in VS Code. However, simply removing the extensions may not suffice—users are advised to run a full system scan using a third-party antivirus solution, as Microsoft Defender might overlook the threat due to the modified exclusion list.
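The following read-only triage script is an added example, not part of the ExtensionTotal report; it checks a Windows host for the artifacts described above (the reported extension names, the OnedriveStartup task, a Run-key entry for Launcher.exe, Defender path exclusions and the Windows Update service state). It assumes VS Code's default extensions directory under the user profile and matches extensions by the displayName field in each extension's package.json.

```powershell
# Added triage check (not from the ExtensionTotal report). Read-only: it reports
# findings with Write-Warning and changes nothing on the system.
$suspiciousNames = @(
    'Prettier — Code for VSCode', 'Discord Rich Presence for VS Code',
    'Rojo — Roblox Studio Sync', 'Solidity Compiler', 'Claude AI',
    'Golang Compiler', 'ChatGPT Agent for VSCode', 'HTML Obfuscator',
    'Python Obfuscator for VSCode', 'Rust Compiler for VSCode'
)

# 1. Installed extensions whose displayName matches a reported name.
#    Assumes the default per-user extensions directory.
$extDir = Join-Path $env:USERPROFILE '.vscode\extensions'
Get-ChildItem -Path $extDir -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $manifest = Join-Path $_.FullName 'package.json'
    if (Test-Path $manifest) {
        $pkg = Get-Content $manifest -Raw | ConvertFrom-Json
        if ($suspiciousNames -contains $pkg.displayName) {
            Write-Warning "Reported extension present: $($pkg.displayName) ($($_.Name))"
        }
    }
}

# 2. Scheduled task using the OneDrive look-alike name from the report.
Get-ScheduledTask -TaskName 'OnedriveStartup' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Scheduled task found: $($_.TaskPath)$($_.TaskName)" }

# 3. Run keys (user and machine) whose command references Launcher.exe.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'Launcher\.exe' } |
            ForEach-Object { Write-Warning "Run entry '$($_.Name)' in $key -> $($_.Value)" }
    }
}

# 4. Defender path exclusions (the list may be hidden from non-admin sessions)
#    and the Windows Update service start type.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref -and $pref.ExclusionPath) {
    Write-Warning ("Defender path exclusions: " + ($pref.ExclusionPath -join '; '))
}
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -eq 'Disabled') {
    Write-Warning 'Windows Update service (wuauserv) is disabled'
}
```

Any hit on steps 2 to 4 is worth investigating even if no listed extension is found, since the persistence outlives removal of the extension itself.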