Imagine this: You're a developer, diligently crafting code, when suddenly, your digital world is turned upside down. Your code, your emails, even your private Slack messages – all potentially exposed. This is the harsh reality revealed by recent findings of malicious packages lurking within popular developer tools.
Cybersecurity researchers have uncovered a disturbing trend: malicious extensions and packages are being disguised as legitimate tools, designed to steal sensitive data from unsuspecting developers. These threats are not just limited to one platform; they're spreading across various ecosystems, including Microsoft Visual Studio Code (VS Code), Go, npm, and Rust.
Let's dive into the specifics, starting with VS Code. Researchers discovered two malicious extensions in the VS Code Marketplace. These extensions, deceptively named to appear as a premium dark theme and an AI-powered coding assistant, were, in fact, designed to infect developer machines with stealer malware. Once installed, these extensions would download additional payloads, capture screenshots, and siphon off sensitive data, sending it all to an attacker-controlled server.
The extensions in question were:
- BigBlack.bitcoin-black (16 installs), removed by Microsoft on December 5, 2025
- BigBlack.codo-ai (25 installs), removed by Microsoft on December 8, 2025
Microsoft also removed a third package, BigBlack.mrbigblacktheme, from the same publisher due to malware.
While BigBlack.bitcoin-black activated on every VS Code action, Codo AI cleverly embedded its malicious functionality within a working tool, making it harder to detect. The earlier versions of these extensions could execute a PowerShell script to download a password-protected ZIP archive from an external server and extract the main payload using multiple methods. Later iterations hid the PowerShell window and streamlined the process, using a batch script and a curl command to download an executable and a DLL. This executable, disguised as a legitimate Lightshot binary, used DLL hijacking to load a rogue DLL (Lightshot.dll), which then harvested a wealth of information, including clipboard contents, installed apps, running processes, desktop screenshots, stored Wi-Fi credentials, and detailed system information. It also launched Google Chrome and Microsoft Edge in headless mode to steal stored cookies and hijack user sessions.
But the scope of these attacks extends far beyond VS Code. Socket has identified malicious packages across the Go, npm, and Rust ecosystems, each designed to harvest sensitive data.
- In the Go ecosystem, packages such as github[.]com/bpoorman/uuid and github[.]com/bpoorman/uid have been around since 2021. These packages typosquat the trusted UUID libraries github[.]com/google/uuid and github[.]com/pborman/uuid, and exfiltrate data to a paste site when an application calls a function named "valid."
- A set of 420 unique npm packages, published by a likely French-speaking threat actor, follow a consistent naming pattern including "elf-stats-*"; some of them contain code to execute a reverse shell and exfiltrate files to a Pipedream endpoint.
- A Rust crate named finch-rust, impersonating the legitimate bioinformatics tool "finch," serves as a loader for a malicious payload delivered through a credential-stealing package known as sha-rust, which runs when a developer uses the library's sketch serialization functionality.
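The Go case above is the kind of thing a dependency audit can catch mechanically. As an added example (not code from the article or from Socket), the script below reads a go.mod, flags the two bpoorman module paths reported above, and uses a string-similarity heuristic (the 0.85 threshold is my own assumption) to surface other near-matches of the trusted UUID libraries; the sample go.mod and the `uuidd` path in it are constructed.

```python
"""Flag go.mod requirements that are known-bad or resemble trusted modules."""
import re
from difflib import SequenceMatcher

# Trusted UUID libraries and the typosquats named in the article (undefanged
# so they compare against real go.mod module paths).
TRUSTED = ("github.com/google/uuid", "github.com/pborman/uuid")
KNOWN_MALICIOUS = {"github.com/bpoorman/uuid", "github.com/bpoorman/uid"}

# A requirement is "<module path> v<version>", inside or outside a require
# block; "module ..." and "go 1.22" lines have no v-prefixed version.
REQUIRE_RE = re.compile(r"^\s*(?:require\s+)?([\w./-]+)\s+v\S+", re.MULTILINE)


def parse_requires(go_mod_text):
    """Return the module paths required by a go.mod file, in order."""
    return REQUIRE_RE.findall(go_mod_text)


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def audit_go_mod(go_mod_text, threshold=0.85):
    """Map each suspicious module path to the reason it was flagged."""
    findings = {}
    for path in parse_requires(go_mod_text):
        if path in TRUSTED:
            continue
        if path in KNOWN_MALICIOUS:
            findings[path] = "known malicious (reported by Socket)"
            continue
        for trusted in TRUSTED:  # assumption: near-matches warrant review
            if similarity(path, trusted) >= threshold:
                findings[path] = f"looks like a typosquat of {trusted}"
                break
    return findings


# Constructed go.mod; only the bpoorman path is a real indicator.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require (
\tgithub.com/google/uuid v1.6.0
\tgithub.com/bpoorman/uuid v1.0.0
\tgolang.org/x/crypto v0.21.0 // indirect
)
require github.com/pborman/uuidd v1.2.3
"""

if __name__ == "__main__":
    for path, reason in audit_go_mod(SAMPLE_GO_MOD).items():
        print(f"{path}: {reason}")
```

Run it against a real go.mod by replacing SAMPLE_GO_MOD with the file's contents; anything flagged deserves a manual look at the module's origin before the build proceeds.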
"Finch-rust acts as a malware loader; it contains mostly legitimate code copied from the legitimate finch package but includes a single malicious line that loads and executes the sha-rust payload," said Socket researcher Kush Pandya. "This separation of concerns makes detection harder: finch-rust looks benign in isolation, while sha-rust contains the actual malware."
And this is the part most people miss: The sophistication of these attacks is constantly evolving. Attackers are becoming more adept at disguising their malicious code, making it increasingly difficult for developers to identify and avoid these threats.
What do you think? Are you surprised by the breadth of these attacks? Have you ever encountered a suspicious package or extension? Share your thoughts and experiences in the comments below – let's start a conversation about staying safe in the digital world!