
VSCode Marketplace Extensions Found Stealing Source Code and Login Credentials

Security researchers have uncovered at least 12 malicious extensions in the Visual Studio Code marketplace that steal developers’ source code and sensitive credentials and establish persistent backdoors on infected systems.

Four of these malicious plugins remain active and available for download, posing an ongoing threat to the developer community worldwide.

The compromised extensions include Christine-devops1234.scraper, Kodease.fyp-23-s2-08, GuyNachshon.cxcx123, and sahil92552.CBE-456, none of which has yet been removed from the marketplace.

These malicious components target critical developer assets, including machine IDs, project source code, search queries, chat prompts, clipboard contents, and even screenshots captured during development work.

Sophisticated Data Exfiltration Techniques

The Christine-devops1234.scraper extension demonstrates particularly aggressive behavior, transmitting comprehensive user data to an attacker-controlled server at IP address 35.164.75.62:8080.

This includes complete source code file contents, search queries within the IDE, and AI chat interactions that may contain proprietary business logic or confidential project details.

The Kodease.fyp-23-s2-08 plugin employs a more sophisticated approach by routing stolen code through Ngrok tunneling services to the attacker’s infrastructure.

Analysis of the injected code reveals that the extension intercepts selected code snippets, normalizes them by removing whitespace, and transmits them via HTTPS POST requests disguised as machine learning comment generation features.

Meanwhile, sahil92552.CBE-456 masquerades as a code analysis tool while secretly exfiltrating source code to compromised servers during routine development activities.

Several extensions establish persistent backdoors that enable remote code execution. The teste123444212.teste123444212 plugin creates a continuous connection to an AWS EC2 instance, piping shell input and output directly to attacker-controlled infrastructure.

Similarly, ToToRoManComp.diff-tool-vsc deploys a Base64-encoded Perl reverse shell that connects to IP 89.104.69.35 on port 445, granting attackers complete control over victim machines.

The Deriv-AI.deriv-ai extension takes malicious activity further by downloading and executing the “nightpaw” trojan from attacker servers, enabling comprehensive system reconnaissance and persistent remote access.

Additional plugins like BX-Dev.Blackstone-DLP capture screenshots and monitor clipboard activity, exfiltrating this data to attacker-controlled CloudFront distribution networks.

According to research published on arXiv, approximately 5.6 percent of the 52,880 analyzed VSCode extensions exhibit suspicious behavior, with these compromised plugins collectively totaling over 613 million installations.

The VKTeam.ru extension specifically targets corporate environments by checking for VK.com domain membership before stealing Windows domain credentials, usernames, hostnames, and system architecture information.

Enterprise security teams must immediately audit installed VSCode extensions and remove any that match the identified malicious components to prevent ongoing data theft and system compromise.
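One way to run that audit on a workstation, as an added example rather than code from the researchers or the article: the script below checks each installed extension's manifest against the extension IDs named above and searches its JavaScript for the two attacker IP addresses quoted above. The function names and the sample directory built by `build_sample` are constructed for illustration, and the list covers only the extensions this article names.

```python
import json
import re
import tempfile
from pathlib import Path

# Extension IDs named in the article (publisher.name), compared case-insensitively.
FLAGGED_IDS = {i.lower() for i in (
    "Christine-devops1234.scraper", "Kodease.fyp-23-s2-08", "GuyNachshon.cxcx123",
    "sahil92552.CBE-456", "teste123444212.teste123444212", "ToToRoManComp.diff-tool-vsc",
    "Deriv-AI.deriv-ai", "BX-Dev.Blackstone-DLP", "VKTeam.ru")}
FLAGGED_IPS = ("35.164.75.62", "89.104.69.35")  # attacker addresses named in the article

def extension_id(ext_dir: Path) -> str:
    """Read publisher.name from package.json; else strip -<version> from the folder name."""
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{manifest['publisher']}.{manifest['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        return re.sub(r"-\d+\.\d+\.\d+.*$", "", ext_dir.name).lower()

def audit(extensions_root: Path) -> list[tuple[str, str]]:
    """Return (folder, reason) pairs for extensions matching a flagged ID or IP."""
    findings = []
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        ext_id = extension_id(ext_dir)
        if ext_id in FLAGGED_IDS:
            findings.append((ext_dir.name, f"flagged id {ext_id}"))
        for src in sorted(f for f in ext_dir.rglob("*.js") if f.is_file()):
            text = src.read_text(encoding="utf-8", errors="ignore")
            findings += [(ext_dir.name, f"{ip} in {src.name}") for ip in FLAGGED_IPS if ip in text]
    return findings

def build_sample(root: Path) -> Path:
    """Constructed sample layout for the demo; not real extension contents."""
    def add(folder, manifest=None, js=""):
        (root / folder).mkdir(parents=True)
        if manifest:
            (root / folder / "package.json").write_text(json.dumps(manifest))
        (root / folder / "extension.js").write_text(js)
    add("kodease.fyp-23-s2-08-0.0.1", {"publisher": "Kodease", "name": "fyp-23-s2-08"})
    add("sahil92552.cbe-456-1.0.0")  # manifest missing: folder-name fallback
    add("example.renamed-2.1.0", {"publisher": "example", "name": "renamed"},
        'const host = "35.164.75.62"; // constructed line')
    add("example.clean-1.2.3", {"publisher": "example", "name": "clean"}, "// nothing here")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit(build_sample(Path(tmp))), sep="\n")
```

On a real machine, call `audit(Path.home() / ".vscode" / "extensions")`, the default per-user install directory for desktop VS Code; other builds and remote hosts keep extensions elsewhere. A plain string search will not see an address hidden inside an encoded payload such as the Base64-encoded reverse shell described above, so the ID match is the primary signal.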


The post VSCode Marketplace Extensions Found Stealing Source Code and Login Credentials appeared first on Cyber Security News.

rssfeeds-admin
