A recent and ongoing threat campaign from a group called WhiteCobra has been targeting users of popular code editors like VSCode, Cursor, and Windsurf by planting malicious extensions in the Visual Studio Marketplace and the Open VSX registry. The attacks are particularly concerning because the malicious extensions are made to appear legitimate with professional-looking icons, detailed descriptions, and artificially inflated download counts. This approach has proven successful, with one core Ethereum developer, Zak Cole, publicly sharing that his wallet was drained after he used a seemingly benign extension called contractshark.solidity-lang. The WhiteCobra group is also believed to be responsible for a separate $500,000 crypto theft in July that used a fake extension for the Cursor editor. The fact that these code editors all support the VSIX extension format—and that their platforms lack proper submission reviews—makes them an ideal target for campaigns that aim for a broad reach.
The WhiteCobra attacks begin with a malicious VSIX extension that appears harmless. When a user installs the extension, the main file, extension.js, executes. This file looks almost identical to the default “Hello World” template for a VSCode extension, but it includes a simple call that defers execution to a secondary script, prompt.js. This second script then downloads a platform-specific payload from Cloudflare Pages, with versions available for Windows, macOS on ARM, and macOS on Intel. This multi-platform approach highlights the group’s effort to maximize their potential targets.
On Windows systems, the attack progresses with a PowerShell script that executes a Python script. This Python script, in turn, runs shellcode that delivers the final malicious payload: the LummaStealer malware. LummaStealer is a notorious info-stealing malware designed to target a wide range of sensitive data, including cryptocurrency wallet apps, web browser extensions, stored credentials, and data from messaging apps. Its ability to compromise multiple types of information makes it a potent threat to a user’s digital security.
Similarly, on macOS, the downloaded payload is a malicious Mach-O binary that executes locally, loading an unknown family of malware. The complexity and sophistication of these attacks suggest a well-organized and resourceful threat group. Researchers have even uncovered WhiteCobra’s internal playbook, which details their revenue targets—ranging from $10,000 to $500,000—and includes guides for setting up their command-and-control infrastructure. The playbook also outlines their social engineering and marketing promotion strategies, revealing the group’s systematic and professional approach to cybercrime.
The ongoing nature of this campaign, coupled with the group’s ability to quickly upload new malicious code after previous extensions are removed, poses a significant and persistent risk to the developer community. The fact that WhiteCobra has a clearly defined playbook shows that this group is a serious and organized threat, and their ongoing success underscores the need for greater security measures on extension marketplaces and increased vigilance from users. It’s crucial for developers and other users to exercise caution when installing any extension, even those with high download counts or professional-looking descriptions.
Reference:
