A threat actor named WhiteCobra has targeting VSCode, Cursor, and Windsurf users by planting 24 malicious extensions in the Visual Studio marketplace and the Open VSX registry.
The campaign is ongoing as the threat actor continuously uploads new malicious code to replace the extensions that are removed.
In a public post, core Ethereum developer Zak Cole described how his wallet was drained after using a seemingly legitimate extension (contractshark.solidity-lang) for Cursor code editor.
Cole explained that the extension featured all the signs of a benign product with professionally designed icon, a detailed description, and 54,000 downloads on OpenVSX, Cursor’s official registry.
WhiteCobra is the same group responsible for the $500,000 crypto-theft in July, through a fake extension for the Cursor editor, according to researchers at endpoint security provider Koi.
WhiteCobra attacks
VS (Visual Studio) Code, Cursor, and Windsurf are code editors supporting the VSIX extension – the default package format for extensions published on the VS Code Marketplace and the OpenVSX platform.
This cross-compatibility and the lack of proper submission review on these platforms make them ideal for attackers looking to run campaigns with a broad reach.
According to Koi Security, WhiteCobra creates malicious VSIX extensions that appear legitimate due to an overall carefully created description and inflated download count.
Koi Security discovered that the following extensions are part of the latest WhiteCobra campaign:
Open-VSX (Cursor/Windsurf)
ChainDevTools.solidity-pro
kilocode-ai.kilo-code
nomic-fdn.hardhat-solidity
oxc-vscode.oxc
juan-blanco.solidity
kineticsquid.solidity-ethereum-vsc
ETHFoundry.solidityethereum
JuanFBlanco.solidity-ai-ethereum
Ethereum.solidity-ethereum
juan-blanco.solidity
NomicFdn.hardhat-solidity
juan-blanco.vscode-solidity
nomic-foundation.hardhat-solidity
nomic-fdn.solidity-hardhat
Crypto-Extensions.solidity
Crypto-Extensions.SnowShsoNo
VS Code Marketplace
JuanFBlanco.awswhh
ETHFoundry.etherfoundrys
EllisonBrett.givingblankies
MarcusLockwood.wgbk
VitalikButerin-EthFoundation.blan-co
ShowSnowcrypto.SnowShoNo
Crypto-Extensions.SnowShsoNo
Rojo.rojo-roblox-vscode
Source: Koi Security
Wallet draining starts with executing the main file (extension.js) that is “nearly identical to the default “Hello World” boilerplate that comes with every VSCode extension template,” the researchers say.
However, there is a simple call that defers execution to a secondary script (prompt.js). A next-stage payload is downloaded from Claudflare Pages. The payload is platform-specific, with available versions for Windows, macOS on ARM, and macOS on Intel.
On Windows, a PowerShell script executes a Python script that executes shellcode to run the LummaStealer malware.
LummaStealer is an info-stealing malware that targets cryptocurrency wallet apps, web extensions, credentials stored in the web browsers, and messaging app data.
On macOS, the payload is a malicious Mach-O binary that executes locally to load an unknown malware family.
According to WhiteCobra’s internal playbook, the cybercriminals define revenue targets between $10,000 and $500,000, provide a command-and-control (C2) infrastructure setup guides, and describe social engineering and marketing promotion strategies.
Source: Koi Security
This confirms that the threat group operates in an organized fashion and is not deterred by exposure or takedowns. Koi Security says that WhiteCobra is capable of deploying a new campaign in less than three hours.
The researchers warn that better verification mechanisms are necessary to distinguish between malicious extensions and legitimate ones available in repositories, as ratings, download counts, and reviews can be manipulated to instill trust.
General recommendations when downloading coding extensions is to check for impersonation and typosquatting attempts, try to use only known projects with a good trust record. Typically, it is better to be suspicious of new projects that gathered a large number of downloads and positive reviews in a short amount of time.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
