VSCode Extensions Infect Windows Systems with Crypto Miners


April 8, 2025 by our News Team

Nine malicious extensions were recently discovered and removed from the Visual Studio Code Marketplace. They posed as legitimate tools but infected systems with cryptocurrency mining tools, highlighting the need for caution and vigilance when installing extensions or third-party software.

  • Microsoft acted swiftly and removed the malicious extensions once they were discovered.
  • The incident serves as a reminder to remain vigilant and exercise caution when installing extensions or any third-party software.
  • It's the collective responsibility of the community to report suspicious extensions and help maintain a safe and secure environment for all programmers.


Recently, nine malicious extensions were discovered and removed from the Visual Studio Code Marketplace. These extensions were posing as legitimate tools but were actually infecting programmers’ systems with cryptocurrency mining tools. Visual Studio Code, or VSCode, is a popular code editor developed by Microsoft. It allows users to enhance its capabilities by installing extensions, similar to how we can add extensions to our web browsers. These extensions can be downloaded from the VSCode Marketplace, which offers a collection of useful extensions that programmers can also share with the community.

However, the open nature of the marketplace means that anyone can submit extensions, leaving room for malicious users to distribute harmful content. Yuval Ronen, a researcher, recently uncovered nine extensions of this nature on the platform. Let’s take a look at the list of these malicious extensions:

1. Discord Rich Presence for VS Code (by `Mark H`)
2. Rojo – Roblox Studio Sync (by `evaera`)
3. Solidity Compiler (by `VSCode Developer`)
4. Claude AI (by `Mark H`)
5. Golang Compiler (by `Mark H`)
6. ChatGPT Agent for VSCode (by `Mark H`)
7. HTML Obfuscator (by `Mark H`)
8. Python Obfuscator for VSCode (by `Mark H`)
9. Rust Compiler for VSCode (by `Mark H`)

These extensions were published on Microsoft’s platform on April 4, 2025. Some of them had already amassed over 189,000 installations, with a combined total of 300,000 installations since April 4th.

While these numbers may seem impressive, it is believed that they were artificially inflated to give the extensions an air of legitimacy. Such high installation numbers within a short period of time also make it challenging to determine the exact number of potentially affected systems.

Once installed, these extensions would proceed to install a miner called XMRig. This miner would exploit the victims’ system resources to mine various cryptocurrencies, with the gains being sent to the attackers’ wallets. But that’s not all. The extensions also contained code snippets designed to perform other malicious actions, such as disabling security systems, finding ways to remain undetected, or elevating privileges.

Fortunately, Microsoft acted swiftly and removed these extensions once they were discovered. However, users who may have installed them should manually remove them from their systems and perform a thorough malware scan to ensure their devices are clean.
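To help with the manual check described above, here is an added example (not from the article or from Microsoft) that scans an extensions folder for installed extensions whose display name matches one of the nine listed. It assumes the default per-user folder `.vscode/extensions` and matches on display name only, because the article gives no extension IDs, so a legitimate extension with the same name will also be flagged for review.

```python
import json
import re
from pathlib import Path

# Display names as listed in the article. It gives no extension IDs, so a
# match is a lead for manual review, not proof that the extension is malicious.
REPORTED_NAMES = [
    "Discord Rich Presence for VS Code", "Rojo – Roblox Studio Sync",
    "Solidity Compiler", "Claude AI", "Golang Compiler",
    "ChatGPT Agent for VSCode", "HTML Obfuscator",
    "Python Obfuscator for VSCode", "Rust Compiler for VSCode",
]

def normalize(name):
    """Lower-case and drop punctuation/spaces so dash variants compare equal."""
    return re.sub(r"[^a-z0-9]+", "", name.lower())

REPORTED = {normalize(n) for n in REPORTED_NAMES}

def read_manifest(ext_dir):
    """Return (publisher.name, display name) from package.json, or None."""
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        name = str(manifest.get("displayName") or manifest.get("name") or "")
    except (OSError, ValueError, AttributeError):
        return None
    # Localised manifests hold "%key%" and keep the text in package.nls.json.
    if name.startswith("%") and name.endswith("%"):
        try:
            nls = json.loads((ext_dir / "package.nls.json").read_text(encoding="utf-8"))
            name = str(nls.get(name.strip("%"), name))
        except (OSError, ValueError, AttributeError):
            pass
    return f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}", name

def find_candidates(extensions_root):
    """List installed extensions whose display name matches a reported one."""
    root, hits = Path(extensions_root), []
    for ext_dir in sorted(root.iterdir()) if root.is_dir() else []:
        info = read_manifest(ext_dir) if ext_dir.is_dir() else None
        if info and normalize(info[1]) in REPORTED:
            hits.append({"id": info[0], "display_name": info[1], "path": str(ext_dir)})
    return hits

if __name__ == "__main__":
    # Assumed default per-user location; portable or remote installs differ.
    for hit in find_candidates(Path.home() / ".vscode" / "extensions"):
        print(f"REVIEW {hit['id']} ({hit['display_name']}) {hit['path']}")
```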

It’s disheartening to see malicious actors exploiting platforms like the VSCode Marketplace, which is meant to foster collaboration and enhance productivity for developers. This incident serves as a reminder for all of us to remain vigilant and exercise caution when installing extensions or any third-party software. Always verify the source and read reviews before adding new tools to your coding arsenal.

In the end, it’s the collective responsibility of the community to report suspicious extensions and help maintain a safe and secure environment for all programmers. Stay safe out there, fellow coders!
