Malicious VS Code Extensions with Millions of Installs Endanger Developers

A sophisticated cryptomining campaign targeting Visual Studio Code (VS Code) users has been uncovered, involving malicious extensions that mimic legitimate developer tools.

These extensions, released after April 4, 2025, were published under three different author names, most notably “Mark H,” and have collectively amassed over one million installations, according to a report by ExtensionTotal.

The attackers used these fake extensions as an entry point for a multi-stage attack that included disabling Windows security, gaining persistence, and deploying the XMRig cryptominer for mining Monero cryptocurrency.

Malicious Extensions and Artificially Inflated Downloads

The campaign leveraged ten malicious VS Code extensions, including “Prettier Code for VSCode” (955,000 installs), “Discord Rich Presence for VS Code” (189,000 installs), and “Rojo Roblox Studio Sync” (117,000 installs).

The unusually high install counts for these extensions suggest artificial inflation, likely to enhance credibility and reduce suspicion by making them appear widely trusted.

The extensions masqueraded as popular tools while secretly dropping and executing a PowerShell script to initiate the attack.

The malicious extensions downloaded a PowerShell loader from a remote command-and-control (C2) server (https://asdf11[.]xyz).

This script performed multiple malicious actions while also installing the legitimate extension it impersonated, so the user saw the expected functionality and had no reason to suspect anything.

Despite the use of different author aliases, the extensions all shared similar code and communicated with the same C2 infrastructure, indicating a coordinated campaign.

The Multi-Stage Payload and Attack Progression

The attack followed a sophisticated multi-stage payload flow, starting with the PowerShell loader.

Multistage Payload Flow

The loader disabled Windows Defender and other security mechanisms, set up persistence through the creation of scheduled tasks and registry entries, and attempted privilege escalation.

For persistence, it disguised a scheduled task as “OneDriveStartup” to evade detection.

It also excluded malicious directories from Windows Defender scans to ensure uninterrupted execution of its payloads.

For execution, the loader deployed a Trojan executable (Launcher.exe) that established communication with another C2 domain (myaunet[.]su) to download and install the XMRig cryptominer.

According to the report, this miner then silently operated in the background, consuming system resources to mine cryptocurrency for the attackers.

The campaign’s defense evasion techniques included disabling Windows Update services and modifying the registry to block automatic updates.

Furthermore, the PowerShell script embedded its malicious payloads, including DLLs and executables, within its code as base64-encoded strings, which were decoded and executed by the loader.
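As an added defender-side example (not part of the article or the ExtensionTotal report), the following PowerShell audit checks a Windows host for the persistence and evasion artefacts described above: the "OneDriveStartup" scheduled task, Defender path exclusions, a stopped or disabled Windows Update service, and the campaign's known file names in user-writable folders. The NoAutoUpdate policy value is an assumption about which registry setting blocks automatic updates; the article does not name the key.

```powershell
# Added audit script (not from the original article or report). Run in an elevated
# PowerShell session. Matches are leads for investigation, not verdicts.

$findings = @()

# 1. Persistence: scheduled task disguised as "OneDriveStartup"
$task = Get-ScheduledTask -TaskName 'OneDriveStartup' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task 'OneDriveStartup' present, runs: $actions"
}

# 2. Defence evasion: Defender exclusions and disabled real-time protection
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    foreach ($p in @($prefs.ExclusionPath)) {
        if ($p) { $findings += "Defender path exclusion: $p" }
    }
    if ($prefs.DisableRealtimeMonitoring) {
        $findings += 'Defender real-time monitoring is disabled'
    }
}

# 3. Defence evasion: Windows Update service stopped/disabled or blocked by policy
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and ($wu.StartType -eq 'Disabled' -or $wu.Status -ne 'Running')) {
    $findings += "wuauserv start type: $($wu.StartType), status: $($wu.Status)"
}
# Assumption: the NoAutoUpdate policy value; the article does not name the key it used.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    $findings += "Policy NoAutoUpdate=1 set under $auKey"
}

# 4. Execution: file names from the campaign in user-writable locations (name match only)
$names = 'Launcher.exe', 'XMRig.exe'
Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP -Recurse -Include $names `
    -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "File name match: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No artefacts matching the described campaign were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Compare any file-name hit against the hashes listed in the IOC section before acting on it, since a name match alone proves nothing.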

This attack is yet another demonstration of the increasing sophistication and frequency of supply chain attacks within the developer ecosystem.

By targeting widely used platforms such as the VS Code extension marketplace, threat actors can exploit trusted environments to execute their malicious operations with minimal suspicion.

The malicious extensions in this campaign were discovered to have been published on the same day as their associated C2 domain (April 4, 2025).

This coordinated timeline highlights the attackers’ careful planning and execution.

The rapid growth of extension ecosystems like VS Code’s has made them attractive targets for exploitation, emphasizing the need for enhanced vetting mechanisms and security awareness within developer communities.

This cryptomining campaign underscores the critical importance of maintaining vigilance when installing extensions and tools, even from seemingly trusted marketplaces.

Developers are encouraged to carefully review the source and permissions of extensions they install and to leverage tools like ExtensionTotal to detect malicious or risky extensions before installation.

Supply chain attacks such as these highlight the necessity of strengthening security protocols within development environments to protect against evolving threats.

Key Indicators of Compromise (IOCs)

  • C2 Domains: asdf11[.]xyz, myaunet[.]su
  • Malicious File Hashes: Launcher.exe (2d17f…), XMRig.exe (d2fcf…), PowerShell scripts (bb757c…, 0c0536…), DLLs (13db40…, 515e6d…)

The discovery of this campaign serves as a stark reminder of the vulnerabilities inherent in the modern software supply chain, urging both developers and platform providers to adopt stricter security practices to mitigate potential threats.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
