Original Article Text


'WhiteCobra' floods VSCode market with crypto-stealing extensions

A threat actor named WhiteCobra has been targeting VSCode, Cursor, and Windsurf users by planting 24 malicious extensions in the Visual Studio marketplace and the Open VSX registry. The campaign is ongoing, as the threat actor continuously uploads new malicious extensions to replace the ones that are removed.

In a public post, core Ethereum developer Zak Cole described how his wallet was drained after he used a seemingly legitimate extension (contractshark.solidity-lang) for the Cursor code editor. Cole explained that the extension had all the signs of a benign product: a professionally designed icon, a detailed description, and 54,000 downloads on OpenVSX, Cursor's official registry.

According to researchers at endpoint security provider Koi, WhiteCobra is the same group responsible for the $500,000 crypto theft in July, carried out through a fake extension for the Cursor editor.

WhiteCobra attacks

VS (Visual Studio) Code, Cursor, and Windsurf are code editors that support VSIX extensions, the default package format for extensions published on the VS Code Marketplace and the OpenVSX platform. This cross-compatibility and the lack of proper submission review on these platforms make them ideal for attackers looking to run campaigns with a broad reach.

According to Koi Security, WhiteCobra creates malicious VSIX extensions that appear legitimate thanks to a carefully written description and an inflated download count. Koi Security identified the extensions that are part of the latest WhiteCobra campaign, split by registry: Open-VSX (Cursor/Windsurf) and the VS Code Marketplace.

Wallet draining starts with the extension's main file (extension.js), which is "nearly identical to the default “Hello World” boilerplate that comes with every VSCode extension template," the researchers say. However, a simple call defers execution to a secondary script (prompt.js). A next-stage payload is then downloaded from Cloudflare Pages.

The payload is platform-specific, with versions for Windows, macOS on ARM, and macOS on Intel. On Windows, a PowerShell script runs a Python script, which executes shellcode to launch the LummaStealer malware. LummaStealer is an info-stealer that targets cryptocurrency wallet apps, web extensions, credentials stored in web browsers, and messaging app data. On macOS, the payload is a malicious Mach-O binary that executes locally to load an as-yet-unidentified malware family.

According to WhiteCobra's internal playbook, the cybercriminals set revenue targets between $10,000 and $500,000, provide command-and-control (C2) infrastructure setup guides, and describe social engineering and marketing promotion strategies. This confirms that the group operates in an organized fashion and is not deterred by exposure or takedowns. Koi Security says WhiteCobra is capable of deploying a new campaign in less than three hours.

The researchers warn that better verification mechanisms are needed to distinguish malicious extensions from legitimate ones in these repositories, since ratings, download counts, and reviews can all be manipulated to instill trust. General recommendations when installing coding extensions are to check for impersonation and typosquatting attempts and to use only known projects with a good trust record. It is also wise to be suspicious of new projects that have gathered a large number of downloads and positive reviews in a short amount of time.
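The two things a defender can check locally are the loader chain described above (a boilerplate entry script that hands off to a secondary script, which in turn reaches out for a hosted payload) and the impersonation/typosquatting advice in the recommendations. The Python below is an added example and is not code from the article or from Koi Security. The extension directories it scans, the extension ids, and the placeholder pages.dev URL are constructed fixtures; the indicator list is an assumption drawn from the behaviour the article describes, so a hit is a reason to inspect an extension, not a verdict. The script only reads files and never executes anything it finds.

```python
"""Static triage of an installed VSIX extension directory: follow require()
hand-offs from the entry point, scan every script reached for indicators of
the loader chain described in the article, and flag look-alike extension ids.
Added example; reads files only, executes nothing."""
import json
import re
import tempfile
from difflib import SequenceMatcher
from pathlib import Path

# Assumed indicator set, derived from the behaviour the article describes.
# Legitimate extensions also use child_process and HTTPS, so treat hits as
# triage signals to be reviewed by hand.
INDICATORS = {
    "child_process": re.compile(r"\bchild_process\b|\bexecSync\s*\(|\bspawn\s*\("),
    "powershell": re.compile(r"powershell", re.IGNORECASE),
    "remote_url": re.compile(r"""https?://[^\s'"`]+"""),
    "cloudflare_pages": re.compile(r"""https?://[^\s'"`]*\.pages\.dev""", re.IGNORECASE),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
}
# require('./x') or require('../x'): a local hand-off like extension.js -> prompt.js
LOCAL_REQUIRE = re.compile(r"""require\(\s*['"](\.{1,2}/[^'"]+)['"]\s*\)""")


def _resolve_local(base, ref):
    """Map a relative require() target to a file path, adding .js if omitted."""
    path = base / ref
    return path if path.suffix else path.with_suffix(".js")


def triage_extension(ext_dir):
    """Walk from package.json's "main" through local require() calls and
    report which scripts were reached and which indicators each one hit."""
    ext_dir = Path(ext_dir).resolve()
    pkg = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    entry = (ext_dir / pkg.get("main", "./extension.js")).resolve()
    queue, seen, secondary, indicators = [entry], set(), [], {}
    while queue:
        path = queue.pop(0)
        if path in seen or not path.is_file():
            continue
        seen.add(path)
        text = path.read_text(encoding="utf-8", errors="replace")
        name = str(path.relative_to(ext_dir))
        if path != entry:
            secondary.append(name)  # script the entry point deferred to
        for label, rx in INDICATORS.items():
            if rx.search(text):
                indicators.setdefault(label, []).append(name)
        for ref in LOCAL_REQUIRE.findall(text):
            queue.append(_resolve_local(path.parent, ref).resolve())
    return {
        "entry": str(entry.relative_to(ext_dir)),
        "secondary_scripts": secondary,
        "indicators": indicators,
        "verdict": "suspicious" if indicators else "clean",
    }


def looks_like_impersonation(ext_id, trusted_ids, threshold=0.85):
    """Return the trusted id that ext_id closely resembles without matching
    exactly (the typosquat signal), or None if it is exact or unrelated."""
    ext_id = ext_id.lower()
    best, best_ratio = None, 0.0
    for trusted in trusted_ids:
        if ext_id == trusted.lower():
            return None
        ratio = SequenceMatcher(None, ext_id, trusted.lower()).ratio()
        if ratio > best_ratio:
            best, best_ratio = trusted, ratio
    return best if best_ratio >= threshold else None


# Constructed fixtures. BENIGN_ENTRY is the stock "Hello World" shape; the
# stage-two stub is inert text used only as scanner input, and its URL is a
# placeholder rather than a real host.
BENIGN_ENTRY = """const vscode = require('vscode');
function activate(context) {
  const cmd = vscode.commands.registerCommand('hello.world', () => {
    vscode.window.showInformationMessage('Hello World!');
  });
  context.subscriptions.push(cmd);
}
module.exports = { activate };
"""
STAGE2_STUB = """const cp = require('child_process');
const STAGE2 = 'https://placeholder-stage2.pages.dev/loader';
// a real loader would fetch STAGE2 and hand it to cp.execSync('powershell ...')
"""


def build_fixtures():
    """Write a benign and a hand-off style extension into a temp dir; return both paths."""
    root = Path(tempfile.mkdtemp(prefix="vsix-triage-"))
    specs = (
        ("benign.hello-world-1.0.0", BENIGN_ENTRY, None),
        ("lookalike.hello-world-1.0.0", BENIGN_ENTRY + "require('./prompt.js');\n", STAGE2_STUB),
    )
    for name, entry, extra in specs:
        d = root / name
        d.mkdir()
        (d / "package.json").write_text(json.dumps({"name": name, "main": "./extension.js"}))
        (d / "extension.js").write_text(entry)
        if extra:
            (d / "prompt.js").write_text(extra)
    return root / specs[0][0], root / specs[1][0]


if __name__ == "__main__":
    for d in build_fixtures():
        print(d.name, triage_extension(d))
```

Point `triage_extension` at a real installed extension directory (for VS Code, one of the `<publisher>.<name>-<version>` folders under `~/.vscode/extensions`) to get the same report. The look-alike check needs a list of publisher.name ids you already trust; it deliberately returns nothing for an exact match and only fires on near-misses, which is the pattern the typosquatting advice is about.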

Daily Brief Summary

MALWARE // WhiteCobra Targets VSCode Users with Malicious Crypto-Stealing Extensions

WhiteCobra has infiltrated the Visual Studio marketplace and Open VSX registry with 24 malicious extensions, targeting VSCode, Cursor, and Windsurf users.

The extensions appear legitimate, boasting professional design and inflated download counts, making them difficult to distinguish from genuine products.

WhiteCobra's campaign includes a wallet-draining mechanism that starts by executing a seemingly benign file, which then triggers a secondary script.

The malicious payloads are platform-specific, deploying LummaStealer malware on Windows and an unknown malware family on macOS.

WhiteCobra previously executed a $500,000 crypto-theft using a fake Cursor editor extension, indicating a well-organized and persistent threat.

Koi Security emphasizes the need for improved verification mechanisms on extension platforms to prevent such malicious activities.

Users are advised to scrutinize extensions for impersonation attempts and rely on known, reputable projects to mitigate risks.