Date: 2025-09-15
Application security, DevSecOps

Illicit extensions target VSCode, Cursor, Windsurf

The threat actor WhiteCobra has uploaded two dozen nefarious extensions to the Visual Studio marketplace and the Open VSX registry in a bid to compromise users of the VSCode, Cursor, and Windsurf code editors, according to BleepingComputer. Executing an extension's primary file, which provides the same message as other VSCode extensions, runs a secondary script that launches a platform-specific payload, a report from Koi Security showed. On Windows systems, infection leads to the injection of the LummaStealer malware, which compromises not only cryptocurrency wallet apps and browser-stored credentials but also other web extensions and messaging app details. On macOS systems, it results in the delivery of an illicit Mach-O binary that loads an unknown malware. Additional findings revealed WhiteCobra's highly organized nature, as well as its ability to launch campaigns in under three hours. Such findings should prompt improved verification processes in code marketplaces, as well as increased vigilance among extension users.

