Application security, DevSecOps

Illicit extensions target VSCode, Cursor, Windsurf

Two dozen nefarious extensions have been uploaded by the threat actor WhiteCobra to the Visual Studio marketplace and Open VSX registry in a bid to compromise users of the VSCode, Cursor, and Windsurf code editors, according to BleepingComputer.

Executing the extensions' primary file, which provides the same message as other VSCode extension, results in the running of a secondary script that launches a platform-specific payload, a report from Koi Security showed. While infection of a Windows system leads to the injection of the LummaStealer malware, which compromises not only cryptocurrency wallet apps and browser-stored credentials, but also other web extensions and messaging app details, breaches of macOS systems result in the delivery of the illicit Mach-O binary loading an unknown malware.

Additional findings revealed WhiteCobra's highly organized nature, as well as its ability to launch campaigns in under three hours. Such findings should prompt improved verification processes in code marketplaces, as well as increased vigilance among extension users.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds