Hidden VSCode Extensions Deploy Crypto Miners: What Developers Must Know

A recent security report reveals that ten malicious Visual Studio Code extensions, disguised as popular tools, install PowerShell loaders that persist, disable defenses, and deploy XMRig miners, highlighting a classic third‑party supply‑chain attack and urging developers to tighten defenses.


Malicious VSCode Extensions Installing Crypto Miners Exposed

Developers using Microsoft Visual Studio Code (VSCode) have been warned to remove or avoid ten newly released extensions that trigger the installation of cryptocurrency miners.

ExtensionTotal researchers say that the extensions, published on the VSCode Marketplace from April 4, show a combined install count of up to one million, a figure the researchers caution may be artificially inflated.

Once installed, each extension downloads and runs a PowerShell loader that establishes persistence, disables security services, and contacts a remote command‑and‑control (C2) server to deploy the XMRig crypto miner.

The attack follows a run of campaigns that planted malicious packages in developer‑facing repositories such as GitHub and npm, targeting application and web developers.

DigitalDefence CEO Robert Beggs describes the incident as a “classic” third‑party supply‑chain attack that plants backdoors in applications.

He emphasizes that developers often disable security controls and ignore warnings, focusing solely on getting their code to run, which is why security leaders should ensure developers work on networks isolated from production.

Microsoft confirmed that the malicious extensions have been removed and the publisher blocked from the VS Marketplace, stating users need not take further action, though those who have already installed them should uninstall them.

ExtensionTotal notes that a key tell is that none of the publishers behind the malicious extensions had completed domain ownership verification; the Marketplace’s weak publisher verification process still let them publish under well‑known names.

The ten malicious extensions and their publishers are:

Prettier – VSCode Code (by Prettier)

Discord Rich Presence for VS Code (by Mark H)

Rojo – Roblox Studio Sync (by evaera)

Solidity Compiler (by VSCode developers)

Claude AI (by Mark H)

Golong Compiler (by Mark H)

ChatGPT Agent for VSCode (by Mark H)

HTML Obfuscator (by Mark H)

Python Obfuscator for VSCode (by Mark H)

Rust Compiler for VSCode (by Mark H)

Although published under different author names, the extensions share identical code and communicate with the same C2 servers to download and execute the same payload.

The extensions pass as legitimate because, after the malicious loader has been downloaded, each one installs the genuine extension it impersonates, so the user ends up with the tool they expected and sees nothing amiss.

The PowerShell script first tries to run the malicious payload with administrator privileges. If it lacks them, it creates a System32‑like directory and copies ComputerDefaults.exe, a Windows binary that auto‑elevates without a UAC prompt, into it.

The script then writes a malicious DLL named MLANG.dll beside that copy and launches ComputerDefaults.exe so that the planted DLL is loaded, a DLL side‑loading technique. The script also carries base64‑encoded DLL and Trojan executables, which it decodes and writes out as Launcher.exe in a directory it has excluded from Windows Defender scanning. Launcher.exe then contacts a second C2 server, myaunet[.]su, to download and run XMRig for mining Monero.
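The artifact chain above suggests what to hunt for on a workstation that had one of these extensions installed. The following Python script is an added example, not code from the article, from ExtensionTotal or from the malware: it walks a directory tree looking for a System32‑like directory that is not the real one, a copy of ComputerDefaults.exe outside the real System32 (rated higher when an MLANG.dll sits beside it), and a Launcher.exe, rated higher when it lives under a Windows Defender exclusion path. The exclusion paths are passed in (on a real host you would feed it the ExclusionPath property from Get-MpPreference); the directory layout in the demo, the function names, the severities and the DNS log lines are this example's own constructions.

```python
"""Host-side hunt for the ComputerDefaults.exe / MLANG.dll / Launcher.exe chain.

Added example, not code from the article, ExtensionTotal or the malware.
Indicator names come from the article; layout, severities and helper names
are this example's own choices.
"""
import os
import tempfile
from pathlib import Path

# Indicators taken from the article.
SIDELOAD_HOST = "computerdefaults.exe"
SIDELOAD_DLL = "mlang.dll"
DROPPED_LAUNCHER = "launcher.exe"
C2_DOMAIN = "myaunet.su"  # second-stage C2, written myaunet[.]su in the report


def _under(path: Path, roots) -> bool:
    """True if path equals or lies beneath any of roots (symlinks resolved)."""
    p = path.resolve()
    return any(p == r.resolve() or r.resolve() in p.parents for r in roots)


def hunt(root: Path, real_system32: Path, defender_exclusions=()) -> list[dict]:
    """Walk root and return one finding dict per suspicious artifact."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        names = {f.casefold(): f for f in files}
        is_real = d.resolve() == real_system32.resolve()
        # A directory named like System32 that is not the genuine one.
        if d.name.casefold().strip() == "system32" and not is_real:
            findings.append({"type": "mock_system32_dir", "path": str(d),
                             "severity": "high"})
        # The auto-elevating binary copied somewhere it does not belong.
        if SIDELOAD_HOST in names and not is_real:
            dll = SIDELOAD_DLL in names
            findings.append({"type": "sideload_host_outside_system32",
                             "path": str(d / names[SIDELOAD_HOST]),
                             "dll_present": dll,
                             "severity": "high" if dll else "medium"})
        # The decoded second stage, worse when Defender was told to skip it.
        if DROPPED_LAUNCHER in names:
            excluded = _under(d, defender_exclusions)
            findings.append({"type": "launcher_dropped",
                             "path": str(d / names[DROPPED_LAUNCHER]),
                             "in_defender_exclusion": excluded,
                             "severity": "high" if excluded else "medium"})
    return findings


def c2_hits(dns_log_lines) -> list[str]:
    """Return the log lines that mention the second-stage C2 domain."""
    return [ln for ln in dns_log_lines if C2_DOMAIN in ln.casefold()]


def run_demo() -> list[dict]:
    """Build a constructed sample tree (not a real host) and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        real = root / "Windows" / "System32"
        real.mkdir(parents=True)
        (real / "ComputerDefaults.exe").write_bytes(b"MZ legitimate")
        # Mock System32 in a user-writable location, with the planted DLL.
        mock = root / "Users" / "dev" / "AppData" / "Local" / "Temp" / "System32"
        mock.mkdir(parents=True)
        (mock / "ComputerDefaults.exe").write_bytes(b"MZ copied")
        (mock / "MLANG.dll").write_bytes(b"MZ planted")
        # Dropped launcher in a directory the loader excluded from Defender.
        excl = root / "Users" / "dev" / "AppData" / "Local" / "Updater"
        excl.mkdir(parents=True)
        (excl / "Launcher.exe").write_bytes(b"MZ dropped")
        return hunt(root, real, defender_exclusions=[excl])


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
    # Constructed DNS log lines, not real telemetry.
    print(c2_hits(["10:01 q A updates.example.net", "10:02 q A myaunet.su"]))
```

Run it against C:\ with the real C:\Windows\System32 as the reference; findings are plain dictionaries so they drop into a SIEM or ticket as‑is. A hit on the C2 domain in DNS or proxy logs is the strongest network‑side indicator the article gives.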

ExtensionTotal’s CTO Idan Dardikman notes that the VS Marketplace’s limited security controls and broad reach make it an attractive target for threat actors. He recommends that developers install only from reputable publishers, keep the number of installed extensions small, and scan extensions before installing them.
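One way to act on the "scan before installing" advice, as an added example that is not ExtensionTotal's scanner or any code from the article: a .vsix is a zip archive, so the script below opens it, reads extension/package.json and every bundled script, and flags the behaviours the article attributes to the malicious extensions (spawning PowerShell, encoded commands, download‑and‑execute cmdlets, Defender exclusion cmdlets, large base64 blobs), plus activation on every editor start and a display name that appears on the article's list. The rule weights, the threshold and the two sample packages are constructed for this example; the display names come from the article, and marketplace publisher IDs are not matched because the article does not give them.

```python
"""Pre-install static scan of a .vsix package.

Added example, not ExtensionTotal's tool or anything from the article.
Rule weights, threshold and the sample packages are constructed here.
"""
import base64
import io
import json
import re
import zipfile

# Display names of the ten extensions as listed in the article (dashes
# normalised). Publisher IDs are not given there, so only names are matched.
REPORTED_NAMES = {
    "prettier - vscode code", "discord rich presence for vs code",
    "rojo - roblox studio sync", "solidity compiler", "claude ai",
    "golong compiler", "chatgpt agent for vscode", "html obfuscator",
    "python obfuscator for vscode", "rust compiler for vscode",
}

# rule id -> (regex, weight). Weights are this example's own choice.
RULES = {
    "powershell": (re.compile(r"powershell(\.exe)?\b", re.I), 3),
    "encoded_command": (re.compile(r"-enc(odedcommand)?\b", re.I), 3),
    "child_process": (re.compile(
        r"""require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]""",
        re.I), 2),
    "download_exec": (re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\biex\b",
        re.I), 3),
    "defender_exclusion": (re.compile(r"(Add|Set)-MpPreference", re.I), 4),
    "large_base64": (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
}
BLOCK_THRESHOLD = 5


def _norm(name: str) -> str:
    return name.replace("\u2013", "-").replace("\u2014", "-").casefold().strip()


def scan_vsix(data: bytes) -> dict:
    """Return package identity, the rule ids that fired, a score and a verdict."""
    hits, score = set(), 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = json.loads(zf.read("extension/package.json"))
        for member in zf.namelist():
            if member.endswith((".js", ".cjs", ".mjs", ".ps1")):
                text = zf.read(member).decode("utf-8", errors="replace")
                for rule_id, (rx, weight) in RULES.items():
                    if rule_id not in hits and rx.search(text):
                        hits.add(rule_id)
                        score += weight
    # "*" means the extension activates on every editor start.
    if "*" in manifest.get("activationEvents", []):
        hits.add("activates_on_startup")
        score += 1
    if _norm(manifest.get("displayName", "")) in REPORTED_NAMES:
        hits.add("name_on_reported_list")
        score += 5
    verdict = "block" if score >= BLOCK_THRESHOLD else "review" if hits else "allow"
    return {"name": manifest.get("name"), "publisher": manifest.get("publisher"),
            "hits": sorted(hits), "score": score, "verdict": verdict}


def build_sample_vsix(manifest: dict, files: dict) -> bytes:
    """Build an in-memory .vsix (constructed test input, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension/package.json", json.dumps(manifest))
        for path, body in files.items():
            zf.writestr("extension/" + path, body)
    return buf.getvalue()


def run_demo() -> tuple[dict, dict]:
    """Scan one constructed lookalike and one constructed benign package."""
    blob = base64.b64encode(b"placeholder payload bytes " * 12).decode()
    lookalike = build_sample_vsix(
        {"name": "prettier-vscode-code", "publisher": "example-publisher",
         "displayName": "Prettier \u2013 VSCode Code", "activationEvents": ["*"],
         "main": "./out/extension.js"},
        {"out/extension.js":
            'const { exec } = require("child_process");\n'
            'exports.activate = () => exec("powershell -w hidden -NoProfile '
            '-EncodedCommand " + "' + blob + '");\n'},
    )
    benign = build_sample_vsix(
        {"name": "hello-lint", "publisher": "example-publisher",
         "displayName": "Hello Lint", "activationEvents": ["onLanguage:python"]},
        {"out/extension.js": 'exports.activate = (ctx) => console.log("hello");\n'},
    )
    return scan_vsix(lookalike), scan_vsix(benign)


if __name__ == "__main__":
    for report in run_demo():
        print(json.dumps(report, indent=2))
```

Download the .vsix from the Marketplace page rather than installing through the editor, run the scan, and only then install from the file. A "review" verdict on a legitimate extension is expected for tools that genuinely shell out, so read the flagged lines rather than trusting the score alone.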

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Supply Chain, Security, VSCode, crypto mining, malicious extensions
Written by

21CTO

21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
