April 7, 2025 By Bill Toulas
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
Microsoft VSCode is a popular code editor that allows users to install extensions to extend the program's functionality. These extensions can be downloaded from Microsoft's VSCode Marketplace, an online hub for developers to find and install add-ons.
ExtensionTotal researcher Yuval Ronen has uncovered nine VSCode extensions published on Microsoft's portal on April 4, 2025.
The package names are:
- Discord Rich Presence for VS Code (by `Mark H`) - 189K Installs
- Rojo – Roblox Studio Sync (by `evaera`) - 117K Installs
- Solidity Compiler (by `VSCode Developer`) - 1.3K Installs
- Claude AI (by `Mark H`)
- Golang Compiler (by `Mark H`)
- ChatGPT Agent for VSCode (by `Mark H`)
- HTML Obfuscator (by `Mark H`)
- Python Obfuscator for VSCode (by `Mark H`)
- Rust Compiler for VSCode (by `Mark H`)
The marketplace shows that the extensions have already amassed over 300,000 installs since April 4. These numbers are likely artificially inflated to give the extensions a sense of legitimacy and popularity to entice others to install them.
ExtensionTotal says it reported the malicious extensions to Microsoft, but they are still available at the time of writing.
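A local check for the names listed above, as an added example that is not from ExtensionTotal or the original article: it reads each installed extension's `package.json` and reports those whose `displayName` matches one of the nine names. Assumptions: the default `~/.vscode/extensions` directory, and that the manifest `displayName` equals the Marketplace listing name. The article gives no extension IDs, and because these extensions pose as legitimate tools, a match is a prompt to review the publisher and contents, not a verdict.

```python
import json
import re
from pathlib import Path

# Display names exactly as listed in the article (no extension IDs are given there).
LISTED_NAMES = [
    "Discord Rich Presence for VS Code",
    "Rojo – Roblox Studio Sync",
    "Solidity Compiler",
    "Claude AI",
    "Golang Compiler",
    "ChatGPT Agent for VSCode",
    "HTML Obfuscator",
    "Python Obfuscator for VSCode",
    "Rust Compiler for VSCode",
]

def normalise(name):
    """Casefold, unify dash variants and collapse whitespace for comparison."""
    name = re.sub(r"[\u2010-\u2015-]", "-", name)
    return re.sub(r"\s+", " ", name).strip().casefold()

LISTED = {normalise(n) for n in LISTED_NAMES}

def find_listed_extensions(ext_dir):
    """Return manifest details of installed extensions whose displayName is listed."""
    hits = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        if not isinstance(meta, dict):
            continue
        display = meta.get("displayName") or ""
        if isinstance(display, str) and normalise(display) in LISTED:
            hits.append({
                "id": f"{meta.get('publisher')}.{meta.get('name')}",
                "displayName": display,
                "version": meta.get("version"),
                "path": str(manifest.parent),
            })
    return hits

if __name__ == "__main__":
    # Assumed default location; VS Code forks and portable installs use other paths.
    for hit in find_listed_extensions(Path.home() / ".vscode" / "extensions"):
        print(f"REVIEW {hit['id']} {hit['version']} ({hit['displayName']}) at {hit['path']}")
```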