
A threat actor tracked as WhiteCobra has targeted VSCode, Cursor and Windsurf users by planting 24 malicious extensions in the Visual Studio Marketplace and the Open VSX registry.
The campaign is ongoing: the threat actor keeps uploading new malicious extensions to replace the ones that get removed.
In a public post, Ethereum core developer Zak Cole explained how his wallet was drained after using a seemingly legitimate extension (Contract.) for the Cursor code editor.
Cole noted that the extension showed every sign of a benign product: a professionally designed icon, a detailed description and 54,000 downloads on Cursor's official registry.
According to researchers at endpoint security firm Koi Security, WhiteCobra is the same group behind a $500,000 crypto theft in July, carried out through a fake extension for the Cursor editor.
WhiteCobra attack
VS (Visual Studio) Code, Cursor and Windsurf are code editors that support VSIX extensions; VSIX is the default package format for extensions published on the Visual Studio Marketplace and Open VSX.
This makes VSIX ideal for attackers: one package works across all three editors, submissions on these platforms are not properly reviewed, and an extension gets broad access to the developer's machine.
According to Koi Security, WhiteCobra builds malicious VSIX extensions that look legitimate thanks to polished listing details and inflated download counts.
Koi Security found that the following extensions are part of the latest WhiteCobra campaign:
Open-VSX (Cursor/Windsurf)
- Cendevatoles
- K.C.Cod-e. Callo-Code
- Namik- FDN.Hardhat-Solity
- OxC-Vscode.Oxc
- Juan-Blanc. Solidity
- kineticsquid.solidity-layereum-vsc
- Ethfoundry.solidityethereum
- Juanfblancs.Solidity-e-Etherium
- Atherium.
- Juan-Blanc. Solidity
- Nomicfdn.hardhat-solity
- Juan-Blanc. Vskode-Society
- Nominee-founder.
- Namik-FDN. Solidity-Hardhat
- Crypto-Extension.Solidity
- Crypto -adpentions.snowshono
VS Code Marketplace
- Juanfblanco.awswhh
- Ethfoundry.etherfoundrys
- Ellisonbrett.Givingblankies
- Marcuslockwood.wgbk
- Vitalikbuterin-ethfoundation.blan-co
- Showsnoowsnowcrypto.snowshono
- Crypto -adpentions.snowshono
- Rojo.rojo-Roblox-Vscode

Source: Koi Security
The attack starts with execution of the extension's main file (extension.js), which is almost identical to the default "Hello World" boilerplate that ships with every VSCode extension template, the researchers say.
However, a single extra call hands execution to a secondary script (prompt.js). That script downloads the next stage from Cloudflare Pages. The payload is platform-specific, with versions for Windows, macOS on ARM and macOS on Intel.
On Windows, a PowerShell script runs a Python script that executes shellcode to launch the LummaStealer malware.
LummaStealer is information-stealing malware that targets cryptocurrency wallet apps, browser extensions, credentials stored in web browsers and messaging app data.
On macOS, the payload is a malicious Mach-O binary that runs a malware family that has not yet been identified.
According to WhiteCobra's internal playbook, the cybercriminals set revenue goals between $10,000 and $500,000, provide a command-and-control (C2) infrastructure setup guide, and describe social engineering and marketing amplification strategies.

Source: Koi Security
This confirms that the threat group operates in an organized fashion and is not deterred by exposure or takedowns. Koi Security says WhiteCobra can deploy a new campaign in under three hours.
Researchers warn that a better verification system is needed to tell malicious extensions apart from legitimate ones in these repositories, since ratings, download counts and reviews can all be manipulated to build trust.
The general recommendations are to watch for copycat and typosquatting attempts when downloading coding extensions, and to stick to well-known projects with a good track record. It is wise to be suspicious of new projects that have accumulated a large number of downloads and positive reviews in a short time.
