TechRadar
Sead Fadilpašić

VSCode market struck by huge influx of malicious WhiteCobra extensions - so be warned

  • Researchers found 24 malicious extensions in Visual Studio Marketplace and Open VSX Registry deploying Lumma Stealer and other malware
  • The attack targeted cryptocurrency holders and developers, with compromised extensions quickly replaced after removal
  • Open-source extension platforms remain attractive targets due to their popularity and ease of malware distribution

Cybercriminals are once again targeting cryptocurrency holders and developers by smuggling infostealers into open-source code repositories.

Last week, BleepingComputer reported that researchers discovered two dozen malicious extensions in the Visual Studio Marketplace and the Open VSX Registry.

The Visual Studio Marketplace and the Open VSX Registry are both platforms for distributing extensions, with the former being Microsoft-owned and used in Visual Studio and Visual Studio Code, while the latter is a vendor-neutral, open-source alternative designed for VS Code-compatible editors like Eclipse Theia, Gitpod, SAP Business Application Studio, and others.

WhiteCobra targeting software devs

The attack was spotted by cybersecurity researchers at Koi, as well as by one of the victims, Zak Cole, a highly skilled, experienced Ethereum editor.

The researchers determined that there were at least 24 malicious extensions on the platforms, and those that were removed were quickly replaced with new ones. The extensions, when installed on a Windows device, would deploy Lumma Stealer on the compromised computers.

Lumma is a known infostealer that is capable of grabbing passwords and payment information stored in the browser, exfiltrating sensitive files, session cookies, and cryptocurrency wallet information.

On Macs, the payload comes in the form of a Mach-O binary that executes locally and loads an unfamiliar piece of malware.

The researchers are calling the threat actor WhiteCobra.

Open-source software repositories are popular targets for cybercriminals, since they enable malware distribution in a myriad of ways, especially on popular platforms such as Visual Studio Marketplace and the Open VSX Registry. The former, for example, is extremely popular among developers using Visual Studio and VS Code, as it hosts more than 48,000 extensions that are tightly integrated with Microsoft products.

Open VSX Registry, on the other hand, is gaining momentum, especially in open-source and enterprise environments that use VS Code-compatible editors like Eclipse Theia, Gitpod, and SAP Business Application Studio. It hosts nearly 3,000 extensions from more than 1,500 publishers, with more than two million monthly downloads.

Via BleepingComputer
