A threat group is dropping two dozen malicious extensions into the VSCode and Open VSX marketplaces, targeting developers using the VSCode, Cursor, and Windsurf source code editing tools with the goal of draining cryptocurrency wallets.

Researchers with security firm Koi Security have been tracking WhiteCobra’s activities for more than a year as the bad actors have continued to push new malicious extensions – on a weekly basis – as others are being detected and taken down.

Koi security researcher Yuval Ronen wrote in a report over the weekend that WhiteCobra was behind the theft in June of $500,000 in crypto from a Russian blockchain developer in an incident reported by threat researchers with cybersecurity vendor Kaspersky. In August, Zak Cole, an Ethereum developer, reported in a post on X (formerly Twitter) that his crypto wallet was drained.

“I’ve been in crypto for over 10 years and I’ve never been hacked. Perfect OpSec record,” Cole wrote. “Yesterday, my wallet was drained by a malicious @cursor_ai extension for the first time. If it can happen to me, it can happen to you.”

Koi’s Ronen noted that Cole “is not just any victim, he’s a security professional with a decade of security experience, hinting on the level of sophistication these attacks have achieved.” He wrote that Koi had reported about a new wave of malicious extensions that have since been taken down, but that “WhiteCobra continues to upload new malicious extensions on a weekly basis, including just this week. Making [Cole] far less likely from being the last victim.”

‘Shocking Revenue Projections’

The bad actors can spin up a new campaign in fewer than three hours, including packaging the malicious extension, promoting it, and profiting from it.

Koi researchers got hold of WhiteCobra’s playbook and a detailed deployment plan, which together describe the group’s operation, infrastructure, promotional strategies, and what Ronen called its “shocking revenue projections.”

The threat group’s campaign illustrates an expanding gap between the sophistication of attackers and the defenses put up by developers. According to the deployment plan, the attackers expect they can make $10,000 an hour targeting “high value” crypto wallets, and as much as $500,000 an hour with widespread infections hitting “whale wallets.”

“Threat actors like WhiteCobra are operating with industrialized precision, while everyday [developers] have almost no reliable way to tell safe tools from malicious ones,” Ronen wrote. “Marketplace ratings, download counts, and even official reviews can all be manipulated, leaving even seasoned professionals vulnerable. Without better mechanisms for trust and verification, the advantage remains firmly on the side of the attackers.”

It Starts with Malicious VSIX Extensions

A campaign starts with the creation of malicious VSIX extensions, a package format that VSCode, Cursor, and Windsurf all support, which are then published on the targeted marketplaces. The bad actors upload them to Open VSX or the VSCode marketplace, promote them on social media such as X using bots – the playbook includes pre-written social media templates – and use automated scripts to generate 50,000 fake downloads to give the VSIX extensions credibility with developers.

“By faking massive numbers of downloads, they continue to trick developers, and sometimes even marketplace review systems, into thinking their extensions are safe, popular, and vetted,” Ronen wrote. “To a casual observer, 100K installs signal legitimacy. That’s exactly what they’re counting on.”

WhiteCobra’s malicious extensions use a primary file, “extension.js”, that contains the same “Hello World” boilerplate included in every VSCode extension template. However, it adds one extra call, “ShowPrompt,” which hands off execution to the prompt.js file; that secondary file is the start of the attack chain.

“By isolating malicious behavior in a secondary script, the threat actor avoids triggering red flags during static reviews or automated scans that only check the primary file,” Ronen wrote.
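The evasion described above relies on a review that stops at the entry file. The following added example (not code from Koi or from the extensions discussed) shows the defender-side check: unpack a VSIX (a zip archive), start at the `main` file declared in package.json, and follow every local `require()` so secondary scripts such as prompt.js are reviewed too. The archive, file contents and marker list are constructed for the example.

```python
"""Walk a VSIX's require() graph so a review covers secondary scripts, not just extension.js."""
import io
import json
import posixpath
import re
import zipfile

# Constructed list of markers worth a closer look in any extension file.
SUSPICIOUS = ("child_process", "https.request", "fetch(", "eval(", "exec(")
# Matches only relative requires ('./x', '../x'); npm/vscode modules are not followed.
REQUIRE_RE = re.compile(r"""require\(\s*['"](\.{1,2}/[^'"]+)['"]\s*\)""")


def build_sample_vsix() -> bytes:
    """Constructed VSIX-like zip: a 'Hello World' entry file that hands off to prompt.js."""
    files = {
        "extension/package.json": json.dumps({"name": "demo", "main": "./extension.js"}),
        "extension/extension.js": (
            "const vscode = require('vscode');\n"
            "const { showPrompt } = require('./prompt.js');\n"
            "function activate(ctx) { showPrompt(); }\n"
            "module.exports = { activate };\n"
        ),
        "extension/prompt.js": (
            "const { exec } = require('child_process');\n"
            "exports.showPrompt = () => exec('PLACEHOLDER_COMMAND');\n"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def audit_vsix(data: bytes) -> dict:
    """Return {archive path: [markers found]} for the entry file and everything it requires."""
    findings, seen = {}, set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        pkg = json.loads(zf.read("extension/package.json"))
        queue = [posixpath.normpath(posixpath.join("extension", pkg.get("main", "./extension.js")))]
        while queue:
            path = queue.pop()
            if path not in names and path + ".js" in names:  # require('./prompt') form
                path += ".js"
            if path in seen or path not in names:
                continue
            seen.add(path)
            src = zf.read(path).decode("utf-8", "replace")
            findings[path] = [m for m in SUSPICIOUS if m in src]
            for rel in REQUIRE_RE.findall(src):  # follow the hand-off to secondary scripts
                queue.append(posixpath.normpath(posixpath.join(posixpath.dirname(path), rel)))
    return findings
```

Running `audit_vsix(build_sample_vsix())` reports nothing for extension.js but flags `child_process` and `exec(` in prompt.js, which is exactly the file a primary-file-only scan never opens.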

Enter LummaStealer Malware

The next stage is downloaded from Cloudflare Pages and is specific to particular platforms, including Windows. With Windows, a PowerShell script downloads and executes a Python script that executes shellcode, which then executes LummaStealer, a malware popular among threat groups.

For WhiteCobra, LummaStealer not only grabs crypto wallet data from the system, but also information about connection services like AnyDesk, VPNs, and VNC, cloud infrastructure, messaging platforms, password managers, and wallet and password management browser extensions.

The malware also communicates with two command-and-control (C2) servers.

“WhiteCobra’s leaked playbook reveals more than just their tactics,” Ronen wrote. “It exposes the industrialization of extension-based attacks. With documented processes, automated tools, and revenue projections treating victims as mere numbers, this isn’t hacking; it’s a business operation.”

