An unknown threat actor is deploying a large-scale, sophisticated cryptojacking campaign through a series of malicious extensions in Visual Studio Code, Microsoft’s lightweight source-code editor, according to a group of security researchers.

In a new report shared exclusively with Infosecurity, researchers from newly founded cybersecurity startup ExtensionTotal observed that at least nine extensions recently uploaded in the VS Code marketplace were malicious.

These extensions were all published after April 4 by three different authors, mainly one known as ‘Mark H.’ Over 300,000 installations were observed in just three days. The most popular, ‘Discord Rich Presence,’ gained 189,000 installs alone.

According to Itay Kruk, ExtensionTotal co-founder and a former product manager at Zscaler, the extensions are fake VS Code extensions and all nine are part of the same malicious campaign, serving as initial access vectors in a sophisticated multi-stage cryptomining campaign.

The malicious extensions are still active at the time of writing.

A Sophisticated Cryptojacking Campaign

Seven of the malicious extensions have been uploaded by ‘Mark H,’ including:

Discord Rich Presence for VS Code

Claude AI

Golang Compiler

Rust Compiler for VSCode

ChatGPT Agent for VSCode

HTNL Obfuscator for VSCode

Python Obfuscator for VSCode

Another, ‘Rojo - Roblox Studio Sync,’ was uploaded by ‘evaera’ and has been downloaded 117,000 times.

The final one, ‘Solidity Compiler,’ published by VSCode Developer, has gained 1300 installs.

“Reaching these numbers in an unusually short period of time strongly suggests that the install counts were artificially inflated, likely in an attempt to establish credibility and reduce user suspicion by making the extensions appear widely trusted and actively used,” wrote Yuval Ronen, Security Researcher at ExtensionTotal and author of the report.

Kruk said that the artificially inflated install counts highlight a concerning vulnerability in the extension ecosystem's trust metrics that attackers are actively exploiting.

Once installed, all nine extensions secretly download and execute a PowerShell script that disables Windows security, establishes persistence through scheduled tasks and installs an XMRig cryptominer from a remote command-and-control (C2) server.
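One defensive check for the behaviour described above, added here as an example and not code from ExtensionTotal's report or from Infosecurity: a Python audit of a local VS Code extensions directory (assumed layout: one folder per extension under ~/.vscode/extensions, each with a package.json) that flags the extension names and publishers the article lists and, as an added heuristic of this example, any shipped JavaScript that spawns PowerShell through child_process. The sample extension tree it builds is constructed for the demonstration.

```python
import json
import pathlib
import re
import tempfile

# Extension names and publishers as reported in the article.
REPORTED_NAMES = {"Discord Rich Presence for VS Code", "Claude AI",
                  "Golang Compiler", "Rust Compiler for VSCode",
                  "ChatGPT Agent for VSCode", "HTNL Obfuscator for VSCode",
                  "Python Obfuscator for VSCode", "Rojo - Roblox Studio Sync",
                  "Solidity Compiler"}
# Display names from the article; package.json carries the publisher ID, so
# substitute the IDs the marketplace shows for a real audit (assumption).
REPORTED_PUBLISHERS = {"Mark H", "evaera", "VSCode Developer"}
# Heuristic added by this example: child_process used near a powershell string.
POWERSHELL_SPAWN = re.compile(r"child_process[\s\S]{0,200}?powershell", re.I)

def audit_extensions(root):
    """Return (folder, reason) findings for every extension under root."""
    findings = []
    for manifest in sorted(pathlib.Path(root).glob("*/package.json")):
        folder = manifest.parent.name
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        name = meta.get("displayName") or meta.get("name", "")
        if name in REPORTED_NAMES:
            findings.append((folder, "reported extension name: " + name))
        if meta.get("publisher") in REPORTED_PUBLISHERS:
            findings.append((folder, "reported publisher: " + meta["publisher"]))
        for js in manifest.parent.rglob("*.js"):  # every shipped script
            if POWERSHELL_SPAWN.search(js.read_text(errors="ignore")):
                findings.append((folder, "spawns PowerShell in " + js.name))
    return findings

def build_sample_tree():
    """Constructed extensions dir: one look-alike of a reported extension
    whose script spawns PowerShell, plus one benign extension."""
    root = tempfile.mkdtemp()
    for folder, meta, js in [
        ("markh.discord-rich-presence-1.0.0",
         {"publisher": "Mark H", "displayName": "Discord Rich Presence for VS Code"},
         'require("child_process").spawn("powershell.exe", ["CONSTRUCTED.ps1"]);'),
        ("vendor.good-ext-1.0.0", {"publisher": "vendor", "displayName": "Good Ext"},
         "exports.activate = function () {};"),
    ]:
        d = pathlib.Path(root, folder)
        d.mkdir()
        (d / "package.json").write_text(json.dumps(meta))
        (d / "extension.js").write_text(js)
    return root
```

Run `audit_extensions(build_sample_tree())` to see the three findings on the look-alike extension and none on the benign one; point it at the real extensions directory for an actual audit.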

XMRig is a popular, open-source cryptocurrency mining software used to mine Monero (XMR) and other cryptocurrencies that use the RandomX or Cryptonight algorithms.

XMRig’s ease of use has made it a popular tool among malicious actors for cryptojacking – secretly mining cryptocurrency on compromised devices without the owner's knowledge or consent.