
A large-scale cryptojacking campaign has been discovered using malicious Visual Studio Code (VS Code) extensions. According to cybersecurity researchers at the startup ExtensionTotal, unknown attackers have published several harmful extensions in Microsoft’s popular code editor, aiming to secretly mine cryptocurrency on users’ devices.
Over 300,000 Installs in Just Days
In a detailed report, researchers revealed that at least nine malicious extensions were uploaded to the official VS Code Marketplace after April 4. These extensions were created by three different authors, with one name — “Mark H.” — being the most active.
Shockingly, these malicious extensions were downloaded more than 300,000 times within just three days. The most downloaded extension, titled “Discord Rich Presence,” alone gathered 189,000 installs.
ExtensionTotal co-founder Itay Kruk, a former product manager at Zscaler, explained that all nine extensions are fake and part of a coordinated cryptojacking campaign. These extensions act as the initial access point in a multi-stage attack that secretly installs cryptocurrency mining software.
“The extensions appear legitimate, but they’re actually tools for launching a hidden attack,” Kruk said.
Fake Extensions Used in the Attack
Here are the nine malicious extensions identified so far:
Discord Rich Presence for VS Code
Claude AI
Golang Compiler
Rust Compiler for VSCode
ChatGPT Agent for VSCode
HTML Obfuscator for VSCode
Python Obfuscator for VSCode
Rojo – Roblox Studio Sync (published by ‘evaera’ with 117,000 installs)
Solidity Compiler (published by ‘VSCode Developer’ with 1,300 installs)
Most of these were uploaded by “Mark H.” The high number of downloads in such a short time suggests that the attackers used bots or other methods to fake install counts. This tactic helps gain trust by making the extensions seem popular and widely used.
“These inflated numbers highlight a serious weakness in how users measure trust on the marketplace,” Kruk noted.
How the Cryptojacking Attack Works
Once installed, these extensions silently download a PowerShell script that performs several harmful actions:
Disables Windows Security Features
Sets Up Persistence using scheduled tasks
Downloads and Runs XMRig, a popular cryptomining tool
The malware connects to a remote command-and-control (C2) server, which was registered on the same day the campaign began — April 4. The C2 domain used is asdf11[.]xyz.
XMRig is a widely known, open-source tool that mines Monero (XMR) and other privacy-focused cryptocurrencies. It is often abused by attackers in cryptojacking attacks because it is easy to set up and works efficiently in the background without user consent.
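As an added example, not taken from the article or from ExtensionTotal's report, the following Python routine runs the indicators the article names (scheduled-task persistence, the asdf11[.]xyz C2 domain and an XMRig binary) over a few constructed log lines. The "timestamp key=value" line format, the host names and the file paths are invented for the example; in practice the same checks map onto your SIEM's fields (Windows Security event 4698 for "a scheduled task was created", endpoint telemetry for process starts and outbound connections).

```python
import re
from collections import defaultdict

# Indicators named in the article. The domain is stored de-fanged and
# refanged only at match time so this file carries no live IoC.
C2_DOMAINS = {"asdf11[.]xyz"}
MINER_IMAGES = {"xmrig"}

# Generic persistence heuristic (not article-specific): a scheduled task
# whose action runs content from a user-writable location.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.I)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed telemetry in a made-up 'timestamp key=value ...' format.
# event 4698 = Windows Security "scheduled task created"; netconn/procstart
# stand in for endpoint network and process-start events.
SAMPLE_LOG = r"""
2025-04-05T10:12:03Z host=dev1 event=4698 task=\Microsoft\Windows\Updater action="powershell.exe -WindowStyle Hidden -File C:\Users\dev1\AppData\Local\Temp\u.ps1"
2025-04-05T10:12:09Z host=dev1 event=netconn image=powershell.exe dest=asdf11.xyz:443
2025-04-05T10:13:40Z host=dev1 event=procstart image=C:\Users\dev1\AppData\Roaming\svc\xmrig.exe
2025-04-05T11:00:00Z host=dev2 event=4698 task=\Backup\Nightly action="C:\Windows\System32\robocopy.exe D:\src E:\bak /MIR"
2025-04-05T11:00:05Z host=dev2 event=netconn image=chrome.exe dest=example.com:443
"""


def refang(ioc: str) -> str:
    """Turn a de-fanged indicator (asdf11[.]xyz) back into a matchable domain."""
    return ioc.replace("[.]", ".")


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict of its key=value fields."""
    ts, _, rest = line.strip().partition(" ")
    rec = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        rec[key] = quoted or bare
    return rec


def reasons_for(rec: dict) -> list:
    """Return the list of indicator matches for a single parsed record."""
    found = []
    action = rec.get("action", "")
    if rec.get("event") == "4698":
        if "powershell" in action.lower():
            found.append("scheduled task launches PowerShell")
        if USER_WRITABLE.search(action):
            found.append("scheduled task runs content from a user-writable path")
    dest = rec.get("dest", "").split(":")[0].lower()
    if dest in {refang(d) for d in C2_DOMAINS}:
        found.append(f"connection to known C2 domain {dest}")
    image = rec.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if any(m in image for m in MINER_IMAGES):
        found.append(f"miner binary executed: {image}")
    return found


def triage(lines) -> dict:
    """Group every indicator hit by host: {host: [(timestamp, reason), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        for reason in reasons_for(rec):
            hits[rec.get("host", "?")].append((rec["ts"], reason))
    return dict(hits)


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG.splitlines()).items():
        print(host)
        for ts, reason in reasons:
            print(f"  {ts}  {reason}")
```

A single scheduled-task hit is low signal on its own; the chain the article describes (task creation, then a connection to the C2 domain, then the miner process) on one host is what turns the grouped output into an incident rather than a tuning ticket.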
Silent But Sophisticated
What makes this attack more dangerous is the level of deception used. The malicious extensions not only include harmful code but also install the real versions of the extensions they pretend to be, which helps avoid suspicion from users.
All nine extensions share the same core code, contact the same C2 server, and download identical malware, clearly pointing to a single coordinated operation.
“This is one of the most sophisticated campaigns we’ve seen in the VS Code ecosystem,” Kruk said.

Microsoft Yet to Respond
ExtensionTotal has reported the malicious extensions to Microsoft, but at the time of publishing, the tech giant had not released an official statement or taken action to remove them from the marketplace.
This incident raises serious concerns about the security of the VS Code extension ecosystem, which is widely used by millions of developers around the world. If attackers can easily publish malicious code in the marketplace and fake popularity metrics, it exposes users to hidden threats even when using trusted platforms.
Protecting Yourself from Malicious Extensions
Here are a few steps developers and organizations can take to stay safe:
Verify the author of any extension before installing
Check user reviews and community feedback
Monitor system performance for unusual CPU or GPU usage
Use endpoint protection tools to detect unauthorized mining activity
Regularly audit installed extensions and remove suspicious ones
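As an added example for the audit step, not code from the article or from ExtensionTotal, here is a Python script that reads the package.json manifest of every extension installed under VS Code's default extensions folder (~/.vscode/extensions on Linux and macOS, %USERPROFILE%\.vscode\extensions on Windows) and flags any whose display name matches one of the nine names listed above. The sample manifests and their publisher IDs are constructed. Because the campaign also installed the genuine extension under the same name, a name match is a review trigger to be checked against the publisher ID on the Marketplace, not a verdict.

```python
import json
import re
from pathlib import Path

# Display names of the nine extensions named in the article.
WATCHLIST = [
    "Discord Rich Presence for VS Code",
    "Claude AI",
    "Golang Compiler",
    "Rust Compiler for VSCode",
    "ChatGPT Agent for VSCode",
    "HTML Obfuscator for VSCode",
    "Python Obfuscator for VSCode",
    "Rojo – Roblox Studio Sync",
    "Solidity Compiler",
]


def normalize(name: str) -> str:
    """Lowercase, unify dashes, drop a trailing 'for VS Code' and collapse spaces."""
    n = name.lower().replace("–", "-").replace("—", "-")
    n = re.sub(r"\s+for\s+vs\s*code\b", "", n)
    return re.sub(r"\s+", " ", n).strip()


WATCH_NORMALIZED = {normalize(n): n for n in WATCHLIST}


def load_manifests(ext_dir=Path.home() / ".vscode" / "extensions") -> list:
    """Read package.json from each installed extension folder (publisher.name-version)."""
    manifests = []
    for pkg in Path(ext_dir).glob("*/package.json"):
        try:
            data = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, but do not crash the audit
        data["_dir"] = pkg.parent.name
        manifests.append(data)
    return manifests


def find_suspicious(manifests: list) -> list:
    """Return one finding per manifest whose display name is on the watchlist."""
    findings = []
    for m in manifests:
        display = m.get("displayName") or m.get("name", "")
        key = normalize(display)
        if key in WATCH_NORMALIZED:
            findings.append({
                "id": f"{m.get('publisher', '?')}.{m.get('name', '?')}",
                "displayName": display,
                "matched": WATCH_NORMALIZED[key],
                "dir": m.get("_dir", ""),
            })
    return findings


# Constructed manifests; the publisher IDs below are placeholders, not real IDs.
SAMPLE_MANIFESTS = [
    {"name": "python", "displayName": "Python", "publisher": "ms-python",
     "_dir": "ms-python.python-2025.2.0"},
    {"name": "rust-compiler", "displayName": "Rust Compiler for VSCode",
     "publisher": "publisher-placeholder-1", "_dir": "publisher-placeholder-1.rust-compiler-1.0.0"},
    {"name": "rojo", "displayName": "Rojo - Roblox Studio Sync",
     "publisher": "publisher-placeholder-2", "_dir": "publisher-placeholder-2.rojo-7.4.0"},
]


if __name__ == "__main__":
    # Use the constructed sample here; swap in load_manifests() to audit a real install.
    for f in find_suspicious(SAMPLE_MANIFESTS):
        print(f"REVIEW  {f['id']:45} {f['displayName']!r}  (matches {f['matched']!r})  {f['dir']}")
```

Run it against a live install with `find_suspicious(load_manifests())`; `code --list-extensions --show-versions` gives the same publisher.name IDs if you prefer to cross-check from the command line. Anything flagged should be compared with the publisher shown on the Marketplace page before removal, since the legitimate extension of that name may be the one you have.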
Conclusion
The discovery of this large-scale cryptojacking campaign highlights a growing trend of supply chain attacks targeting developers. As VS Code becomes more popular, it also becomes a more attractive target for cybercriminals looking to exploit trusted environments for malicious gain.
This campaign demonstrates how simple tools like browser extensions or IDE plugins can be weaponized in sophisticated ways. Microsoft and other platform providers must act quickly to strengthen security checks, ensure better extension vetting, and prevent trust manipulation through fake install counts.
Until then, users must remain alert, take proactive steps to secure their development environments, and not trust popularity alone when it comes to software extensions.