Paris Times

Liberté, Égalité, Fraternité
Thursday, Dec 11, 2025
Paris Times
Skip music »

Hackers Are Hiding Malware in Open-Source Tools and IDE Extensions

The common belief that “open source is safe because everyone can inspect the code” is misleading. In reality, most open-source projects include add-ons and components that are not open source at all — and these hidden parts can easily contain spyware, malware, and viruses. Once installed, they can take over both the user’s computer and the servers running the so-called open-source code, giving hackers full control to do whatever they want.

A newly uncovered cyberattack—one of the most sophisticated developer-focused campaigns seen in recent years—is weaponizing the daily workflow of software engineers. 

Security companies have revealed a malicious operation in which attackers insert stealthy malware into seemingly harmless extensions and open-source tools used by tens of thousands of developers worldwide. 

These extensions appear completely legitimate, yet silently exfiltrate highly sensitive data such as passwords, Wi-Fi access credentials, authentication tokens, clipboard contents, and even live screenshots taken directly from developers’ machines.


Compromised VS Code Extensions: “Bitcoin Black” and “Codo AI”

Two Visual Studio Code extensions were confirmed to contain embedded malicious components: the Bitcoin Black theme and an AI assistant tool called Codo AI. Both extensions looked fully legitimate on the marketplace and performed their advertised functions, which helped them evade suspicion and achieve wide adoption.

Once installed, the extensions deployed an additional malicious payload that continuously harvested data from infected devices. The threat actors were not content with collecting passwords alone. The malware captured real-time screenshots of developers’ screens—revealing source code, Slack discussions, credentials, internal documentation, and confidential project directories.

This level of visibility allows attackers to map entire workflows, understand sensitive architectures, and target organizations with precision.


The Attack Technique: DLL Hijacking as a Delivery Vehicle

The operation relied on an advanced method known as DLL hijacking, which abuses the way legitimate software loads system libraries.

The attackers downloaded a real, benign screenshot tool (Lightshot) onto the victim’s machine, pairing it with a malicious DLL that carried the same filename as the tool’s expected library. When Lightshot launched, it automatically loaded the attacker’s counterfeit DLL. This triggered the malware’s execution without raising suspicion.

Security researchers found that the malware collected:

  • Continuous screenshots and clipboard data

  • Wi-Fi passwords and saved wireless credentials

  • Browser cookies, authentication tokens, and active sessions (via Chrome and Edge in headless mode)

  • Information about installed software, running processes, and development tools

Koi Security reports that the attackers have been iterating and improving the operation, increasingly using “clean” and innocuous-looking scripts to blend in with normal developer activity.


The Campaign Is Spreading Beyond VS Code

While the first findings emerged in VS Code, similar malicious injections are now appearing across the broader open-source ecosystem:

  • npm and Go: Malware packages imitating the names of popular, trusted libraries

  • Rust: A library called finch-rust masqueraded as a scientific computation tool, but instead loaded an additional malware component called sha-rust

This reflects a direct attack on the software supply chain—the trust mechanism developers rely on when importing packages, extensions, or dependencies. By compromising tools that sit at the heart of software development, attackers gain privileged access to entire organizations.


Why This Threat Is So Dangerous

A single developer installing one benign-looking extension can unknowingly trigger a breach across the entire company:

  • Theft of core, proprietary source code

  • Takeover of GitHub and other cloud development accounts

  • Infection of CI/CD pipelines and build environments

  • Exposure of sensitive customer data, credentials, and internal architecture

Because development environments are privileged by design—holding secrets, tokens, SSH keys, and code—the blast radius of compromise is enormous.

Traditional static code scanning is insufficient for detecting these attacks. The extensions themselves often appear legitimate or include harmless code alongside hidden payloads. What is required is real-time behavioral monitoringcapable of flagging anomalous actions—such as a theme extension attempting to access stored passwords.


Recommended Security Measures for Developers and Organizations

To reduce exposure, cybersecurity firms recommend the following defensive steps:

  1. Enable multi-factor authentication on all development accounts, including GitHub, GitLab, cloud providers, and CI/CD tools.

  2. Verify the identity and reputation of extension publishers before installation.

  3. Avoid anonymous, poorly reviewed, or unknown plugins—even if they appear harmless.

  4. Adopt security tools that include behavioral detection, not only static scanning.

  5. Treat all AI-powered development tools with caution, especially those requesting elevated system permissions.

  6. Conduct regular audits of development environments, including browser sessions, secrets, stored tokens, and installed extensions.


This attack marks a turning point in developer-focused cybercrime. 

By targeting the very tools that developers rely on daily, attackers gain unprecedented access to the global software ecosystem. The findings underscore the urgent need for stronger supply-chain security, rigorous extension vetting, and behavioral monitoring to defend the world’s most sensitive development workflows.

Newsletter
Related Articles

In Poland, a journalist’s conversation with a senator suddenly turned into a scandal: “Please do not touch me.”

The confrontation broke out in the corridors of the Polish Sejm during a discussion about ending the war in Ukraine and Poland’s alleged absence from the negotiation table.

BULGARIA RISES: Bulgaria has reached a breaking point. What began as frustration over corruption and economic decline has exploded into one of the largest public uprisings in the democratic era

Sofia’s city center is now completely overrun by crowds so vast that drone cameras “cannot see the end of the crowd,” according to on-scene footage.

President Trump's administration wants the ICC to amend its founding document to ensure it does not investigate the Republican president and his top officials, threatening new US sanctions on the court if it did not

Larry Fink CEO of Blackrock - the largest wealth management company in the world says “the digitalisation of all and financial assets will be stored in digital wallets - it will happen worldwide and it will happen very rapidly”

Von der Leyen Unveils EU–India Talent Office, for secondary (Legal) Migration Routes

Ursula von der Leyen says that to prevent illegal border crossings, "we must open more safe and legal pathways to Europe," and announces, as part of the new "talent partnerships...

Traveling to USA? Homeland Security moving toward requiring foreign travelers to share social media history

Soon you may be required to present five years of social-media history, phone numbers and email addresses, the names of family members, and additional details. Various countries...

Major investigations are needed to uncover the fraud committed by elected officials and the constituents who protect them

Ilhan Omar: "The U.S. government will only do what Somalians in the U.S. tell them to do. They will do what we want and nothing else. They must follow our orders."

Why is Washington fixated on threats overseas while open acts of betrayal are being declared—live and unashamed—by its own elected officials?

Portugal’s narcotics police chief: “Europe is simply being flooded with cocaine” — criminal organizations are buying it from South America

Semi-submersible vessel seized mid-Atlantic in international operation targeting cocaine trafficking to Iberia and beyond

For the third time in a row: The Fed has lowered interest rates in the United States.

The Federal Reserve announced a quarter-percentage-point rate cut, from 4% to 3.75%, in one of the most complex decisions it has had to make in recent years. Many analysts expec...

TRUMP JR JUST DROPPED THE TRUTH NO ONE WANTED SPOKEN

When Donald Trump Jr. tells a room that half the supercars in Monaco carry Ukrainian plates—he isn’t making an observation.
Playlist Hide
0:00
0:00
Open
0:00
0:00
Close
Hackers Are Hiding Malware in Open-Source Tools and IDE Extensions
Traveling to USA? Homeland Security moving toward requiring foreign travelers to share social media history
Trump in Direct Assault: European Leaders Are Weak, Immigration a Disaster. Russia Is Strong and Big — and Will Win
Drugs and Assassinations: The Connection Between the Italian Mafia and Football Ultras
The Disregard for a Europe ‘in Danger of Erasure,’ the Shift Toward Russia: Trump’s Strategic Policy Document
India backs down on plan to mandate government “Sanchar Saathi” app on all smartphones
Macron Says Washington Pressuring EU to Delay Enforcement of Digital-Regulation Probes Against Meta, TikTok and X
Moroccan Court Upholds 18-Month Sentence for Frenchman Who Bought Ferrari with Bitcoin
EU Firms Struggle with 3,000-Hour Paperwork Load — While Automakers Fear De Facto 2030 Petrol Car Ban
The Ukrainian Sumo Wrestler Who Escaped the War — and Is Captivating Japan
Car Parts Leader Warns Europe Faces Heavy Job Losses in ‘Darwinian’ Auto Shake-Out
Families Accuse OpenAI of Enabling ‘AI-Driven Delusions’ After Multiple Suicides
U.S. Envoys Deliver Ultimatum to Ukraine: Sign Peace Deal by Thursday or Risk Losing American Support
Zelenskyy Signals Progress Toward Ending the War: ‘One of the Hardest Moments in History’ (end of his business model?)
The U.S. State Department Announces That Mass Migration Constitutes an Existential Threat to Western Civilization and Undermines the Stability of Key American Allies
A Decade of Innovation Stagnation at Apple: The Cook Era Critique
President Donald Trump Hosts Saudi Crown Prince Mohammed bin Salman at White House to Seal Major Defence and Investment Deals
AI Researchers Claim Human-Level General Intelligence Is Already Here
Tragedy in Serbia: Coach Mladen Žižović Collapses During Match and Dies at 44
Trump–Putin Budapest Summit Cancelled After Moscow Memo Raises Conditions for Ukraine Talks
Russia’s President Putin Declares Burevestnik Nuclear Cruise Missile Ready for Deployment
Francis Ford Coppola Auctions Luxury Watches After Self-Financed Film Flop
Convicted Sex Offender Mistakenly Freed by UK Prison Service Arrested in London
Swift Heist at the Louvre Sees Eight French Crown Jewels Stolen in Under Seven Minutes
‘Frightening’ First Night in Prison for Sarkozy: Inmates Riot and Shout ‘Little Nicolas’
White House Announces No Imminent Summit Between Trump and Putin
China Presses Netherlands to “properly” Resolve the Nexperia Seizure as Supply Chain Risks Grow
US and Qatar Warn EU of Trade and Energy Risks from Tough Climate Regulation
Merz Attacks Migrants, Sparks Uproar, and Refuses to Apologize: “Ask Your Daughters”
Apple Challenges EU Digital Markets Act Crackdown in Landmark Court Battle
Nicolas Sarkozy begins five-year prison term at La Santé in Paris
This Is How the 'Heist of the Century' Was Carried Out at the Louvre in Seven Minutes: France Humiliated as Crown with 2,000 Diamonds Vanishes
France’s Wealthy Shift Billions to Luxembourg and Switzerland Amid Tax and Political Turmoil
S&P Downgrades France’s Credit Rating, Citing Soaring Debt and Political Instability
"The Tsunami Is Coming, and It’s Massive": The World’s Richest Man Unveils a New AI Vision
Dramatic Development in the Death of 'Mango' Founder: Billionaire's Son Suspected of Murder
Two Years of Darkness: The Harrowing Testimonies of Israeli Hostages Emerging From Gaza Captivity
EU Moves to Use Frozen Russian Assets to Buy U.S. Weapons for Ukraine
Europe Emerges as the Biggest Casualty in U.S.-China Rare Earth Rivalry
French Business Leaders Decry Budget as Macron’s Pro-Enterprise Promise Undermined
“Firepower” Promised for Ukraine as NATO Ministers Meet — But U.S. Tomahawks Remain Undecided
Brands Confront New Dilemma as Extremists Adopt Fashion Labels
The Sydney Sweeney and Jeans Storm: “The Outcome Surpassed Our Wildest Dreams”
French PM Suspends Macron’s Pension Reform Until After 2027 in Bid to Stabilize Government
Orange, Bouygues and Free Make €17 Billion Bid for Drahi’s Altice France Telecom Assets
AI and Cybersecurity at Forefront as GITEX Global 2025 Kicks Off in Dubai
Ex-Microsoft Engineer Confirms Famous Windows XP Key Was Leaked Corporate License, Not a Hack
China’s lesson for the US: it takes more than chips to win the AI race
French Political Turmoil Elevates Marine Le Pen as Rassemblement National Poised for Power
The Davos Set in Decline: Why the World Economic Forum’s Power Must Be Challenged
×