A threat actor named WhiteCobra has infiltrated the Visual Studio Code marketplace and Open VSX registry with 24 malicious extensions targeting developers using VSCode, Cursor, and Windsurf editors.
Campaign overview
The ongoing campaign represents a sophisticated operation that researchers at Koi Security have been tracking for over a year. WhiteCobra is the same group responsible for a $500,000 cryptocurrency theft in July 2025, demonstrating their evolution from basic PowerShell miners to advanced crypto-stealing malware.
The campaign gained significant attention when Ethereum developer Zak Cole, a security professional with a decade of experience, had his wallet drained after installing what appeared to be a legitimate extension called “contractshark.solidity-lang” for the Cursor editor. The extension featured professional design elements, detailed descriptions, and showed 54,000 downloads on OpenVSX, highlighting the sophisticated deception techniques employed.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents