- Researchers found 24 malicious extensions on the Visual Studio Marketplace and the Open VSX Registry deploying Lumma Stealer and other malicious software
- The attack targeted cryptocurrency holders and developers, with removed extensions quickly replaced by new ones
- Open source extension platforms remain attractive targets due to their popularity and the ease of distributing malicious software through them
Cybercriminals are once again targeting cryptocurrency holders and developers, smuggling infostealers into open source code repositories.
Last week, BleepingComputer reported that researchers had discovered two dozen malicious extensions on the Visual Studio Marketplace and the Open VSX Registry.
The Visual Studio Marketplace and the Open VSX Registry are both platforms for distributing extensions. The first belongs to Microsoft and is used by Visual Studio Code and Visual Studio, while the second serves VS Code-compatible editors such as Eclipse Theia, Gitpod, SAP Business Application Studio and others.
WhiteCobra targeting software developers
The attack was spotted by Koi cybersecurity researchers, as well as by one of the victims, Zak Cole, a highly skilled and experienced developer.
The researchers determined that there were at least 24 malicious extensions on the platforms, and those removed were quickly replaced by new ones. When installed on a Windows device, the extensions would deploy Lumma Stealer to compromise the computer.
Lumma is a known infostealer capable of stealing passwords and payment information stored in the browser, and of exfiltrating sensitive files, session cookies and cryptocurrency wallet information.
On Macs, the payload takes the form of a Mach-O binary that runs locally and loads an unknown piece of malware.
The researchers call the threat actor WhiteCobra.
Open source software repositories are popular targets for cybercriminals because they allow malware to be distributed in several ways, especially on popular platforms such as the Visual Studio Marketplace and the Open VSX Registry. The first, for example, is extremely popular among developers using Visual Studio and VS Code, because it hosts more than 48,000 extensions that are tightly integrated into Microsoft products.
The Open VSX Registry, on the other hand, is gaining momentum, particularly in open-source and enterprise environments that use VS Code-compatible editors such as Eclipse Theia, Gitpod and SAP Business Application Studio. It hosts nearly 3,000 extensions from more than 1,500 publishers, with more than two million monthly downloads.
Via BleepingComputer