A newly uncovered cyberattack—one of the most sophisticated developer-focused campaigns seen in recent years—is weaponizing the daily workflow of software engineers.
Security companies have revealed a malicious operation in which attackers insert stealthy malware into seemingly harmless extensions and open-source tools used by tens of thousands of developers worldwide.
These extensions appear completely legitimate, yet silently exfiltrate highly sensitive data such as passwords, Wi-Fi access credentials, authentication tokens, clipboard contents, and even live screenshots taken directly from developers’ machines.
Two Visual Studio Code extensions were confirmed to contain embedded malicious components: the Bitcoin Black theme and an AI assistant tool called Codo AI. Both extensions looked fully legitimate on the marketplace and performed their advertised functions, which helped them evade suspicion and achieve wide adoption.
Once installed, the extensions deployed an additional malicious payload that continuously harvested data from infected devices. The threat actors were not content with collecting passwords alone. The malware captured real-time screenshots of developers’ screens—revealing source code, Slack discussions, credentials, internal documentation, and confidential project directories.
This level of visibility allows attackers to map entire workflows, understand sensitive architectures, and target organizations with precision.
The operation relied on an advanced method known as DLL hijacking, which abuses the way legitimate software loads system libraries.
The attackers downloaded a real, benign screenshot tool (Lightshot) onto the victim’s machine, pairing it with a malicious DLL that carried the same filename as the tool’s expected library. When Lightshot launched, it automatically loaded the attacker’s counterfeit DLL. This triggered the malware’s execution without raising suspicion.
Security researchers found that the malware collected:
Continuous screenshots and clipboard data
Wi-Fi passwords and saved wireless credentials
Browser cookies, authentication tokens, and active sessions (via Chrome and Edge in headless mode)
Information about installed software, running processes, and development tools
Koi Security reports that the attackers have been iterating and improving the operation, increasingly using “clean” and innocuous-looking scripts to blend in with normal developer activity.
While the first findings emerged in VS Code, similar malicious injections are now appearing across the broader open-source ecosystem:
npm and Go: Malware packages imitating the names of popular, trusted libraries
Rust: A library called finch-rust masqueraded as a scientific computation tool, but instead loaded an additional malware component called sha-rust
This reflects a direct attack on the software supply chain—the trust mechanism developers rely on when importing packages, extensions, or dependencies. By compromising tools that sit at the heart of software development, attackers gain privileged access to entire organizations.
A single developer installing one benign-looking extension can unknowingly trigger a breach across the entire company:
Theft of core, proprietary source code
Takeover of GitHub and other cloud development accounts
Infection of CI/CD pipelines and build environments
Exposure of sensitive customer data, credentials, and internal architecture
Because development environments are privileged by design—holding secrets, tokens, SSH keys, and code—the blast radius of compromise is enormous.
Traditional static code scanning is insufficient for detecting these attacks. The extensions themselves often appear legitimate or include harmless code alongside hidden payloads. What is required is real-time behavioral monitoring capable of flagging anomalous actions—such as a theme extension attempting to access stored passwords.
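As an added illustration of what such behavioral monitoring looks like in practice, the following Python script (written for this page; it is not a vendor's product and not code from the reported campaign) applies three rules to a constructed, pipe-delimited telemetry log: a library that normally lives in a Windows system directory being loaded from an application's own folder (the search-order hijack pattern described earlier), the VS Code extension host launching a browser in headless mode, and the extension host reading a browser's credential or cookie database. The library names, the log format and the assumption that the extension host is identifiable by `--type=extensionHost` in its command line are all placeholders to adapt to real telemetry.

```python
"""Toy behavioural detector over a constructed endpoint-telemetry log.

Field layout per line (constructed format, not any product's schema):

    kind|actor_image_path|actor_command_line|target

Assumptions not taken from the article: the VS Code extension host is
recognisable by "--type=extensionHost" in its command line, and the
library names below stand in for a real baseline of system DLL names.
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Placeholder names standing in for libraries that should only ever load
# from a Windows system directory (the article does not name the real DLL).
SYSTEM_LIBRARIES = {"example-system.dll", "another-system.dll"}
BROWSERS = {"chrome.exe", "msedge.exe"}
CREDENTIAL_STORES = ("\\login data", "\\cookies", "\\web data")
EXTENSION_HOST_MARKER = "--type=extensionhost"

# Constructed sample log: one hijacked load, one legitimate load, one headless
# browser launch, one credential-store read and one harmless git invocation.
SAMPLE_LOG = r"""
image_load|C:\Users\dev\AppData\Local\Temp\lightshot.exe|lightshot.exe|C:\Users\dev\AppData\Local\Temp\example-system.dll
image_load|C:\Users\dev\AppData\Local\Temp\lightshot.exe|lightshot.exe|C:\Windows\System32\another-system.dll
process_create|C:\Program Files\VSCode\Code.exe|Code.exe --type=extensionHost|"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless
file_read|C:\Program Files\VSCode\Code.exe|Code.exe --type=extensionHost|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data
process_create|C:\Program Files\VSCode\Code.exe|Code.exe --type=extensionHost|"C:\Program Files\Git\cmd\git.exe" status
"""


def basename(path):
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def child_image(cmdline):
    """Image path at the start of a command line, honouring a quoted first argument."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def is_extension_host(cmdline):
    return EXTENSION_HOST_MARKER in cmdline.lower()


def find_anomalies(log_text):
    """Return (rule, actor_image, target) triples for every suspicious event."""
    findings = []
    for line in log_text.strip().splitlines():
        kind, actor, actor_cmdline, target = line.split("|", 3)
        actor_name = basename(actor)
        if kind == "image_load":
            # A library that normally lives in System32 being loaded from the
            # application's own folder is the classic search-order hijack tell.
            if basename(target) in SYSTEM_LIBRARIES and not target.lower().startswith(SYSTEM_DIRS):
                findings.append(("dll_search_order_hijack", actor_name, target))
        elif kind == "process_create" and is_extension_host(actor_cmdline):
            # An editor extension has no business driving a headless browser.
            if basename(child_image(target)) in BROWSERS and "--headless" in target.lower():
                findings.append(("headless_browser_from_extension_host", actor_name, target))
        elif kind == "file_read" and is_extension_host(actor_cmdline):
            # Nor reading the browser's credential and cookie databases.
            if target.lower().endswith(CREDENTIAL_STORES):
                findings.append(("credential_store_read_from_extension_host", actor_name, target))
    return findings


if __name__ == "__main__":
    for rule, actor, target in find_anomalies(SAMPLE_LOG):
        print(f"{rule:45} {actor:15} {target}")
```

Run against the constructed log, the script flags the hijacked load, the headless browser launch and the credential-store read, and ignores the legitimate System32 load and the git call. The point of the design is that each rule keys on the relationship between actor and action (who loaded what from where, which process spawned which child), which is exactly what static scanning of the extension package cannot see.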
To reduce exposure, cybersecurity firms recommend the following defensive steps:
Enable multi-factor authentication on all development accounts, including GitHub, GitLab, cloud providers, and CI/CD tools.
Verify the identity and reputation of extension publishers before installation.
Avoid anonymous, poorly reviewed, or unknown plugins—even if they appear harmless.
Adopt security tools that include behavioral detection, not only static scanning.
Treat all AI-powered development tools with caution, especially those requesting elevated system permissions.
Conduct regular audits of development environments, including browser sessions, secrets, stored tokens, and installed extensions.
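An added example of the last step, auditing installed extensions, written for this page and not taken from the article, the researchers or any vendor: a Python script that reads each extension's package.json under the standard VS Code extensions directory and applies three manifest-level checks motivated by the campaign above. A colour or icon theme is pure data, so a theme-only extension that declares a JavaScript entry point is suspicious; an activation event of "*" makes the extension run at every startup regardless of workspace; and an entry script that references child_process can launch external programs. The sample manifests and sources are constructed and the extension names are placeholders, not the ones reported.

```python
"""Manifest-level audit of installed VS Code extensions (added example).

Assumes the default layout ~/.vscode/extensions/<publisher>.<name>-<version>/package.json.
"""
import json
from pathlib import Path

THEME_ONLY_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}


def audit_manifest(manifest, entry_source=""):
    """Return a list of (rule_id, detail) findings for one package.json."""
    findings = []
    contributes = set(manifest.get("contributes", {}))
    entry = manifest.get("main") or manifest.get("browser")
    # A colour or icon theme is pure data; it needs no JavaScript entry point.
    if contributes and contributes <= THEME_ONLY_CONTRIBUTIONS and entry:
        findings.append(("theme_with_code", f"theme-only extension declares entry point {entry}"))
    # "*" activates the extension at every startup regardless of workspace
    # content; legitimate extensions rarely need it.
    if "*" in manifest.get("activationEvents", []):
        findings.append(("unconditional_activation", 'activationEvents contains "*"'))
    # Spawning external programs is how a stealer would launch a dropped tool.
    if "child_process" in entry_source:
        findings.append(("spawns_processes", "entry script references child_process"))
    return findings


def audit_installed(root=None):
    """Audit every extension under ~/.vscode/extensions (or a given root)."""
    root = Path(root) if root else Path.home() / ".vscode" / "extensions"
    results = {}
    for manifest_path in root.glob("*/package.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        source = ""
        entry = manifest.get("main") or manifest.get("browser")
        if entry:
            entry_path = manifest_path.parent / entry
            if not entry_path.is_file():  # Node resolution allows omitting .js
                entry_path = entry_path.with_suffix(".js")
            if entry_path.is_file():
                source = entry_path.read_text(encoding="utf-8", errors="ignore")
        results[manifest_path.parent.name] = audit_manifest(manifest, source)
    return results


# Constructed sample inputs; names are placeholders, not real extensions.
SAMPLE_EXTENSIONS = {
    "example.suspicious-theme-1.0.0": (
        {"name": "suspicious-theme", "publisher": "example",
         "contributes": {"themes": [{"label": "Suspicious Dark", "path": "./themes/dark.json"}]},
         "main": "./out/extension.js", "activationEvents": ["*"]},
        'const cp = require("child_process");\nexports.activate = () => cp.spawn("helper.exe");\n',
    ),
    "example.honest-theme-1.0.0": (
        {"name": "honest-theme", "publisher": "example",
         "contributes": {"themes": [{"label": "Honest Light", "path": "./themes/light.json"}]}},
        "",
    ),
    "example.python-linter-2.3.1": (
        {"name": "python-linter", "publisher": "example",
         "contributes": {"commands": [{"command": "lint.run", "title": "Run lint"}]},
         "main": "./out/extension.js", "activationEvents": ["onLanguage:python"]},
        'const vscode = require("vscode");\nexports.activate = (ctx) => {};\n',
    ),
}


def audit_samples():
    """Rule ids triggered by each constructed sample, keyed by folder name."""
    return {name: [rule for rule, _ in audit_manifest(manifest, source)]
            for name, (manifest, source) in SAMPLE_EXTENSIONS.items()}


if __name__ == "__main__":
    for name, rules in audit_samples().items():
        print(f"{name:40} {', '.join(rules) or 'clean'}")
```

On the constructed samples the suspicious theme trips all three rules while the honest theme and the linter come out clean; `audit_installed()` runs the same checks over a real extensions directory. These are triage signals rather than proof of malice, so a hit should lead to reading the entry script and checking the publisher, as the steps above recommend, not to automatic removal.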
This attack marks a turning point in developer-focused cybercrime.
By targeting the very tools that developers rely on daily, attackers gain unprecedented access to the global software ecosystem. The findings underscore the urgent need for stronger supply-chain security, rigorous extension vetting, and behavioral monitoring to defend the world’s most sensitive development workflows.