Developers were the targets of two new malicious Microsoft Visual Studio Code (VS Code) extensions created by a threat actor that security researchers believe is experimenting with methods for delivering information-stealing malware to the victims’ systems.
The malicious extensions come posing as a harmless “premium dark theme” and an AI-powered coding assistant, but both – through different methods – end up deploying an infostealer, according to Idan Dardikman, co-founder and CTO of cybersecurity startup Koi Security.
In a report this week, Dardikman wrote that both extensions – Bitcoin Black and Codo AI – are among the dozens of malicious VS Code extensions detected by Koi, with most leading to credentials being stolen or cryptocurrency being mined.
“But this malware goes further,” he wrote. “It captures your screen and sends it to the attacker. Your code. Your emails. Your Slack DMs. Whatever’s on your screen, they’re seeing it too. And that’s just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions. All delivered through two extensions – a color theme and an AI coding assistant. Both from the same publisher.”
Both Drop Same Infostealer
Dardikman added that “this is the story of a threat actor experimenting with different social engineering lures to compromise developers, iterating on their delivery mechanisms across versions, and deploying a very capable infostealer.”
Both extensions have been removed from the Microsoft Visual Studio Code Marketplace, with Bitcoin Black (BigBlack.bitcoin-black) being yanked December 5 and Codo AI (BigBlack.codo-ai) December 8. Another malicious extension with the same naming pattern – BigBlack.mrbigblacktheme – and written by the same publisher also was removed December 8.
Developers as Targets
The campaign uncovered by Koi researchers is another example of the growing trend of attackers targeting developers and the code repositories and package registries they rely on, such as GitHub, npm, and crates.io.
In a blog post earlier this year, SentinelOne security researchers said such code management platforms are key to modern software development and continuous integration/continuous delivery (CI/CD). However, they are also attractive targets for attackers staging cyberattacks and stealing sensitive information.
“The compromise of open-source software projects is becoming more prevalent, with threat actors targeting libraries distributed via package managers and public repositories like PyPI, crates.io, and GitHub,” the researchers wrote. “After infiltrating these trusted resources, threat actors can inject vulnerabilities into widely-used software, potentially compromising the security of many more associated applications and systems.”
Attackers also are exploiting legitimate internet services and platforms, they wrote, noting that GitLab and BitBucket, which are used for source code management and version control, “have also suffered from bugs leading to opportunities for threat actors to gain access to sensitive data, propagate malware, and orchestrate various forms of cybercrime.”
Seemingly Legitimate Tools
In the case of the malicious extensions, Koi’s Dardikman said that Bitcoin Black marketed itself as a “premium dark theme inspired by Bitcoin with sleek black backgrounds and vibrant orange/gold accents.”
While sounding harmless, it’s not just a theme, he wrote.
“Legitimate VS Code themes are JSON files,” Dardikman wrote. “They define colors. That’s it. They don’t need activation events, they don’t need a main entry point, and they certainly don’t need to execute PowerShell scripts. Bitcoin Black has all of the above – including a “*” activation event, meaning it runs on every VS Code action. For a color theme, this alone should raise eyebrows.”
With Codo AI, the attackers changed tactics. The extension works as a genuine AI coding assistant inside VS Code, backed by OpenAI’s ChatGPT or DeepSeek’s models. Because it delivers real functionality, its malicious behavior is harder to spot.
“But buried in the code, right before the legitimate AI chat implementation … the attacker left comments marking the malicious section of their own code,” he wrote. “This tells us something about their workflow – they’re actively maintaining this codebase and wanted to make sure they (or collaborators) didn’t accidentally remove the payload delivery mechanism during updates.”
DLL Hijacking Used
Despite their differences, both extensions deliver the same legitimate Lightshot screenshot tool, bundled with a malicious DLL in a DLL hijacking (sideloading) scheme.
“By placing a malicious DLL alongside a legitimate, signed executable, the attacker gains several advantages: the executable passes signature verification, security tools may whitelist the known-good binary, and the process tree looks completely normal,” Dardikman wrote. “When the legitimate Lightshot.exe launches, it loads the attacker’s DLL, which executes the infostealer payload.”
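The two warning signs described above (a "theme" that declares an entry point and a "*" activation event, and a signed executable shipped beside DLLs) can be checked mechanically on an unpacked extension. The following audit is an added example, not code from Koi Security or from the extensions themselves; the manifest, file list and function name are constructed for illustration.

```python
import posixpath

# Constructed sample inputs modelled on the article's description: a "theme"
# manifest that also declares an entry point and a "*" activation event, and a
# file list that bundles a script, an executable and a DLL. Not the real
# extension's package.json or contents.
SUSPECT_MANIFEST = {
    "name": "example-dark-theme",
    "contributes": {"themes": [{"label": "Example Dark", "path": "./themes/dark.json"}]},
    "activationEvents": ["*"],
    "main": "./out/extension.js",
}
SUSPECT_FILES = ["package.json", "themes/dark.json", "out/extension.js",
                 "bin/setup.ps1", "bin/tool.exe", "bin/helper.dll"]
CLEAN_MANIFEST = {
    "name": "example-clean-theme",
    "contributes": {"themes": [{"label": "Clean Dark", "path": "./themes/dark.json"}]},
}
CLEAN_FILES = ["package.json", "themes/dark.json", "README.md"]

NATIVE_EXT = {".exe", ".dll", ".ps1", ".cmd", ".bat", ".vbs"}

def audit_extension(manifest, files):
    """Return findings for an unpacked extension: its package.json plus file list."""
    findings = []
    contributes = manifest.get("contributes") or {}
    # A pure color theme contributes only themes (or icon themes) and nothing else.
    theme_only = "themes" in contributes and set(contributes) <= {"themes", "iconThemes"}
    events = manifest.get("activationEvents") or []
    if "*" in events:
        findings.append("activationEvents contains '*': code runs on every VS Code action")
    if theme_only and (manifest.get("main") or manifest.get("browser")):
        findings.append("theme-only extension declares an entry point, so code executes")
    if theme_only and events:
        findings.append("theme-only extension declares activationEvents")
    for f in files:
        if posixpath.splitext(f)[1].lower() in NATIVE_EXT:
            findings.append(f"bundled native binary or script: {f}")
    # An executable shipped beside DLLs is the layout DLL sideloading needs;
    # the DLLs deserve a signature check even when the .exe itself is signed.
    by_dir = {}
    for f in files:
        d, name = posixpath.split(f)
        by_dir.setdefault(d or ".", []).append(name.lower())
    for d, names in by_dir.items():
        if any(n.endswith(".exe") for n in names) and any(n.endswith(".dll") for n in names):
            findings.append(f"{d}: executable ships beside DLL(s); verify DLL signatures")
    return findings
```

Run it against the contents of `~/.vscode/extensions/<publisher>.<name>-<version>/` after loading that directory's `package.json`; a clean theme should produce no findings at all.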
He added that the “attacker is clearly experimenting with different social engineering approaches,” noting that Bitcoin Black targets developers with an interest in cryptocurrency, who likely hold crypto wallets and valuable credentials that can be exfiltrated. Codo AI, meanwhile, targets developers who want to boost productivity: a broader audience, and the genuine AI features provide cover for the malicious behavior.
“This campaign has its rough edges,” he wrote. “The attacker left comments in their code, used a memorable mutex [mutual exclusion] name, and their C2 [command-and-control] domain looks like someone mashed their keyboard. But the use of DLL hijacking with a legitimate signed binary shows real tradecraft. Sophistication is uneven, but the techniques that matter are solid.”