Rabat Times

Moroccan Voices. Global Perspective.
Rooted in Tradition
Tuned to Tomorrow.
Skip music »

Hackers Are Hiding Malware in Open-Source Tools and IDE Extensions

The common belief that “open source is safe because everyone can inspect the code” is misleading. In reality, most open-source projects include add-ons and components that are not open source at all — and these hidden parts can easily contain spyware, malware, and viruses. Once installed, they can take over both the user’s computer and the servers running the so-called open-source code, giving hackers full control to do whatever they want.

A newly uncovered cyberattack—one of the most sophisticated developer-focused campaigns seen in recent years—is weaponizing the daily workflow of software engineers. 

Security companies have revealed a malicious operation in which attackers insert stealthy malware into seemingly harmless extensions and open-source tools used by tens of thousands of developers worldwide. 

These extensions appear completely legitimate, yet silently exfiltrate highly sensitive data such as passwords, Wi-Fi access credentials, authentication tokens, clipboard contents, and even live screenshots taken directly from developers’ machines.


Compromised VS Code Extensions: “Bitcoin Black” and “Codo AI”

Two Visual Studio Code extensions were confirmed to contain embedded malicious components: the Bitcoin Black theme and an AI assistant tool called Codo AI. Both extensions looked fully legitimate on the marketplace and performed their advertised functions, which helped them evade suspicion and achieve wide adoption.

Once installed, the extensions deployed an additional malicious payload that continuously harvested data from infected devices. The threat actors were not content with collecting passwords alone. The malware captured real-time screenshots of developers’ screens—revealing source code, Slack discussions, credentials, internal documentation, and confidential project directories.

This level of visibility allows attackers to map entire workflows, understand sensitive architectures, and target organizations with precision.


The Attack Technique: DLL Hijacking as a Delivery Vehicle

The operation relied on an advanced method known as DLL hijacking, which abuses the way legitimate software loads system libraries.

The attackers downloaded a real, benign screenshot tool (Lightshot) onto the victim’s machine, pairing it with a malicious DLL that carried the same filename as the tool’s expected library. When Lightshot launched, it automatically loaded the attacker’s counterfeit DLL. This triggered the malware’s execution without raising suspicion.

Security researchers found that the malware collected:

  • Continuous screenshots and clipboard data

  • Wi-Fi passwords and saved wireless credentials

  • Browser cookies, authentication tokens, and active sessions (via Chrome and Edge in headless mode)

  • Information about installed software, running processes, and development tools

Koi Security reports that the attackers have been iterating and improving the operation, increasingly using “clean” and innocuous-looking scripts to blend in with normal developer activity.


The Campaign Is Spreading Beyond VS Code

While the first findings emerged in VS Code, similar malicious injections are now appearing across the broader open-source ecosystem:

  • npm and Go: Malware packages imitating the names of popular, trusted libraries

  • Rust: A library called finch-rust masqueraded as a scientific computation tool, but instead loaded an additional malware component called sha-rust

This reflects a direct attack on the software supply chain—the trust mechanism developers rely on when importing packages, extensions, or dependencies. By compromising tools that sit at the heart of software development, attackers gain privileged access to entire organizations.


Why This Threat Is So Dangerous

A single developer installing one benign-looking extension can unknowingly trigger a breach across the entire company:

  • Theft of core, proprietary source code

  • Takeover of GitHub and other cloud development accounts

  • Infection of CI/CD pipelines and build environments

  • Exposure of sensitive customer data, credentials, and internal architecture

Because development environments are privileged by design—holding secrets, tokens, SSH keys, and code—the blast radius of compromise is enormous.

Traditional static code scanning is insufficient for detecting these attacks. The extensions themselves often appear legitimate or include harmless code alongside hidden payloads. What is required is real-time behavioral monitoringcapable of flagging anomalous actions—such as a theme extension attempting to access stored passwords.


Recommended Security Measures for Developers and Organizations

To reduce exposure, cybersecurity firms recommend the following defensive steps:

  1. Enable multi-factor authentication on all development accounts, including GitHub, GitLab, cloud providers, and CI/CD tools.

  2. Verify the identity and reputation of extension publishers before installation.

  3. Avoid anonymous, poorly reviewed, or unknown plugins—even if they appear harmless.

  4. Adopt security tools that include behavioral detection, not only static scanning.

  5. Treat all AI-powered development tools with caution, especially those requesting elevated system permissions.

  6. Conduct regular audits of development environments, including browser sessions, secrets, stored tokens, and installed extensions.


This attack marks a turning point in developer-focused cybercrime. 

By targeting the very tools that developers rely on daily, attackers gain unprecedented access to the global software ecosystem. The findings underscore the urgent need for stronger supply-chain security, rigorous extension vetting, and behavioral monitoring to defend the world’s most sensitive development workflows.

AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Read more
Newsletter
Related Articles

Moroccan Court Upholds 18-Month Sentence for Frenchman Who Bought Ferrari with Bitcoin

Thomas Clausi convicted for illegal cryptocurrency-based car purchase as Morocco’s crypto ban remains in force

Airbus Orders Emergency Fix for Six Thousand A320 Jets After Solar-Radiation Control Fault

Urgent software and hardware repairs mandated worldwide after investigators link intense solar exposure to flight-control data failures

Shocking Case in France: Senior Official Suspected of Drugging 240 Women During Job Interviews

A former Culture Ministry executive is accused of drugging hundreds of female job applicants over nearly a decade using a potent diuretic.

Could AI Nursing Robots Help Healthcare Staffing Shortages?

Around the world, healthcare systems are being pushed to the breaking point by staffing shortfalls, especially among nurses.

U.S. Health Care Costs Continue to Climb

Employers shift higher insurance and drug costs to workers

Poland Dismisses Trump’s Suggestion on Drone Raid

Tusk says Russian incursion was intentional, NATO responds firmly

Supreme Court to Rule on Trump Tariffs

Justices to examine tariffs imposed without congressional approval

California Moves to Ban ICE Agents from Wearing Masks

Governor Newsom has one month to sign or veto measure

Paramount Skydance Eyes Warner Bros Discovery Acquisition

Ellison family-backed bid highlights consolidation in media industry

Trump to Meet Qatar’s Prime Minister in New York

Talks follow Israeli strike targeting Hamas leaders in Doha

Borderlands 4 Brings New Strategies

Players urged to master elements, Repkits, and movement mechanics
Playlist Hide
0:00
0:00
Open
0:00
0:00
Close
Hackers Are Hiding Malware in Open-Source Tools and IDE Extensions
Moroccan Court Upholds 18-Month Sentence for Frenchman Who Bought Ferrari with Bitcoin
Could AI Nursing Robots Help Healthcare Staffing Shortages?
FIFA Pressured to Rethink World Cup Calendar Due to Climate Change
China’s Central Bank Consults European Peers on Low-Rate Strategies
US Eases Chip Software Sales Restrictions to China
Trump Announces New Trade Agreement Between U.S. and Vietnam
South Korea Signals It May Miss Trump Trade Deal Deadline
Toyota Industries Faces Backlash Over $33 Billion Buyout Plan
AI Raises Alarms Over Long-Term Job Security
Air France-KLM Acquires Majority Stake in Scandinavian Airlines
US strikes Iran nuclear sites, Trump says
UK and EU Reach Agreement on Gibraltar's Schengen Integration
Israeli Finance Minister Imposes Banking Penalties on Palestinians
Trump's Policies Prompt Decline in Chinese Student Enrollment in U.S.
U.S. Inflation Rises to 2.4% in May Amid Trade Tensions
Global Oceans Near Record Temperatures as CO₂ Levels Climb
Trump Announces U.S.-China Trade Deal Covering Rare Earths
Smuggled U.S. Fuel Funds Mexican Cartels Amid Crackdown
Global News Roundup: From Ukraine's strategic military strikes and Russia's demands and Tensions Escalate in Ukraine, to serious legal issues faced by Britons in Bali and Trump's media criticism, the latest developments highlight a turbulent landscape
Majority of French Voters View Macron's Presidency as a Failure
Macron Lightheartedly Addresses Viral 'Shove' Incident in Indonesia
France Implements Nationwide Outdoor Smoking Ban to Protect Children
Foreign Tax Provision in U.S. Budget Bill Alarms Investors
Trump Accuses China of Violating Trade Agreement
U.S. Goods Imports Plunge Nearly 20% Amid Tariff Disruptions
Italy Faces Population Decline Amid Youth Emigration
Gerry Adams Wins Libel Case Against BBC
Russia Accuses Serbia of Supplying Arms to Ukraine
Alcohol Industry Faces Increased Scrutiny Amid Health Concerns
OpenAI Faces Competition from Cheaper AI Rivals
Morocco's Startup Ecosystem Rises in Global Rankings
OCP Group and Italy's SACE Sign €365 Million Green Financing Agreement
Innovative Farming Method Protects Bees and Boosts Income in Moroccan Oases
Catalonian Delegation Begins Economic Mission to Morocco
Morocco's Formula 1 Ambitions Accelerate with $1.2 Billion Tangier Project
Morocco Signs Agreements for Eight New Sustainable Industrial Projects
Morocco Unveils 2025–2027 Foreign Trade Roadmap
Morocco and Egypt Deepen Strategic Partnership with New Bilateral Frameworks
Kenya Opens First Embassy in Morocco, Signaling Strengthened Ties
European and Arab Ministers Convene in Madrid to Address Gaza Conflict
Head of Gaza Aid Group Resigns Amid Humanitarian Concerns
Moroccan Ambassador Criticizes Algeria's Role in Regional Destabilization
Kenya Endorses Morocco's Autonomy Plan for Western Sahara
Moroccan Political Parties Fail to Account for Over MAD 5 Million in Spending
El Salvador Considers Opening Consulate in Laayoune, Western Sahara
European Central Bank Pushes for Euro to Rival US Dollar Globally
UK Politicians Advocate for Recognition of Moroccan Sovereignty over Western Sahara
Syria Closes Polisario Offices in Damascus
Morocco Signs 7,500 International Agreements, Majority Under King Mohammed VI
×