Berlin Today

Be Informed, Be Inspired, Be Berlin
Thursday, Dec 11, 2025
 Deutsch
Skip music »

Hackers Are Hiding Malware in Open-Source Tools and IDE Extensions

The common belief that “open source is safe because everyone can inspect the code” is misleading. In reality, most open-source projects include add-ons and components that are not open source at all — and these hidden parts can easily contain spyware, malware, and viruses. Once installed, they can take over both the user’s computer and the servers running the so-called open-source code, giving hackers full control to do whatever they want.

A newly uncovered cyberattack—one of the most sophisticated developer-focused campaigns seen in recent years—is weaponizing the daily workflow of software engineers. 

Security companies have revealed a malicious operation in which attackers insert stealthy malware into seemingly harmless extensions and open-source tools used by tens of thousands of developers worldwide. 

These extensions appear completely legitimate, yet silently exfiltrate highly sensitive data such as passwords, Wi-Fi access credentials, authentication tokens, clipboard contents, and even live screenshots taken directly from developers’ machines.


Compromised VS Code Extensions: “Bitcoin Black” and “Codo AI”

Two Visual Studio Code extensions were confirmed to contain embedded malicious components: the Bitcoin Black theme and an AI assistant tool called Codo AI. Both extensions looked fully legitimate on the marketplace and performed their advertised functions, which helped them evade suspicion and achieve wide adoption.

Once installed, the extensions deployed an additional malicious payload that continuously harvested data from infected devices. The threat actors were not content with collecting passwords alone. The malware captured real-time screenshots of developers’ screens—revealing source code, Slack discussions, credentials, internal documentation, and confidential project directories.

This level of visibility allows attackers to map entire workflows, understand sensitive architectures, and target organizations with precision.


The Attack Technique: DLL Hijacking as a Delivery Vehicle

The operation relied on an advanced method known as DLL hijacking, which abuses the way legitimate software loads system libraries.

The attackers downloaded a real, benign screenshot tool (Lightshot) onto the victim’s machine, pairing it with a malicious DLL that carried the same filename as the tool’s expected library. When Lightshot launched, it automatically loaded the attacker’s counterfeit DLL. This triggered the malware’s execution without raising suspicion.

Security researchers found that the malware collected:

  • Continuous screenshots and clipboard data

  • Wi-Fi passwords and saved wireless credentials

  • Browser cookies, authentication tokens, and active sessions (via Chrome and Edge in headless mode)

  • Information about installed software, running processes, and development tools

Koi Security reports that the attackers have been iterating and improving the operation, increasingly using “clean” and innocuous-looking scripts to blend in with normal developer activity.


The Campaign Is Spreading Beyond VS Code

While the first findings emerged in VS Code, similar malicious injections are now appearing across the broader open-source ecosystem:

  • npm and Go: Malware packages imitating the names of popular, trusted libraries

  • Rust: A library called finch-rust masqueraded as a scientific computation tool, but instead loaded an additional malware component called sha-rust

This reflects a direct attack on the software supply chain—the trust mechanism developers rely on when importing packages, extensions, or dependencies. By compromising tools that sit at the heart of software development, attackers gain privileged access to entire organizations.


Why This Threat Is So Dangerous

A single developer installing one benign-looking extension can unknowingly trigger a breach across the entire company:

  • Theft of core, proprietary source code

  • Takeover of GitHub and other cloud development accounts

  • Infection of CI/CD pipelines and build environments

  • Exposure of sensitive customer data, credentials, and internal architecture

Because development environments are privileged by design—holding secrets, tokens, SSH keys, and code—the blast radius of compromise is enormous.

Traditional static code scanning is insufficient for detecting these attacks. The extensions themselves often appear legitimate or include harmless code alongside hidden payloads. What is required is real-time behavioral monitoringcapable of flagging anomalous actions—such as a theme extension attempting to access stored passwords.


Recommended Security Measures for Developers and Organizations

To reduce exposure, cybersecurity firms recommend the following defensive steps:

  1. Enable multi-factor authentication on all development accounts, including GitHub, GitLab, cloud providers, and CI/CD tools.

  2. Verify the identity and reputation of extension publishers before installation.

  3. Avoid anonymous, poorly reviewed, or unknown plugins—even if they appear harmless.

  4. Adopt security tools that include behavioral detection, not only static scanning.

  5. Treat all AI-powered development tools with caution, especially those requesting elevated system permissions.

  6. Conduct regular audits of development environments, including browser sessions, secrets, stored tokens, and installed extensions.


This attack marks a turning point in developer-focused cybercrime. 

By targeting the very tools that developers rely on daily, attackers gain unprecedented access to the global software ecosystem. The findings underscore the urgent need for stronger supply-chain security, rigorous extension vetting, and behavioral monitoring to defend the world’s most sensitive development workflows.

Translation:
Hacker verstecken Malware in Open-Source-Tools und IDE-Erweiterungen. (German)
Translated by AI
AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Read more
Newsletter
Related Articles

In Poland, a journalist’s conversation with a senator suddenly turned into a scandal: “Please do not touch me.”

The confrontation broke out in the corridors of the Polish Sejm during a discussion about ending the war in Ukraine and Poland’s alleged absence from the negotiation table.

BULGARIA RISES: Bulgaria has reached a breaking point. What began as frustration over corruption and economic decline has exploded into one of the largest public uprisings in the democratic era

Sofia’s city center is now completely overrun by crowds so vast that drone cameras “cannot see the end of the crowd,” according to on-scene footage.

President Trump's administration wants the ICC to amend its founding document to ensure it does not investigate the Republican president and his top officials, threatening new US sanctions on the court if it did not

Larry Fink CEO of Blackrock - the largest wealth management company in the world says “the digitalisation of all and financial assets will be stored in digital wallets - it will happen worldwide and it will happen very rapidly”

Von der Leyen Unveils EU–India Talent Office, for secondary (Legal) Migration Routes

Ursula von der Leyen says that to prevent illegal border crossings, "we must open more safe and legal pathways to Europe," and announces, as part of the new "talent partnerships...

Traveling to USA? Homeland Security moving toward requiring foreign travelers to share social media history

Soon you may be required to present five years of social-media history, phone numbers and email addresses, the names of family members, and additional details. Various countries...

Major investigations are needed to uncover the fraud committed by elected officials and the constituents who protect them

Ilhan Omar: "The U.S. government will only do what Somalians in the U.S. tell them to do. They will do what we want and nothing else. They must follow our orders."

Why is Washington fixated on threats overseas while open acts of betrayal are being declared—live and unashamed—by its own elected officials?

Portugal’s narcotics police chief: “Europe is simply being flooded with cocaine” — criminal organizations are buying it from South America

Semi-submersible vessel seized mid-Atlantic in international operation targeting cocaine trafficking to Iberia and beyond

For the third time in a row: The Fed has lowered interest rates in the United States.

The Federal Reserve announced a quarter-percentage-point rate cut, from 4% to 3.75%, in one of the most complex decisions it has had to make in recent years. Many analysts expec...

TRUMP JR JUST DROPPED THE TRUTH NO ONE WANTED SPOKEN

When Donald Trump Jr. tells a room that half the supercars in Monaco carry Ukrainian plates—he isn’t making an observation.
Playlist Hide
0:00
0:00
Open
0:00
0:00
Close
Hackers Are Hiding Malware in Open-Source Tools and IDE Extensions
Traveling to USA? Homeland Security moving toward requiring foreign travelers to share social media history
Trump in Direct Assault: European Leaders Are Weak, Immigration a Disaster. Russia Is Strong and Big — and Will Win
Drugs and Assassinations: The Connection Between the Italian Mafia and Football Ultras
The Disregard for a Europe ‘in Danger of Erasure,’ the Shift Toward Russia: Trump’s Strategic Policy Document
Top Consultancies Freeze Starting Salaries as AI Threatens ‘Pyramid’ Model
EU Firms Struggle with 3,000-Hour Paperwork Load — While Automakers Fear De Facto 2030 Petrol Car Ban
European States Approve First-ever Military-Grade Surveillance Network via ESA
The Ukrainian Sumo Wrestler Who Escaped the War — and Is Captivating Japan
Car Parts Leader Warns Europe Faces Heavy Job Losses in ‘Darwinian’ Auto Shake-Out
Arsenal Move Six Points Clear After Eze’s Historic Hat-Trick in Derby Rout
Families Accuse OpenAI of Enabling ‘AI-Driven Delusions’ After Multiple Suicides
U.S. Envoys Deliver Ultimatum to Ukraine: Sign Peace Deal by Thursday or Risk Losing American Support
Zelenskyy Signals Progress Toward Ending the War: ‘One of the Hardest Moments in History’ (end of his business model?)
The U.S. State Department Announces That Mass Migration Constitutes an Existential Threat to Western Civilization and Undermines the Stability of Key American Allies
AI Researchers Claim Human-Level General Intelligence Is Already Here
Tragedy in Serbia: Coach Mladen Žižović Collapses During Match and Dies at 44
BYD Profit Falls 33 % as Chinese EV Maker Doubles Down on Overseas Markets
Trump–Putin Budapest Summit Cancelled After Moscow Memo Raises Conditions for Ukraine Talks
Russia’s President Putin Declares Burevestnik Nuclear Cruise Missile Ready for Deployment
Porsche Reverses EV Strategy as New CEO Bets on Petrol and Hybrids
US Administration Under President Donald Trump Reportedly Lifts Ban on Ukraine’s Use of Storm Shadow Missiles Against Russia
‘Frightening’ First Night in Prison for Sarkozy: Inmates Riot and Shout ‘Little Nicolas’
White House Announces No Imminent Summit Between Trump and Putin
China Presses Netherlands to “properly” Resolve the Nexperia Seizure as Supply Chain Risks Grow
US and Qatar Warn EU of Trade and Energy Risks from Tough Climate Regulation
Merz Attacks Migrants, Sparks Uproar, and Refuses to Apologize: “Ask Your Daughters”
Apple Challenges EU Digital Markets Act Crackdown in Landmark Court Battle
This Is How the 'Heist of the Century' Was Carried Out at the Louvre in Seven Minutes: France Humiliated as Crown with 2,000 Diamonds Vanishes
S&P Downgrades France’s Credit Rating, Citing Soaring Debt and Political Instability
"The Tsunami Is Coming, and It’s Massive": The World’s Richest Man Unveils a New AI Vision
Two Years of Darkness: The Harrowing Testimonies of Israeli Hostages Emerging From Gaza Captivity
EU Moves to Use Frozen Russian Assets to Buy U.S. Weapons for Ukraine
Europe Emerges as the Biggest Casualty in U.S.-China Rare Earth Rivalry
Australia’s Wedgetail Spies Aid NATO Response as Russian MiGs Breach Estonian Airspace
“Firepower” Promised for Ukraine as NATO Ministers Meet — But U.S. Tomahawks Remain Undecided
Brands Confront New Dilemma as Extremists Adopt Fashion Labels
Dutch Government Seizes Chipmaker After U.S. Presses for Removal of Chinese CEO
AI and Cybersecurity at Forefront as GITEX Global 2025 Kicks Off in Dubai
Ex-Microsoft Engineer Confirms Famous Windows XP Key Was Leaked Corporate License, Not a Hack
The Davos Set in Decline: Why the World Economic Forum’s Power Must Be Challenged
France: Less Than a Month After His Appointment, the New French Prime Minister Resigns
Hungarian Prime Minister Viktor Orbán stated that Hungary will not adopt the euro because the European Union is falling apart.
Mayor in western Germany in intensive care after stabbing
Australian government pays Deloitte nearly half a million dollars for a report built on fabricated quotes, fake citations, and AI-generated nonsense.
BYD’s UK Sales Soar Nearly Nine-Fold, Making Britain Its Biggest Market Outside China
Latvia to Bar Tourist and Occasional Buses to Russia and Belarus Until 2026
OpenAI and AMD Forge Landmark AI-Chip Alliance with Equity Option
Munich Airport Reopens After Second Drone Shutdown
Pro Europe and Anti-War Babiš Poised to Return to Power After Czech Parliamentary Vote
×