Cybersecurity researchers have uncovered a troubling new wave of supply-chain attacks targeting developers, this time hiding inside seemingly harmless Visual Studio Code extensions. Two extensions, posing as a dark theme and an AI assistant, quietly gained users' trust and stole sensitive data from anyone who installed them. Instead of offering the features they advertised, they downloaded hidden payloads, captured screenshots, and funneled user data to attacker-controlled servers.
Microsoft removed the malicious extensions BigBlack.bitcoin-black and BigBlack.codo-ai on December 5 and 8, 2025, after reports surfaced. A third extension from the same publisher, BigBlack.mrbigblacktheme, was also taken down when investigators found it contained the exact same malware.
What makes this incident even more concerning is how cleverly the attackers engineered the behavior. Bitcoin-black triggered malicious actions on nearly every VS Code interaction, while Codo AI hid its payload inside a working tool, making detection far more difficult. Early versions used PowerShell scripts to fetch malware, but later variants evolved to use silent batch scripts and curl for stealthier delivery.
The malware didn’t stop at basic data theft. It abused DLL hijacking via a legitimate Lightshot executable to lift clipboard contents, Wi-Fi passwords, browser cookies, and other system information. It even launched Chrome and Edge in headless mode to hijack active user sessions.
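One practical response for defenders is to inventory locally installed extensions against the three IDs named above and flag behaviour that a colour theme should never need. The script below is an added example written for this article, not code from the researchers or from Microsoft; the triage heuristics (broad activation events, a theme with an entry-point script, entry-point code that references PowerShell, curl, batch files or child_process) are my assumptions about what "triggered on nearly every VS Code interaction" and "used PowerShell scripts, batch scripts and curl" would look like in an extension manifest, not indicators published with the report.

```python
import json
import re
from pathlib import Path

# Extension IDs the article reports Microsoft removed (publisher.name, lowercased).
KNOWN_BAD_IDS = {"bigblack.bitcoin-black", "bigblack.codo-ai", "bigblack.mrbigblacktheme"}

# Heuristics (assumptions, not from the article): a colour theme needs neither an
# entry-point script nor activation events, and extension code that invokes
# PowerShell, curl or batch files deserves a closer look.
BROAD_ACTIVATION = {"*", "onStartupFinished"}
DROPPER_PATTERN = re.compile(r"powershell|\bcurl\b|\.bat\b|child_process", re.IGNORECASE)


def assess_extension(manifest: dict, source: str = "") -> list:
    """Return the reasons an installed extension should be reviewed ([] if none)."""
    reasons = []
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()
    if ext_id in KNOWN_BAD_IDS:
        reasons.append(f"known malicious id {ext_id}")
    broad = set(manifest.get("activationEvents", [])) & BROAD_ACTIVATION
    if broad:
        reasons.append(f"broad activation {sorted(broad)}")
    if "themes" in manifest.get("contributes", {}) and manifest.get("main"):
        reasons.append("theme ships an executable entry point")
    if DROPPER_PATTERN.search(source):
        reasons.append("entry point references shell or downloader tooling")
    return reasons


def scan_extensions_dir(root: Path) -> dict:
    """Map extension id -> reasons for every extension under root (e.g. ~/.vscode/extensions)."""
    findings = {}
    for manifest_path in root.glob("*/package.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        source = ""
        if manifest.get("main"):
            entry = manifest_path.parent / manifest["main"]
            if not entry.exists():  # VS Code resolves "./out/extension" to extension.js
                entry = entry.with_suffix(".js")
            if entry.exists():
                source = entry.read_text(encoding="utf-8", errors="replace")
        reasons = assess_extension(manifest, source)
        if reasons:
            findings[f"{manifest.get('publisher', '')}.{manifest.get('name', '')}"] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample manifest: a theme that also activates code on every event.
    sample = {"publisher": "BigBlack", "name": "bitcoin-black", "main": "./extension.js",
              "activationEvents": ["*"], "contributes": {"themes": [{"label": "Bitcoin Black"}]}}
    for reason in assess_extension(sample, "require('child_process').exec('powershell ...')"):
        print("REVIEW:", reason)
```

Run `scan_extensions_dir(Path.home() / ".vscode" / "extensions")` to check a real profile; treat the heuristic hits as triage leads, not as verdicts.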
This discovery lands at a time when malicious open-source packages are becoming increasingly common. Researchers have also flagged harmful Go, npm, and Rust packages, including finch-rust and hundreds of npm modules, suggesting that developer ecosystems face a growing and persistent supply-chain threat.