Researchers find VS Code extensions that install stealer malware, Microsoft removes packages

Two extensions on the Microsoft Visual Studio Code Marketplace were designed to infect developer machines with stealer malware, according to Koi Security. Koi Security researcher Idan Dardikman said the extensions posed as a premium dark theme and an AI coding assistant but contained covert functionality to download payloads, take screenshots and exfiltrate data.

Microsoft removed the packages from the Marketplace; its public list of removed extensions shows three packages published under the BigBlack name were taken down. The extensions were identified as BigBlack.bitcoin-black, removed on December 5, 2025, and BigBlack.codo-ai, removed on December 8, 2025, which had 16 and 25 installs respectively, and a third package that was removed quickly and caused no recorded impact.

Analysis found the two extensions used different delivery techniques. The dark theme activated on every VS Code action, while the AI assistant embedded malicious code inside a working tool. Earlier versions executed a PowerShell script to download a password-protected ZIP archive from an external host and extracted the payload using Expand-Archive, .NET System.IO.Compression, DotNetZip or 7-Zip. Later iterations hid the download process by using a batch script with curl to fetch an executable and DLL.

The downloaded executable was a legitimate Lightshot binary used to load a rogue Lightshot.dll via DLL hijacking. The DLL collected clipboard contents, a list of installed applications and running processes, desktop screenshots, stored Wi-Fi credentials and detailed system information, and it launched Google Chrome and Microsoft Edge in headless mode to capture stored cookies and hijack user sessions, the researchers said.
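As an added, defender-side example (not Koi Security's or Microsoft's code), the script below triages a VS Code extensions folder for the two traits described above: activation on every action and download/extraction tooling in bundled scripts. It assumes that "every action" corresponds to a wildcard `*` entry in `activationEvents`, and the sample extension folder it builds is constructed for demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed regex for the tooling named in the report; not published indicators.
TOOLING = re.compile(
    r"powershell|Expand-Archive|System\.IO\.Compression|\bcurl\b|\.bat\b", re.I)


def triage_extension(ext_dir: Path) -> dict:
    """Flag wildcard activation and tooling strings in one extension folder."""
    findings = {"wildcard_activation": False, "tooling_hits": []}
    manifest = ext_dir / "package.json"
    if manifest.is_file():
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        # Assumption: "activated on every VS Code action" == "*" in activationEvents.
        findings["wildcard_activation"] = "*" in meta.get("activationEvents", [])
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".js", ".ps1", ".bat", ".cmd"}:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = sorted({m.group(0).lower() for m in TOOLING.finditer(text)})
            if hits:
                findings["tooling_hits"].append((path.name, hits))
    return findings


def triage_all(extensions_root: Path) -> dict:
    """Return findings only for extensions that tripped at least one check."""
    result = {}
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        f = triage_extension(ext_dir)
        if f["wildcard_activation"] or f["tooling_hits"]:
            result[ext_dir.name] = f
    return result


def build_sample_root() -> Path:
    """Construct a throwaway extensions folder: one benign theme, one suspicious."""
    root = Path(tempfile.mkdtemp())
    benign = root / "acme.nice-theme-1.0.0"            # constructed, benign
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps({"contributes": {"themes": []}}))
    bad = root / "example.dark-theme-0.0.1"            # constructed, not a real publisher
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({"activationEvents": ["*"]}))
    (bad / "extension.js").write_text(
        'require("child_process").exec("powershell -c Expand-Archive -Path p.zip");\n'
        'require("child_process").exec("cmd /c fetch.bat");\n')
    return root


if __name__ == "__main__":
    print(triage_all(build_sample_root()))
```

Point `triage_all` at `~/.vscode/extensions` to review a real installation; a hit is a reason to read the extension's code, not proof of malice, since legitimate extensions also shell out.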

The disclosure came as Socket reported malicious packages across multiple ecosystems. Socket identified Go packages that impersonate trusted UUID libraries and can exfiltrate data, a set of 420 unique npm packages that include code for reverse shells and file exfiltration, and a Rust crate that impersonates a legitimate tool and acts as a loader for a credential-stealing payload. Socket researcher Kush Pandya said the Rust loader contains mostly legitimate code but includes a single malicious line that loads and executes the payload, which can make detection harder.

The analysis did not identify a wider campaign tied to the Marketplace packages beyond the small number of installs, and the researchers noted an attacker-controlled host used in the download chain.