Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign

· Published 08/04/2025 10:51 · Modified 08/04/2025 11:57

Essential information

Tags
2025-04-08 cryptojacking developer tools xmrig
Related entities
11 observables, 5 techniques (mitre), 1 malware

Description

A sophisticated cryptomining campaign has been discovered targeting developers through seemingly legitimate VS Code extensions. The campaign, potentially reaching over one million installations, involves fake extensions published by three different authors. These extensions secretly download a PowerShell script that disables Windows security, establishes persistence, and installs a cryptominer. The most successful fake extension gained 189K installs. The attackers built a multi-stage attack, even installing the legitimate extensions they impersonated in order to avoid suspicion. The campaign published ten different malicious extensions; the top three show unusually high install counts, suggesting artificial inflation. The extensions share identical code and communicate with the same C2 server. The PowerShell script sets up persistence mechanisms, disables Windows security services, and attempts privilege escalation.

External references