
At least nine malicious Visual Studio Code extensions, which amassed more than 300,000 installations between Apr. 4 and Apr. 7, have been leveraged as part of a sweeping cryptojacking campaign, Infosecurity Magazine reports.
Installing the nefarious VS Code extensions (the most prevalent of which is Discord Rich Presence, published by Mark H., who is also behind six other extensions) facilitates the covert execution of a PowerShell script that deactivates Windows security, along with scheduled tasks, prior to the deployment of the XMRig cryptocurrency mining malware, an analysis from cybersecurity startup ExtensionTotal revealed. While the two other VS Code extensions were published by different users, identical code across all of the extensions indicates a single origin, according to ExtensionTotal researchers. "The attackers created a sophisticated multi-stage attack, even installing the legitimate extensions they impersonated to avoid raising suspicion while mining cryptocurrency in the background," said ExtensionTotal co-founder Itay Kruk, who noted the sophistication of the attack scheme.