Germany Times

Unity and Justice and Freedom
Saturday, Dec 13, 2025
Germany Times
Skip music »

Hackers Are Hiding Malware in Open-Source Tools and IDE Extensions

The common belief that “open source is safe because everyone can inspect the code” is misleading. In reality, most open-source projects include add-ons and components that are not open source at all — and these hidden parts can easily contain spyware, malware, and viruses. Once installed, they can take over both the user’s computer and the servers running the so-called open-source code, giving hackers full control to do whatever they want.

A newly uncovered cyberattack—one of the most sophisticated developer-focused campaigns seen in recent years—is weaponizing the daily workflow of software engineers. 

Security companies have revealed a malicious operation in which attackers insert stealthy malware into seemingly harmless extensions and open-source tools used by tens of thousands of developers worldwide. 

These extensions appear completely legitimate, yet silently exfiltrate highly sensitive data such as passwords, Wi-Fi access credentials, authentication tokens, clipboard contents, and even live screenshots taken directly from developers’ machines.


Compromised VS Code Extensions: “Bitcoin Black” and “Codo AI”

Two Visual Studio Code extensions were confirmed to contain embedded malicious components: the Bitcoin Black theme and an AI assistant tool called Codo AI. Both extensions looked fully legitimate on the marketplace and performed their advertised functions, which helped them evade suspicion and achieve wide adoption.

Once installed, the extensions deployed an additional malicious payload that continuously harvested data from infected devices. The threat actors were not content with collecting passwords alone. The malware captured real-time screenshots of developers’ screens—revealing source code, Slack discussions, credentials, internal documentation, and confidential project directories.

This level of visibility allows attackers to map entire workflows, understand sensitive architectures, and target organizations with precision.


The Attack Technique: DLL Hijacking as a Delivery Vehicle

The operation relied on an advanced method known as DLL hijacking, which abuses the way legitimate software loads system libraries.

The attackers downloaded a real, benign screenshot tool (Lightshot) onto the victim’s machine, pairing it with a malicious DLL that carried the same filename as the tool’s expected library. When Lightshot launched, it automatically loaded the attacker’s counterfeit DLL. This triggered the malware’s execution without raising suspicion.

Security researchers found that the malware collected:

  • Continuous screenshots and clipboard data

  • Wi-Fi passwords and saved wireless credentials

  • Browser cookies, authentication tokens, and active sessions (via Chrome and Edge in headless mode)

  • Information about installed software, running processes, and development tools

Koi Security reports that the attackers have been iterating and improving the operation, increasingly using “clean” and innocuous-looking scripts to blend in with normal developer activity.


The Campaign Is Spreading Beyond VS Code

While the first findings emerged in VS Code, similar malicious injections are now appearing across the broader open-source ecosystem:

  • npm and Go: Malware packages imitating the names of popular, trusted libraries

  • Rust: A library called finch-rust masqueraded as a scientific computation tool, but instead loaded an additional malware component called sha-rust

This reflects a direct attack on the software supply chain—the trust mechanism developers rely on when importing packages, extensions, or dependencies. By compromising tools that sit at the heart of software development, attackers gain privileged access to entire organizations.


Why This Threat Is So Dangerous

A single developer installing one benign-looking extension can unknowingly trigger a breach across the entire company:

  • Theft of core, proprietary source code

  • Takeover of GitHub and other cloud development accounts

  • Infection of CI/CD pipelines and build environments

  • Exposure of sensitive customer data, credentials, and internal architecture

Because development environments are privileged by design—holding secrets, tokens, SSH keys, and code—the blast radius of compromise is enormous.

Traditional static code scanning is insufficient for detecting these attacks. The extensions themselves often appear legitimate or include harmless code alongside hidden payloads. What is required is real-time behavioral monitoringcapable of flagging anomalous actions—such as a theme extension attempting to access stored passwords.


Recommended Security Measures for Developers and Organizations

To reduce exposure, cybersecurity firms recommend the following defensive steps:

  1. Enable multi-factor authentication on all development accounts, including GitHub, GitLab, cloud providers, and CI/CD tools.

  2. Verify the identity and reputation of extension publishers before installation.

  3. Avoid anonymous, poorly reviewed, or unknown plugins—even if they appear harmless.

  4. Adopt security tools that include behavioral detection, not only static scanning.

  5. Treat all AI-powered development tools with caution, especially those requesting elevated system permissions.

  6. Conduct regular audits of development environments, including browser sessions, secrets, stored tokens, and installed extensions.


This attack marks a turning point in developer-focused cybercrime. 

By targeting the very tools that developers rely on daily, attackers gain unprecedented access to the global software ecosystem. The findings underscore the urgent need for stronger supply-chain security, rigorous extension vetting, and behavioral monitoring to defend the world’s most sensitive development workflows.

AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Read more
Newsletter
Related Articles

Unelected Chief EU Tyrant Ursula von der Leyen commenting to Trump : “It is the voters who decide who is the leaders”

The hypocrisy is off the scale here - the whole of Europe know Ursula is an unelected ruler, against the will of the Ezu voters who never got the chance to vote.

Why Is the EU Forcing Europeans to Pay More for Cars Just to Protect Its Outdated Auto Industry?

China has reopened discussions with the European Union to allow theirminimum-price scheme for electric vehicles after the EU imposed 45% tariffs and raised complaints about alle...

Germany is facing difficult years ahead, German Chancellor Friedrich Merz says.

According to him, significant changes are expected in the fields of security and defense, as well as in economic policy. This is due to the fact that Germany now “lives in a dif...

The 50 cm wide Fiat Panda: Italy’s tiniest car invention.

“Our relationship with the United States has changed,” announced Ursula von der Leyen at the POLITICO Twenty-Eight Gala, after President Trump rather impolitely described Europe’s leadership as “weak.”

“Let’s stand up for a unified Europe,” she declared — as though repeating the line with sufficient conviction might somehow transform Brussels into a democratic and legitimate a...

Does being a white minority now qualify as the new American dream?

Is that really what the Constitution’s protection of free speech was meant to allow? Does democracy have to commit suicide just to prove it is a democracy?

Germany Tells U.S.: Asylum Cut in Half Under Merz’s Flip-Flop Policy

Chancellor Friedrich Merz informed the U.S. President that Germany’s revised immigration and asylum measures have slashed applications by nearly 50%, with a full results briefin...

In Poland, a journalist’s conversation with a senator suddenly turned into a scandal: “Please do not touch me.”

The confrontation broke out in the corridors of the Polish Sejm during a discussion about ending the war in Ukraine and Poland’s alleged absence from the negotiation table.

BULGARIA RISES: Bulgaria has reached a breaking point. What began as frustration over corruption and economic decline has exploded into one of the largest public uprisings in the democratic era

Sofia’s city center is now completely overrun by crowds so vast that drone cameras “cannot see the end of the crowd,” according to on-scene footage.

President Trump's administration wants the ICC to amend its founding document to ensure it does not investigate the Republican president and his top officials, threatening new US sanctions on the court if it did not

Larry Fink CEO of Blackrock - the largest wealth management company in the world says “the digitalisation of all and financial assets will be stored in digital wallets - it will happen worldwide and it will happen very rapidly”

Von der Leyen Unveils EU–India Talent Office, for secondary (Legal) Migration Routes

Ursula von der Leyen says that to prevent illegal border crossings, "we must open more safe and legal pathways to Europe," and announces, as part of the new "talent partnerships...
Playlist Hide
0:00
0:00
Open
0:00
0:00
Close
Welcome to The Definition of Insanity: Germany Edition
Superman Franchise Achieves Success with Latest Release
Denmark Increases Retirement Age to 70, Setting a European Precedent
Trump Rules Out Third Term, Names JD Vance and Marco Rubio as Potential Successors
Specialized anti-drone weapons deployed among security personnel Ahead of Papal Funeral
Bill Maher Slams Liberals for ‘Trump is Hitler’ Smear: ‘Insult to Holocaust Victims
EU Commission Postpones Retaliatory Tariffs on U.S. Imports
Global Reactions to New U.S. Tariffs Announced by President Trump
Europe's Shift Towards Local Tech Alternatives Amid US Tensions
OpenAI Secures Historic $40 Billion Funding Round Amid Transition Challenges
Passenger Arrested After Indecent Act During SWISS Air Flight
Global Oil Prices Experience Volatility Amid Geopolitical Tensions
OpenAI Launches Advanced Image Generator for ChatGPT
Sepp Blatter and Michel Platini Cleared of Corruption Charges by Swiss Court
Germany Approves National Debt Increase for Military Investments
Understanding Dogecoin: Origins, Market Dynamics, and Current Trends
Europe's Shift: Increasing Defense Spending at the Expense of Welfare and Health
Istanbul Mayor Ekrem Imamoglu Interrogated Amid National Protests
The Evolution of the Chinese Automotive Industry: A Global Perspective
Trump and Zelenskyy Engage in Constructive Dialogue Amidst Ceasefire Talks
Federal Reserve Lowers Economic Growth Projections Amid Tariff Concerns
EU Accuses Google and Apple of Violating Digital Market Rules Amid Tensions with U.S.
Serbia's Government Faces Criticism Over Use of Sonic Weapons Against Protesters
Massive Protests Erupt in Serbia Following Deadly Railway Station Collapse
China Launches 'Zhulong' C-14 Nuclear Battery Promising Extended Lifespan
Facebook and X Approve Advertisements Containing Anti-Semitic and Anti-Muslim Content in Germany
NATO Announces Shift in Policy Regarding Ukraine Membership
Bosnia and Herzegovina on the Brink of a Major Crisis Amidst Rising Tensions
Putin Expresses Skepticism Over U.S.-Proposed Ceasefire in Ukraine
French PM Bayrou Defies US Tariff Threats Amid Growing Trade Tensions
EU Announces Retaliatory Tariffs Against U.S. Imports Amid Trade Tensions
Romania Disqualifies Far-Right Candidate Călin Georgescu from Presidential Election Rerun
Romania Excludes Top Presidential Contender Călin Georgescu from Election Repetition
Radioactive Coolant Leak Reported at Olkiluoto 3 Nuclear Reactor
Russian Teacher Investigated Following Explicit Content Display in Classroom
Poland Initiates Comprehensive Military Training for Adult Males Amid Defense Enhancements
Lithuania Withdraws from Cluster Munitions Convention Amid Heightened Security Concerns
Trump Expresses Preference for Negotiation with Russia Over Ukraine Amid Ongoing Conflict
Ukraine’s Foreign Minister Stresses Need for US Leadership in Peace Negotiations
EU Member States Endorse Implementation of Entry/Exit System for Non-EU Visitors
Italian MEPs Suspend Membership Amid Ongoing Qatargate Investigation
Europe Considers Strategy for Utilizing Frozen Russian Assets to Aid Ukraine
Macron Calls for Strengthened European Defense amid Russian Threats
Germany Proposes Changes to EU Fiscal Rules to Increase Defense Spending
Russia Completes Passport Issuance Program in Occupied Ukrainian Territories
Macron Plans Joint Diplomatic Visit to Washington with Zelensky and Starmer
UK and France Join Forces with Ukraine to Address Conflict with Russia
Pope Francis Remains in Stable Condition During Ongoing Recovery
MPs Express Serious Concerns Over Cuts to UK’s Aid Budget
United States Establishes Strategic Cryptocurrency Reserve, Sparks Market Surge
×