Edit 2025-04-09 16:42Z - article was updated with a tenth package (Prettier - Code)
A set of ten VSCode extensions on Microsoft’s Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer for Monero.
ExtensionTotal researcher Yuval Ronen has uncovered ten VSCode extensions published on Microsoft’s portal on April 4, 2025.
The package names are:
- Prettier - Code for VSCode (by prettier) - 486K installs
- Discord Rich Presence for VS Code (by
Mark H) - 189K installs- Rojo – Roblox Studio Sync (by
evaera) - 117K installs- Solidity Compiler (by
VSCode Developer) - 1.3K installs- Claude AI (by
Mark H)- Golang Compiler (by
Mark H)- ChatGPT Agent for VSCode (by
Mark H)- HTML Obfuscator (by
Mark H)- Python Obfuscator for VSCode (by
Mark H)- Rust Compiler for VSCode (by
Mark H)
The more sandboxed the extension system, the less powerful it is.
You either have an entity that approves of extensions. Or your users have to be very careful and trusting of other people. There’s no other way.