Edit 2025-04-09 16:42Z - article was updated with a tenth package (Prettier - Code)

A set of ten VSCode extensions on Microsoft’s Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer for Monero.

ExtensionTotal researcher Yuval Ronen has uncovered ten VSCode extensions published on Microsoft’s portal on April 4, 2025.

The package names are:

  1. Prettier - Code for VSCode (by prettier) - 486K installs
  2. Discord Rich Presence for VS Code (by Mark H) - 189K installs
  3. Rojo – Roblox Studio Sync (by evaera) - 117K installs
  4. Solidity Compiler (by VSCode Developer) - 1.3K installs
  5. Claude AI (by Mark H)
  6. Golang Compiler (by Mark H)
  7. ChatGPT Agent for VSCode (by Mark H)
  8. HTML Obfuscator (by Mark H)
  9. Python Obfuscator for VSCode (by Mark H)
  10. Rust Compiler for VSCode (by Mark H)
    • infeeeee@lemm.ee, 9 days ago

      You can get similar miners on any platform where there is a marketplace or store with minimal oversight. Obviously you can target different demographics, but it’s not something special in vscode that made this specifically available here.

      Or do you say the xz attack from last year was a “feature of linux” and linux shouldn’t be used by anyone?

      The extension store of vscode is a godsend, but you can use the third-party unofficial fully FOSS store unrelated to Microsoft: https://open-vsx.org/ You can literally find an extension for any workflow or language; please show me another editor where you can find language support for MikroTik rsc script files, AND Home Assistant style YAML, AND the AutoCAD dialect of Lisp called AutoLisp. Just picked 3 obscure ones I actually used in my life.