Imagine this: You’re a developer, meticulously crafting code, trusting the tools you use every day. But what if those very tools are secretly spying on you, stealing your most sensitive data? That’s exactly what’s happening right now. Cybersecurity researchers have uncovered a chilling trend—malicious packages and extensions lurking in popular developer ecosystems like VS Code, Go, npm, and Rust, designed to siphon your data without your knowledge. And this is the part most people miss: these threats are disguised as harmless themes, AI assistants, and trusted libraries, making them nearly impossible to detect at first glance.
Here’s the breakdown: Two new extensions on the Microsoft Visual Studio Code (VS Code) Marketplace were recently discovered, masquerading as a premium dark theme and an AI-powered coding assistant. But their true purpose? To infect developer machines with stealer malware. These extensions don’t just stop at capturing your screen—they steal WiFi passwords, read your clipboard, hijack browser sessions, and send everything to an attacker-controlled server. As Koi Security’s Idan Dardikman puts it, ‘Your code, your emails, your Slack DMs—whatever’s on your screen, they’re seeing it too.’ And that’s just the beginning.
The culprits? Extensions named BigBlack.bitcoin-black (16 installs) and BigBlack.codo-ai (25 installs), both removed by Microsoft in early December 2025. But here’s where it gets controversial: Microsoft also removed a third package, BigBlack.mrbigblacktheme, from the same publisher, raising questions about how such threats slip through the cracks in the first place. While BigBlack.bitcoin-black triggers on every VS Code action, Codo AI embeds its malicious code within a functional tool, making it harder to detect. Earlier versions even used PowerShell scripts to download password-protected ZIP archives, though a visible PowerShell window in one version might have tipped off users. Later iterations, however, streamlined the process, hiding the window and using batch scripts to download rogue DLLs.
But VS Code isn’t the only ecosystem under attack. Socket researchers identified malicious packages across Go, npm, and Rust, each with its own devious twist:
Go Packages: Two packages, github[.]com/bpoorman/uuid and github[.]com/bpoorman/uid, have been impersonating trusted UUID libraries since 2021. They exfiltrate data to a paste site called dpaste whenever an application calls a supposed helper function named ‘valid.’
npm Packages: A staggering 420 unique npm packages, published by a likely French-speaking threat actor, follow a naming pattern like ‘elf-stats-’. Some contain code to execute reverse shells and exfiltrate files to a Pipedream endpoint.
Rust Crate: A crate named finch-rust, published by faceless, impersonates the legitimate bioinformatics tool ‘finch.’ It acts as a loader for a malicious payload, sha-rust, which steals credentials when a developer uses the library’s sketch serialization functionality. As Socket researcher Kush Pandya explains, ‘This separation of concerns makes detection harder: finch-rust looks benign in isolation, while sha-rust contains the actual malware.’
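The indicators above are only useful if they are actually checked against what a team has installed. The following script is an added example written for this article (it is not code from Koi Security, Socket, or any of the projects named) and scans a go.mod, a package.json, a Cargo.lock and a list of installed VS Code extension IDs for the names reported here; the sample inputs are constructed for the demonstration.

```python
import json
import re

# Indicators named in the article; the defanged "[.]" is restored so the paths match a real go.mod.
GO_MODULES = {"github.com/bpoorman/uuid", "github.com/bpoorman/uid"}
NPM_PREFIX = "elf-stats-"
RUST_CRATES = {"finch-rust", "sha-rust"}
VSCODE_PUBLISHER = "bigblack"  # publisher half of a VS Code extension ID, lowercased

def scan_go_mod(text):
    """Return the flagged Go module paths required by a go.mod (direct dependencies only)."""
    found = set()
    for line in text.splitlines():
        # Matches 'require github.com/x/y v1.2.3' and entries inside a require ( ... ) block.
        m = re.match(r"\s*(?:require\s+)?(\S+)\s+v\d\S*", line)
        if m and m.group(1) in GO_MODULES:
            found.add(m.group(1))
    return sorted(found)

def scan_package_json(text):
    """Return declared npm dependencies whose name carries the elf-stats- prefix."""
    data = json.loads(text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}))
    return sorted(n for n in names if n.startswith(NPM_PREFIX))

def scan_cargo_lock(text):
    """Return flagged crates in a Cargo.lock, which also lists transitive pulls such as sha-rust."""
    names = re.findall(r'^name = "([^"]+)"', text, flags=re.M)
    return sorted(n for n in names if n in RUST_CRATES)

def scan_vscode_extensions(extension_ids):
    """Return installed extension IDs (publisher.name) from the flagged publisher."""
    return sorted(e for e in extension_ids if e.lower().startswith(VSCODE_PUBLISHER + "."))

# Constructed sample inputs for a self-contained run; not real project files.
SAMPLE_GO_MOD = "module example.com/app\n\nrequire (\n\tgithub.com/bpoorman/uuid v1.0.0\n\tgithub.com/google/uuid v1.6.0\n)\n"
SAMPLE_PACKAGE_JSON = '{"dependencies": {"express": "^4", "elf-stats-core": "1.0.0"}}'
SAMPLE_CARGO_LOCK = '[[package]]\nname = "serde"\nversion = "1.0.0"\n\n[[package]]\nname = "sha-rust"\nversion = "0.1.0"\n'
SAMPLE_EXTENSIONS = ["ms-python.python", "BigBlack.codo-ai"]

def scan_samples():
    """Run every scanner over the constructed samples; each hit is one indicator from the article."""
    return {
        "go": scan_go_mod(SAMPLE_GO_MOD),
        "npm": scan_package_json(SAMPLE_PACKAGE_JSON),
        "rust": scan_cargo_lock(SAMPLE_CARGO_LOCK),
        "vscode": scan_vscode_extensions(SAMPLE_EXTENSIONS),
    }
```

For npm, run the same check over package-lock.json as well, since a flagged package pulled in transitively never appears in package.json.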
But here’s the bigger question: How can developers protect themselves in an ecosystem where even trusted tools can turn against them? Are platform security measures enough, or is it time for a more proactive approach? Let us know your thoughts in the comments—this is a conversation we all need to have.