Edward Kiledjian's Threat Intel

‘WhiteCobra’ floods VSCode market with crypto-stealing extensions www.bleepingcomputer.com/news/secu…

A threat actor named WhiteCobra has been targeting VSCode, Cursor, and Windsurf users by planting 24 malicious extensions in the Visual Studio marketplace and the Open VSX registry. The campaign is ongoing, as the threat actor continuously uploads new malicious code to replace the extensions that are removed.

In a public post, core Ethereum developer Zak Cole described how his wallet was drained after using a seemingly legitimate extension (contractshark.solidity-lang) for the Cursor code editor. Cole explained that the extension featured all the signs of a benign product, with a professionally designed icon, a detailed description, and 54,000 downloads on OpenVSX, Cursor’s official registry.

WhiteCobra is the same group responsible for the $500,000 crypto theft in July through a fake extension for the Cursor editor, according to researchers at endpoint security provider Koi.