Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data
Cybersecurity researchers have discovered two new extensions on the Microsoft Visual Studio Code (VS Code) Marketplace that are designed to infect developer machines with stealer malware. The VS Code extensions masquerade as a premium dark theme and an artificial intelligence (AI)-powered coding assistant, but, in actuality, harbor covert functionality to download additional payloads, take
AI Analysis
Technical Summary
This threat involves malicious software components targeting developer tools and ecosystems, specifically Visual Studio Code extensions and open-source packages in Go, npm, and Rust. Two malicious VS Code extensions (BigBlack.bitcoin-black and BigBlack.codo-ai) were discovered on the Microsoft Marketplace, masquerading as a premium dark theme and an AI-powered coding assistant, respectively. These extensions covertly download additional payloads via PowerShell and batch scripts, employing multiple extraction methods and a DLL hijacking technique to load a rogue DLL (Lightshot.dll). This DLL steals clipboard data, WiFi credentials, the list of installed applications and running processes, desktop screenshots, and browser session cookies, the last by launching Chrome and Edge in headless mode. The malware exfiltrates this data to attacker-controlled servers. Microsoft removed the malicious extensions in early December 2025. In parallel, researchers identified malicious packages in the Go ecosystem that typosquat trusted UUID libraries and exfiltrate data to paste sites when specific functions are invoked. In npm, a set of 420 packages published by a likely French-speaking actor follow a common naming pattern and include reverse shell capabilities used to exfiltrate files to Pipedream endpoints. A Rust crate named finch-rust impersonates a legitimate bioinformatics tool but acts as a loader for a credential-stealing package (sha-rust); splitting the benign and malicious code across two crates complicates detection. These supply chain attacks exploit developer trust in open-source and marketplace packages, enabling attackers to harvest sensitive developer and system data and potentially facilitating further network compromise or intellectual property theft.
Potential Impact
The impact on European organizations is significant due to the targeting of developer environments, which are critical for software development and innovation. Compromise of developer machines can lead to theft of proprietary source code, intellectual property, and sensitive credentials such as WiFi passwords and browser session cookies. This can facilitate lateral movement within corporate networks, unauthorized access to internal systems, and exposure of confidential communications (e.g., emails, Slack messages). The stealthy nature of the malware, including DLL hijacking and headless browser session hijacking, increases the risk of prolonged undetected presence. Additionally, the presence of malicious packages in popular ecosystems like npm, Go, and Rust threatens the software supply chain, potentially impacting a wide range of applications and services used by European enterprises. This could result in data breaches, operational disruption, reputational damage, and regulatory penalties under GDPR for failure to protect personal and corporate data.
Mitigation Recommendations
European organizations should:
- Implement strict controls on the installation of VS Code extensions and open-source packages: allowlist approved extensions and packages, and use tooling that verifies package integrity and provenance.
- Employ automated scanning solutions to detect malicious code patterns and behavior in development environments.
- Monitor developer workstations for unusual PowerShell or batch script executions and for network connections to suspicious external domains.
- Enforce network egress filtering to restrict unauthorized data exfiltration channels.
- Educate developers about the risks of typosquatting and the importance of verifying package sources.
- Use endpoint detection and response (EDR) solutions capable of detecting DLL hijacking and headless browser abuse.
- Regularly audit installed extensions and dependencies for suspicious activity and promptly remove untrusted components.
- Collaborate with software supply chain security initiatives to share threat intelligence and improve detection capabilities.
- Maintain up-to-date backups and incident response plans tailored to supply chain and developer environment compromises.
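The allowlisting and typosquat checks recommended above can be automated with a small audit script. The following is an added example, not code from the original report or from the researchers it cites: it parses constructed go.mod and package.json manifests, compares every declared dependency against an assumed organisational allowlist, flags names that sit within a small edit distance of a trusted name (the typosquat pattern described for the Go UUID libraries), and lists installed VS Code extensions that are not on an approved list. All allowlist contents, sample manifests, and the helper names (`classify`, `audit_dependencies`, `audit_extensions`) are assumptions made for the example.

```python
"""Added example: audit declared dependencies and installed VS Code extensions
against an organisation's allowlist and flag near-miss (typosquat-style) names.
Allowlists, manifests and helper names are constructed for illustration; they
are assumptions, not data from the original report."""
import json
import re
from dataclasses import dataclass

# Assumed allowlists an organisation would maintain (constructed sample data).
TRUSTED_PACKAGES = {
    "go": {"github.com/google/uuid", "github.com/gofrs/uuid"},
    "npm": {"express", "lodash", "uuid"},
    "cargo": {"serde", "sha2"},
}
APPROVED_EXTENSIONS = {"ms-python.python", "dbaeumer.vscode-eslint"}

# Constructed sample manifests standing in for real go.mod / package.json files.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require (
\tgithub.com/google/uuid v1.6.0
\tgithub.com/google/uuids v1.0.1
\tgithub.com/gofrs/uuid v4.4.0+incompatible
)
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "app",
    "dependencies": {"express": "^4.19.0", "lodahs": "1.0.0"},
    "devDependencies": {"left-pad-utils": "2.0.0"},
})


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    name: str
    verdict: str   # "allowed", "suspicious" (near a trusted name) or "unlisted"
    closest: str   # nearest trusted name, kept for triage
    distance: int  # edit distance to that trusted name


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Fold case and drop separators so `go-uuid` and `gouuid` compare equal."""
    return re.sub(r"[-_.]", "", name.lower())


def classify(ecosystem: str, name: str, max_distance: int = 2) -> Finding:
    trusted = TRUSTED_PACKAGES[ecosystem]
    if name in trusted:
        return Finding(ecosystem, name, "allowed", name, 0)
    closest = min(trusted, key=lambda t: levenshtein(normalize(t), normalize(name)))
    d = levenshtein(normalize(closest), normalize(name))
    # Close to a trusted name but not on the list is exactly the typosquat shape.
    verdict = "suspicious" if d <= max_distance else "unlisted"
    return Finding(ecosystem, name, verdict, closest, d)


def parse_go_mod(text: str) -> list[str]:
    """Return module paths from single-line and block `require` directives."""
    mods = re.findall(r"^require\s+(\S+)\s+v", text, re.M)
    for block in re.findall(r"require\s*\((.*?)\)", text, re.S):
        mods += re.findall(r"^\s*(\S+)\s+v\S+", block, re.M)
    return mods


def parse_package_json(text: str) -> list[str]:
    data = json.loads(text)
    return [*data.get("dependencies", {}), *data.get("devDependencies", {})]


def audit_dependencies() -> list[Finding]:
    findings = [classify("go", m) for m in parse_go_mod(SAMPLE_GO_MOD)]
    findings += [classify("npm", p) for p in parse_package_json(SAMPLE_PACKAGE_JSON)]
    return findings


def audit_extensions(installed: list[str]) -> list[str]:
    """Extension IDs (publisher.name) that are not on the approved list."""
    return sorted(set(installed) - APPROVED_EXTENSIONS)


if __name__ == "__main__":
    for f in audit_dependencies():
        print(f"{f.ecosystem:4} {f.name:28} {f.verdict:10} closest={f.closest} (d={f.distance})")
    # The second ID is one of the extensions named in the report.
    print("unapproved extensions:", audit_extensions(["ms-python.python", "BigBlack.bitcoin-black"]))
```

In practice the sample manifests would be replaced by the repository's own go.mod, package.json and Cargo.toml, and the installed extension list by the output of `code --list-extensions`. A "suspicious" verdict is a triage signal, not proof of malice: a new major version published under a slightly different name will trip it too, which is the point of keeping the nearest trusted name and distance in each finding.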
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Article source: https://thehackernews.com/2025/12/researchers-find-malicious-vs-code-go.html (fetched 2025-12-09T09:22:47Z, 1225 words)
Threat ID: 6937ea6bca0f3871ecc0fe59
Added to database: 12/9/2025, 9:22:51 AM
Last enriched: 12/9/2025, 9:23:44 AM
Last updated: 12/11/2025, 7:21:41 AM