DEV Community

Rishabh Agarwal

Some VSCode Extensions Were Mining Crypto — Here’s What You Need to Know

I’m a big fan of customizing my VSCode setup — like most devs, I’ve got a bunch of extensions installed to boost productivity and improve my workflow.

But a recent report really caught my attention: several extensions that looked completely legit were secretly running malicious scripts behind the scenes.

What Happened?

Researchers found 10 extensions on the VSCode Marketplace that:

  • Disabled Windows Defender
  • Gained admin privileges via PowerShell
  • Installed XMRig to mine Monero in the background
  • Faked install numbers to look popular
  • Disguised themselves as trusted tools like Prettier and Discord Presence

Some of these showed over 900K installs, inflated numbers clearly meant to build false trust.

What This Means for Developers

It’s a serious wake-up call for all of us who rely heavily on third-party tools. Even trusted environments like VSCode aren’t immune to abuse.

Here’s how to stay safe:

  • Don’t trust install counts alone — they can be manipulated
  • Verify the publisher — check for an established history
  • Avoid newly published extensions unless vetted
  • Keep your system’s security settings enabled
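
One way to apply the publisher and lookalike checks above to the extensions already installed on a machine. This is an added example, not code from the original report or from Microsoft. The allowlist contents, the default extensions directory, the 0.8 similarity threshold and the sample manifests are assumptions.

```python
import json
from difflib import SequenceMatcher
from pathlib import Path

# Assumed allowlist: extension IDs your team has vetted, with their display names.
VETTED = {
    "esbenp.prettier-vscode": "Prettier - Code formatter",
    "icrawl.discord-vscode": "Discord Presence",
}
# Assumed default location of unpacked extensions for a standard VSCode install.
DEFAULT_DIR = Path.home() / ".vscode" / "extensions"

def load_manifests(ext_dir=DEFAULT_DIR):
    """Parse the package.json of every extension folder under ext_dir."""
    manifests = []
    for pkg in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
    return manifests

def _norm(text):
    return "".join(c for c in str(text).lower() if c.isalnum())

def audit(manifests, vetted=VETTED, threshold=0.8):
    """Return (extension_id, finding) for each extension not on the allowlist."""
    findings = []
    for m in manifests:
        ext_id = f"{m.get('publisher', '?')}.{m.get('name', '?')}".lower()
        if ext_id in vetted:
            continue
        labels = {_norm(m.get("displayName", "")), _norm(m.get("name", ""))} - {""}
        finding = "unvetted"
        for good_id, good_name in vetted.items():
            known = (_norm(good_name), _norm(good_id.split(".", 1)[1]))
            if any(SequenceMatcher(None, a, b).ratio() >= threshold
                   for a in labels for b in known):
                finding = f"lookalike of {good_id}"
                break
        findings.append((ext_id, finding))
    return findings

# Constructed manifests for illustration; not extensions named in the report.
SAMPLE = [
    {"publisher": "esbenp", "name": "prettier-vscode", "displayName": "Prettier - Code formatter"},
    {"publisher": "example-publisher", "name": "prettier-formatter", "displayName": "Prettier - Code Formatter"},
    {"publisher": "example-publisher", "name": "markdown-notes", "displayName": "Markdown Notes"},
]
```

Run `audit(load_manifests())` to check a real install. A "lookalike" finding means the name closely matches a vetted tool but the publisher ID does not, which is the disguise described above.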

Microsoft has removed the malicious extensions and blocked the accounts behind them. But this incident highlights a bigger issue: the need for better vetting and more awareness on our end.

👉 I wrote a full breakdown, including the list of affected extensions and how the attack worked.
