Edit 2025-04-09 16:42Z - article was updated with a tenth package (Prettier - Code)
A set of ten VSCode extensions on Microsoft’s Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer for Monero.
ExtensionTotal researcher Yuval Ronen has uncovered ten VSCode extensions published on Microsoft’s portal on April 4, 2025.
The package names are:
- Prettier - Code for VSCode (by prettier) - 486K installs
- Discord Rich Presence for VS Code (by
Mark H) - 189K installs- Rojo – Roblox Studio Sync (by
evaera) - 117K installs- Solidity Compiler (by
VSCode Developer) - 1.3K installs- Claude AI (by
Mark H)- Golang Compiler (by
Mark H)- ChatGPT Agent for VSCode (by
Mark H)- HTML Obfuscator (by
Mark H)- Python Obfuscator for VSCode (by
Mark H)- Rust Compiler for VSCode (by
Mark H)
Fucking what
Maybe to build one of those shitty websites where you can’t select text because every letter is in its own element.
Just that? An open source HTML minifier probably bundled with a miner.
Minification isn’t the same as obfuscation, though. The only way I can think to obfuscate HTML would be to replace every element with a custom element.
Minification is a form of obfuscation. It makes it (much) less readable.
Of course you could run a formatter over it. But that’s already an additional step you have to do. By the same reasoning you could run a deobfuscator over more obfuscated code.
That is true!
But one could make up all kinds of tactics. Especially with the help of css styles inside the document. For example: add random crap, make it invisible. Make the real content hard to see or find in the document. Why though? I don’t know! Now I am kind of curious to know what it did, if anything.