Poisoned Plugins: Evelyn Stealer Hits Developers via VS Code Marketplace
Software developers remain a prime target for attackers, as a growing number of malicious campaigns abuse the very tools and environments on which the software development lifecycle depends. A clear illustration of this trend is the emergence of the Evelyn Stealer malware, distributed through compromised extensions for Visual Studio Code.
According to Trend Micro's findings, Evelyn Stealer is built to exfiltrate developer credentials, cryptocurrency assets and other highly sensitive data. Compromising a developer's local environment often serves as a foothold for broader intrusions into corporate infrastructure, especially when the targeted individuals hold administrative privileges over cloud resources or production environments.
The campaign specifically targets practitioners who routinely rely on third-party VS Code extensions. In December, researchers at Koi Security identified several malicious add-ons, namely BigBlack.bitcoin-black, BigBlack.codo-ai and BigBlack.mrbigblacktheme, which installed a library named Lightshot.dll. This component ran an obfuscated PowerShell command to download an executable, runtime.exe, which in turn decrypted the main malicious module and injected it into the trusted Windows system process grpconv.exe. This technique allowed Evelyn Stealer to operate covertly and exfiltrate the harvested data over FTP.
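A first thing a defender will want after reading the paragraph above is a quick inventory check: are any of the three extension identifiers named by Koi Security installed on a workstation? The script below is an added example, not code from the article, Trend Micro or Koi Security. It assumes the standard VS Code layout, where installed extensions are listed in `~/.vscode/extensions/extensions.json` (each entry carrying `identifier.id`) and live in directories named `<publisher>.<name>-<version>`; the publisher-level match is a heuristic added here, not something the article states, and the sample inventory is constructed.

```python
import json
import re
from pathlib import Path

# Extension identifiers named in the Koi Security findings cited above.
# VS Code extension ids are case-insensitive, so everything is compared lower-cased.
KNOWN_BAD_EXTENSION_IDS = {
    "bigblack.bitcoin-black",
    "bigblack.codo-ai",
    "bigblack.mrbigblacktheme",
}

# VS Code records installed extensions in <user dir>/.vscode/extensions/extensions.json;
# each entry carries the extension id under identifier.id.
DEFAULT_INVENTORY = Path.home() / ".vscode" / "extensions" / "extensions.json"

# Constructed sample inventory (not real data) so the check runs offline.
SAMPLE_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.2.1"},
    {"identifier": {"id": "BigBlack.codo-ai"}, "version": "1.0.3"},
    {"identifier": {"id": "esbenp.prettier-vscode"}, "version": "10.1.0"},
])

# Extension directories are named <publisher>.<name>-<version>[-<platform>].
FOLDER_RE = re.compile(r"^(?P<id>[^.]+\..+?)-(?P<version>\d+(?:\.\d+)+)(?:-.*)?$")


def ids_from_inventory(text):
    """Return lower-cased extension ids listed in an extensions.json document."""
    ids = []
    for entry in json.loads(text):
        ext_id = entry.get("identifier", {}).get("id")
        if ext_id:
            ids.append(ext_id.lower())
    return ids


def ids_from_folder_names(names):
    """Fallback for a missing or stale inventory: derive ids from directory names."""
    ids = []
    for name in names:
        m = FOLDER_RE.match(name)
        if m:
            ids.append(m.group("id").lower())
    return ids


def flag_extensions(ids, blocklist=KNOWN_BAD_EXTENSION_IDS):
    """Return (id, reason) pairs for ids on the blocklist or from a blocklisted publisher.

    The publisher match is a heuristic added here: the three ids reported so far
    share one publisher, so anything else under that publisher deserves review.
    """
    bad_publishers = {b.split(".", 1)[0] for b in blocklist}
    hits = []
    for ext_id in ids:
        if ext_id in blocklist:
            hits.append((ext_id, "known-malicious id"))
        elif ext_id.split(".", 1)[0] in bad_publishers:
            hits.append((ext_id, "same publisher as a known-malicious id"))
    return hits


def scan_host(inventory=DEFAULT_INVENTORY):
    """Check the local VS Code extension inventory, falling back to directory names."""
    inventory = Path(inventory)
    if inventory.is_file():
        ids = ids_from_inventory(inventory.read_text(encoding="utf-8"))
    elif inventory.parent.is_dir():
        ids = ids_from_folder_names(p.name for p in inventory.parent.iterdir() if p.is_dir())
    else:
        ids = []
    return flag_extensions(ids)


if __name__ == "__main__":
    print("sample inventory:", flag_extensions(ids_from_inventory(SAMPLE_INVENTORY)))
    print("this host:", scan_host())
```

Run it as-is to see the constructed inventory flagged, or point `scan_host()` at a different profile directory (for example a portable VS Code install) to check a real machine. The blocklist is only as good as the published identifiers, so treat an empty result as "nothing known was found", not as a clean bill of health.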
The scope of collected data is broad: clipboard contents, lists of installed software, cryptocurrency wallet data, running-process lists, desktop screenshots, saved Wi-Fi credentials and extensive browser data from Google Chrome and Microsoft Edge. To reduce the risk of detection, the malware can recognize virtualized research environments and can terminate browser instances so that their data can be extracted without interference.
To stay hidden further, the malware manipulates the browser's launch parameters, disabling GPU acceleration and logging and rendering windows in a near-invisible 1×1 pixel background state. This behavior significantly complicates detection and response by conventional security tools.
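The launch-parameter trick described above leaves a recognizable footprint in process-creation telemetry, which is where a detection engineer would look for it. The script below is an added example, not code from the article or from Trend Micro, and it makes two assumptions: that the switches involved are the documented Chromium ones for headless rendering, disabled GPU acceleration, disabled logging and a tiny or off-screen window (the article describes only the effect, not the exact switches Evelyn uses), and that a browser started by anything other than the shell or another browser process deserves a point against it. The process events are constructed, not real telemetry.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe"}
# Parents from which a user or the browser itself normally starts a browser.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}

# Chromium switches that strip GPU acceleration, logging or the visible window.
# Which switches Evelyn passes is an assumption; the article describes only the effect.
HIDDEN_RENDER_SWITCHES = {"--headless", "--disable-gpu", "--disable-logging"}
TINY_WINDOW_RE = re.compile(r"^--window-size=(\d+),(\d+)$")
OFFSCREEN_POS_RE = re.compile(r"^--window-position=(-?\d+),(-?\d+)$")

# Constructed process-creation events (not real telemetry), in the shape an
# EDR or Sysmon event 1 would give after normalization.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "chrome.exe", "parent": "explorer.exe",
     "cmdline": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default'},
    {"pid": 5212, "image": "msedge.exe", "parent": "grpconv.exe",
     "cmdline": "msedge.exe --headless --disable-gpu --disable-logging "
                "--window-size=1,1 --window-position=-32000,-32000 --profile-directory=Default"},
    {"pid": 6001, "image": "chrome.exe", "parent": "chrome.exe",
     "cmdline": "chrome.exe --type=renderer --disable-gpu --lang=en-US"},
]


def score_browser_launch(event):
    """Return (score, reasons) for a top-level browser launch, or None if the event is not one.

    Whitespace splitting is enough here because only exact '--switch' tokens are
    inspected; a quoted path containing spaces fragments harmlessly.
    """
    if event["image"].lower() not in BROWSERS:
        return None
    tokens = event["cmdline"].split()
    # Chromium helper processes (--type=renderer, gpu-process, ...) inherit the
    # parent's switches, so only the top-level browser process is scored.
    if any(t.startswith("--type=") for t in tokens):
        return None
    reasons = sorted(t for t in tokens if t in HIDDEN_RENDER_SWITCHES)
    for t in tokens:
        m = TINY_WINDOW_RE.match(t)
        if m and int(m.group(1)) <= 1 and int(m.group(2)) <= 1:
            reasons.append("tiny window " + t)
        m = OFFSCREEN_POS_RE.match(t)
        if m and (int(m.group(1)) < 0 or int(m.group(2)) < 0):
            reasons.append("off-screen window " + t)
    if event["parent"].lower() not in EXPECTED_PARENTS:
        reasons.append("unexpected parent " + event["parent"])
    return len(reasons), reasons


def suspicious_launches(events, threshold=3):
    """Return (pid, reasons) for launches whose score reaches the threshold.

    A single switch such as --disable-gpu is common in legitimate use; the
    threshold asks for a combination before alerting.
    """
    hits = []
    for event in events:
        scored = score_browser_launch(event)
        if scored and scored[0] >= threshold:
            hits.append((event["pid"], scored[1]))
    return hits


if __name__ == "__main__":
    for pid, reasons in suspicious_launches(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
```

The threshold matters: developers and CI agents run headless browsers legitimately, so a rule that fires on `--headless` alone will be noisy. Combining the window switches with an unexpected parent, such as the grpconv.exe the article says the stealer hides in, is what separates this campaign's pattern from a test harness.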
The malware also uses a mutex, a synchronization object that prevents several malicious instances from running on the same host at once. Trend Micro assesses that the Evelyn Stealer campaign reflects an increasingly deliberate offensive against the developer community, who are high-value targets within the software security ecosystem. In parallel, two new Python-based malware families have been documented: MonetaStealer, which is cross-platform and also runs on macOS, and SolyxImmortal, which uses system APIs and third-party libraries to send stolen data via Discord webhooks. Researchers at CYFIRMA note that SolyxImmortal prioritizes stealth and persistence, avoiding overt destruction in favor of trusted platforms for command-and-control communication.