Researchers Find Malicious Developer Packages Stealing Data
Cybersecurity researchers recently discovered two malicious Visual Studio Code extensions on the VS Code Marketplace that install stealer malware and download additional payloads. They also identified similarly malicious packages in the Go, npm, and Rust ecosystems targeting developer systems and credentials. The findings highlight a widening supply-chain risk for developers and underscore the need to audit dependencies and remove compromised packages.
Key Points
- Identify two VS Code extensions that embed stealer malware to download payloads and exfiltrate data
- Highlight broader supply-chain risk as malicious packages also found in Go, npm, and Rust ecosystems
- Warn developers to audit dependencies, remove infected packages, and rotate exposed credentials immediately
Scoring Rationale
Cross-ecosystem developer supply-chain impact and actionable mitigation; limited novelty and single-source reporting reduce broader validation.
Sources
Public references used for this report.
