Vibe coders targeted with Pokémon, Minecraft-themed add-ons: malware steals crypto

Published: 1 November 2025
Last updated: 1 November 2025
cybercriminals lure vibe coders with Pokemon theme

Looking at plain code feels too boring, so you add a little animated sidekick to keep you entertained or a new theme to keep you focused? Pwned. Security researchers are flagging a wave of VS Code extensions that quietly mine cryptocurrency or potentially worse.

Secure Annex researcher John Tuckner uncovered five new malicious extensions on the VS Code marketplace, all published by the same developer using the alias “DevelopmentInc.”

Already downloaded hundreds of times, they pose as tools tailored for developers with AI (vibe coders). VS Code is a very popular and free code editor from Microsoft and a go-to choice for programmers.

ADVERTISEMENT

One extension suggests it will add Pokémon-themed syntax highlighting, animated sprites, dynamic status bar colors, random “wild Pokémon encounters” in the output panels, and even code snippets for Pokémon-themed comments. Neat.

“Sadly, the extension contains no theme functionality, dancing Pikachu sprites, and immediately executes malicious code upon installation,” Tuckner said in a blog post about malicious cryptominers on the VS Code marketplace.

“The extension only downloads malware instead of even changing highlighting syntax or showing Pikachu when you hover functions.”

extensions-vs-code

The obfuscated extension code hides the “activate()” function, which runs automatically when the extension is enabled. It downloads malware from an attacker-controlled server, saves it to the temporary directory as sap.exe, and then executes it. The malicious extension attempts to blend in with the traffic by spoofing requests as if they originated from Chrome.

During testing, the retrieved malicious payload was identified as Monero cryptomining malware, capable of privilege escalation, disabling Windows Defender, and achieving persistence. It would select the closest mining pool, attempt to download a region-specific mining executable, and run it.

The researcher utilized AI tools to analyze the extension on the Secure Annex MCP server, which aids in decoding obfuscated code and analyzing behaviors.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us
ADVERTISEMENT

Other extensions had similar functionality, despite claiming to be “the best AI coding agent for frontend,” offering a Minecraft theme for debugging, or similar features.

The malicious extensions appear to have been removed from the marketplace at the time of writing; however, similar threats can resurface quickly – be cautious before installing any add-ons.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
By participating in this viral trend, you help train AI where it struggles the most
Windows hibernation may contribute to SSD wear as storage costs rise
UFO skeptic Michael Shermer apologizes to David Grusch
Man tries to make a sale on Facebook Marketplace, gets scammed out of $300 via Zelle
Critical FFmpeg flaw discovered: just watching a video can fully compromise your system
The world's top intelligence alliance: AI could supercharge cyberattacks within months
ADVERTISEMENT