Saved February 14, 2026
Do you care about this?
Two harmful extensions on the Visual Studio Code Marketplace, Bitcoin Black and Codo AI, steal sensitive information from developers' machines. They can capture screenshots, steal credentials, and hijack browser sessions, and both were published under the name 'BigBlack.' Microsoft has since removed both extensions from the marketplace.
If you do, here's more
Two malicious extensions have been found on Microsoft's Visual Studio Code Marketplace, infecting developers with malware designed to steal sensitive information. Named Bitcoin Black and Codo AI, the extensions claim to offer a color theme and an AI assistant, respectively, but are actually tools for attackers. Bitcoin Black had only one install and Codo AI fewer than 30 downloads at the time of reporting. Koi Security's analysis highlights that Bitcoin Black executes on every action taken in VSCode and runs PowerShell code, a clear anomaly for a theme. The extension has evolved from using a visible PowerShell script to a hidden batch script, making detection more difficult.
Both extensions come packaged with a legitimate version of the Lightshot screenshot tool, but they also load a malicious DLL via DLL hijacking to deploy an infostealer identified as runtime.exe. This malware can steal a range of data, including WiFi credentials, clipboard contents, and screenshots. It can hijack browser sessions by running Chrome and Edge in headless mode to extract stored cookies. Notably, it targets cryptocurrency wallets such as Phantom and MetaMask, looking for credentials and passwords. On VirusTotal, 29 out of 72 antivirus engines flagged the malicious DLL as a threat.
Microsoft was contacted regarding these extensions and has since confirmed that both have been removed from the marketplace. The incident underscores the ongoing risks of downloading extensions from less reputable sources. Developers are advised to stick to trusted publishers to minimize exposure to similar threats.
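The anomaly described above, a color theme that runs code on every VS Code action, can be checked for in the manifests of installed extensions. The audit script below is an added example, not code from the article or from Koi Security. It assumes that "executes on every action" corresponds to the `*` activation event in an extension's `package.json`; the function names, the hint-string list and the three sample extensions are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

DECLARATIVE = {"themes", "iconThemes", "productIconThemes"}  # need no code
HINTS = ("child_process", "powershell", "cmd.exe", ".bat")  # heuristic list

def audit_extension(ext_dir):
    """Return reasons a theme-only extension looks like it runs code."""
    try:
        manifest = dict(json.loads((ext_dir / "package.json").read_text("utf-8")))
    except (OSError, ValueError, TypeError):
        return ["unreadable package.json"]
    contributes = set(manifest.get("contributes") or {})
    if not contributes or not contributes <= DECLARATIVE:
        return []  # not a pure theme: out of scope for this check
    findings = []
    if "*" in (manifest.get("activationEvents") or []):
        findings.append("activates on '*'")
    if isinstance(main := manifest.get("main"), str):
        findings.append("has code entry point")
        for entry in (ext_dir / main, ext_dir / (main + ".js")):  # suffix optional
            if entry.is_file():
                code = entry.read_text("utf-8", errors="ignore").lower()
                findings += [f"entry point mentions {h}" for h in HINTS if h in code]
                break
    return findings

def audit_all(root):
    """Map folder name -> findings for each flagged extension under root."""
    dirs = sorted(p for p in Path(root).iterdir() if p.is_dir())
    return {d.name: f for d in dirs if (f := audit_extension(d))}

def demo():  # audits three constructed sample extensions in a temp dir
    shell = "require('child_process').exec('powershell -File x.ps1')"
    samples = {  # constructed manifests; every sample gets the same ext.js
        "plain-theme": {"contributes": {"themes": []}},
        "odd-theme": {"contributes": {"themes": []}, "main": "./ext",
                      "activationEvents": ["*"]},
        "real-tool": {"contributes": {"commands": []}, "main": "./ext"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, manifest in samples.items():
            (ext := Path(tmp) / name).mkdir()
            (ext / "package.json").write_text(json.dumps(manifest), "utf-8")
            (ext / "ext.js").write_text(shell, "utf-8")
        return audit_all(tmp)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To check a real installation, pass the extensions folder (by default `~/.vscode/extensions`) to `audit_all`. A finding is a prompt to review the extension, not proof of malice.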