A set of ten malicious VSCode extensions on the Microsoft Visual Studio Code Marketplace has been found to infect users with the XMRig cryptominer for Monero. These extensions masquerade as legitimate tools and execute a PowerShell script to install the malware while also disabling critical Windows security features. Microsoft has since removed the extensions and blocked the publisher from the marketplace.
A separate article explores two novel techniques for shutting down cryptominer botnets, leveraging weaknesses in common mining topologies. One approach exploits the Stratum mining protocol's communications to get mining proxies banned by the pool, drastically reducing the botnet's operational hashrate and revenue. The article also introduces a tool named XMRogue that helps carry out these strategies against malicious mining operations.