Executive Summary
In January 2026, researchers uncovered a malware campaign exploiting the Microsoft VS Code extension ecosystem to deliver Evelyn Stealer, an infostealer targeting software developers. Threat actors distributed malicious extensions which downloaded and executed a secondary payload, ultimately injecting the stealer into a legitimate process. Once executed, the malware harvested sensitive information—including developer credentials, stored cookies, crypto wallets, and system data—then exfiltrated these assets via FTP to a remote server. Attackers also deployed anti-analysis and evasion techniques, enabling seamless and covert data theft that potentially compromised broader organizational systems by abusing developer environments as entry points.
This attack underscores the growing risks to the software supply chain, as developer tools become lucrative vectors for credential and asset theft. The Evelyn Stealer incident reflects an expanding trend where infostealers leverage trusted development ecosystems, highlighting the urgent need for stronger security controls and supply chain hygiene in rapidly evolving threat landscapes.
Why This Matters Now
The rapid adoption of developer tools and extensions has outpaced security reviews, making them attractive targets for infostealers like Evelyn Stealer. Organizations relying on code repositories and cloud resources are especially vulnerable to supply chain attacks, necessitating immediate attention to extension vetting, zero trust segmentation, and early threat detection to prevent credential compromise and downstream impacts.
Attack Path Analysis
The attacker initiated compromise by delivering malicious VS Code extensions to unsuspecting developers, leading to the execution of a downloader DLL. Upon successful deployment, the malware escalated privileges by injecting itself into legitimate processes in memory. The attacker also sought lateral movement, abusing compromised developer environments as a pivot to other organizational assets. Command and control was established as the malware communicated with a remote server to receive instructions and coordinate exfiltration. Sensitive data, including credentials and crypto wallets, was exfiltrated over FTP to attacker infrastructure. While no destructive impact was observed, the compromise of high-privilege developer resources posed a significant risk to organizational integrity.
Kill Chain Progression
Initial Compromise
Description
Attackers delivered malicious VS Code extensions that, when installed, executed a hidden downloader DLL to fetch and run the stealer payload.
Related CVEs
CVE-2025-49714
CVSS: 7.8
Trust boundary violation in Visual Studio Code - Python extension allows an unauthorized attacker to execute code locally.
Affected Products:
Microsoft Visual Studio Code - Python Extension – < 2020.9.2
Exploit Status:
no public exploit
CVE-2025-21264
CVSS: 7.1
Files or directories accessible to external parties in Visual Studio Code could allow unauthorized access.
Affected Products:
Microsoft Visual Studio Code – < 1.87.2
Exploit Status:
no public exploit
CVE-2024-49049
CVSS: 7.1
Improper access control in Visual Studio Code Remote Extension allows local attackers to elevate privileges.
Affected Products:
Microsoft Visual Studio Code Remote Extension – < 0.115.1
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Command and Scripting Interpreter: PowerShell
Process Injection: Portable Executable Injection
File and Directory Discovery
Credentials from Password Stores: Credentials from Web Browsers
Screen Capture
Exfiltration Over C2 Channel
Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Framework
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Enforce Verification of Identity for Developer Tools
Control ID: Identity Pillar: Authentication & Access Management
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Evelyn Stealer directly targets VS Code developers through malicious extensions, stealing credentials and crypto assets from software development environments and production systems.
Information Technology/IT
IT organizations face credential theft and lateral movement risks as compromised developer environments provide access points into broader organizational cloud resources and systems.
Financial Services
High-risk sector due to cryptocurrency wallet targeting and stored credential theft, with compliance implications for PCI DSS and encrypted traffic requirements.
Computer Games
Game development studios using VS Code extensions are vulnerable to source code theft and digital asset exfiltration through compromised developer workstations and environments.
Sources
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto, https://thehackernews.com/2026/01/evelyn-stealer-malware-abuses-vs-code.html
- Malicious VSCode Extensions Discovered Containing Infostealers, https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/
- CVE-2025-49714 Microsoft Python Extension for Visual Studio Code Vulnerability, https://cvetodo.com/cve/CVE-2025-49714
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, and strict egress policy enforcement would have significantly minimized the malware's ability to move laterally or exfiltrate sensitive data, while real-time visibility and inline IPS could have alerted to or blocked malicious activity at several kill chain stages.
Control: Inline IPS (Suricata)
Mitigation: Known malicious payload downloads could be detected and blocked before infection.
Control: Zero Trust Segmentation
Mitigation: Identity-based policy could have restricted risky process behavior and limited access scope.
Control: East-West Traffic Security
Mitigation: Lateral movement could be blocked by enforcing inter-workload isolation and permitting only approved service-to-service communication.
Control: Multicloud Visibility & Control
Mitigation: Anomalous outbound connections could be identified and correlated with known C2 infrastructure.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound FTP connections and other data transfers could be prevented by granular egress filtering.
Rapid detection and analyst alerting facilitate containment and reduce further fallout.
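The egress control above (and the matching recommended action on blocking outbound FTP) can be exercised against connection logs. The Python below is an added example, not code from this report or from any product it names: it assumes Zeek-style tab-separated conn records (the sample entries are constructed), an assumed developer VLAN of 10.20.1.0/24, an assumed corporate range of 10.0.0.0/8, and one assumed sanctioned FTP host, and it also pairs a flagged control connection with the high-port follow-up that passive-mode FTP uses for the data transfer.

```python
import ipaddress

# Constructed sample (not from the report): ts, src, sport, dst, dport, proto, service
SAMPLE_CONN_LOG = """\
1768262400.100\t10.20.1.15\t51822\t10.20.0.5\t443\ttcp\tssl
1768262401.250\t10.20.1.15\t51830\t203.0.113.45\t21\ttcp\tftp
1768262402.900\t10.20.1.22\t51901\t198.51.100.9\t443\ttcp\tssl
1768262405.010\t10.20.1.15\t51844\t203.0.113.45\t50113\ttcp\t-
1768262410.300\t10.20.1.30\t52000\t192.0.2.77\t21\ttcp\tftp
"""

DEV_SUBNET = ipaddress.ip_network("10.20.1.0/24")     # assumed developer VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate ranges
FTP_ALLOWLIST = {"192.0.2.77"}                        # assumed sanctioned FTP host
FTP_PORTS = {21, 990}                                 # FTP control, implicit FTPS
DATA_CHANNEL_WINDOW = 60.0                            # seconds after control conn

def parse_conn_line(line):
    # One tab-separated conn record -> the fields the checks need
    ts, src, _sport, dst, dport, proto, service = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "service": service}

def is_outbound_from_dev(rec):
    # True when a developer-VLAN host talks to a non-corporate address
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    return src in DEV_SUBNET and not any(dst in net for net in INTERNAL_NETS)

def flag_unauthorized_ftp(log_text):
    """Return (ts, src, dst, dport, reason) tuples for unsanctioned FTP egress.
    A control connection (port 21/990 or service 'ftp') to a host outside
    FTP_ALLOWLIST is flagged; a later high-port connection from the same source to
    the same destination within DATA_CHANNEL_WINDOW is the likely passive data channel."""
    findings, control_seen = [], {}  # control_seen: (src, dst) -> ts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_conn_line(line)
        if not is_outbound_from_dev(rec):
            continue
        key, row = (rec["src"], rec["dst"]), (rec["ts"], rec["src"], rec["dst"], rec["dport"])
        if rec["dport"] in FTP_PORTS or rec["service"] == "ftp":
            if rec["dst"] in FTP_ALLOWLIST:
                continue  # sanctioned destination, not a finding
            control_seen[key] = rec["ts"]
            findings.append(row + ("FTP control connection to non-allowlisted host",))
        elif key in control_seen and rec["dport"] > 1023 \
                and rec["ts"] - control_seen[key] <= DATA_CHANNEL_WINDOW:
            findings.append(row + ("probable passive FTP data channel after flagged control",))
    return findings
```

On the sample, the sanctioned host on 192.0.2.77 produces nothing, while the 203.0.113.45 control connection and its high-port follow-up three seconds later are both reported.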
Impact at a Glance
Affected Business Functions
- Software Development
- IT Infrastructure
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of developer credentials, source code, and access to production systems, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and identity-based policies to prevent compromised developer endpoints from accessing unnecessary cloud and production resources.
- Deploy egress security controls and application-aware firewalls to block unauthorized outbound connections and data exfiltration methods such as FTP.
- Leverage inline IPS to inspect and prevent malicious extension payloads, especially where unencrypted traffic can be analyzed.
- Implement centralized multicloud visibility to rapidly detect anomalous traffic patterns and suspicious inter-workload communications.
- Continuously monitor for and respond to anomalies in endpoint and network behavior to identify infostealer campaigns targeting developer ecosystems.