“Evelyn Stealer” Abuses Visual Studio Code Extensions to Harvest Developer Secrets

By Ash K

A newly uncovered malware campaign known as Evelyn Stealer is drawing attention to a growing blind spot in developer security. By weaponizing malicious Visual Studio Code extensions, attackers have found a discreet way to infiltrate development environments and siphon sensitive data directly from systems trusted by engineers and DevOps teams.

Rather than exploiting traditional vulnerabilities, the campaign takes advantage of the implicit trust developers place in their tooling. Visual Studio Code extensions are widely used to improve productivity, and they are often granted broad access to local files, environment variables, and authentication tokens without raising suspicion.

How the Evelyn Campaign Operates

The attack begins with trojanized extensions distributed through unofficial channels and promoted as useful developer utilities. Once installed, these extensions appear to function normally, minimizing user suspicion while quietly initiating the malicious workflow in the background.

Upon activation, the extension executes embedded scripts that establish persistence and begin harvesting sensitive information. The collected data is then staged locally before being exfiltrated to attacker-controlled infrastructure.

[Figure: Attack chain of the Evelyn Stealer campaign abusing VS Code extensions]

Targeted Data and Capabilities

Evelyn Stealer is designed to collect a wide range of high-value information commonly found on developer machines. This includes browser cookies, saved credentials, API keys, cloud access tokens, and configuration files used for deploying applications.

Particularly concerning is the malware’s ability to access development secrets that may grant downstream access to production systems. Compromised credentials can enable attackers to move laterally into cloud environments, source code repositories, or CI/CD pipelines.

Why Developer Environments Are Attractive Targets

Developer workstations often hold privileged access to internal systems while lacking the same level of monitoring applied to production servers. Industry surveys suggest that a single developer machine can contain credentials for dozens of internal services, making it a high-impact target when compromised.

The widespread adoption of Visual Studio Code further amplifies the risk. With millions of active users and thousands of extensions available, the ecosystem provides ample opportunity for malicious code to blend in among legitimate tools.

Stealth and Evasion Techniques

Evelyn Stealer emphasizes low-noise operation to avoid detection. Network communications are kept minimal, and exfiltration is often delayed to evade behavioral monitoring. In some cases, the malware leverages encrypted channels or common web services to mask outbound traffic.

By embedding itself within a trusted extension, the malware bypasses many traditional security controls that focus on standalone executables or suspicious downloads.
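The sections above describe what the stealer reads (browser cookie stores, saved credentials, cloud tokens, deployment configuration) and why it is hard to catch on the network side. One place defenders still have visibility is host file access: the VS Code extension host process has little legitimate reason to open a developer's cloud credential file or a browser cookie database. The script below is an added example, not code from the article or from any vendor, that applies that rule to file-access telemetry. The log lines are constructed for the example and use a simplified JSON-per-line format; a real EDR or auditd feed will carry different field names and needs the same mapping. The process markers and path patterns are assumptions to tune to your platform.

```python
"""Flag VS Code extension-host processes that read credential stores.

Added example. The telemetry format below (one JSON object per line with
ts, pid, op, cmdline, path) is constructed for illustration.
"""
import fnmatch
import json

# Credential locations the article lists as targets: cloud access tokens,
# SSH and git credentials, deployment configuration, browser cookie stores.
# Assumed layout for Linux/macOS home directories; extend for Windows profiles.
CREDENTIAL_PATTERNS = [
    "*/.aws/credentials",
    "*/.ssh/id_*",
    "*/.config/gcloud/*",
    "*/.azure/*",
    "*/.kube/config",
    "*/.docker/config.json",
    "*/.npmrc",
    "*/.git-credentials",
    "*/Google/Chrome/*/Cookies",
    "*/Google/Chrome/*/Login Data",
    "*/Mozilla/Firefox/Profiles/*/cookies.sqlite",
]

# Substrings that identify the VS Code extension host in a command line.
# Assumption: adjust to what your telemetry actually records per platform.
EXTENSION_HOST_MARKERS = (
    "--type=extensionHost",
    "extensionHostProcess",
    "Code Helper (Plugin)",
)


def is_credential_path(path: str) -> bool:
    """True if the path matches one of the credential-store patterns."""
    posix = path.replace("\\", "/")
    return any(fnmatch.fnmatchcase(posix, pat) for pat in CREDENTIAL_PATTERNS)


def is_extension_host(event: dict) -> bool:
    """True if the accessing process is a VS Code extension host."""
    cmdline = event.get("cmdline", "")
    return any(marker in cmdline for marker in EXTENSION_HOST_MARKERS)


def detect(log_lines):
    """Return one alert per extension-host pid that opened credential stores.

    Grouping by pid keeps a chatty extension from producing one alert per file.
    """
    hits = {}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Only actual opens/reads count; a stat() of a key file is not a read.
        if event.get("op") not in ("open", "read"):
            continue
        if not is_extension_host(event) or not is_credential_path(event["path"]):
            continue
        hits.setdefault(event["pid"], []).append(event["path"])
    return [{"pid": pid, "paths": sorted(set(paths))} for pid, paths in hits.items()]


# Constructed sample telemetry: one extension host (pid 4101) opens a source
# file, then the AWS credential file and the Chrome cookie database; the aws
# CLI (pid 2210) legitimately reads the same credential file; a later stat()
# of an SSH key by the extension host is recorded but is not an open.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:12:01Z","pid":4101,"op":"open","cmdline":"/usr/share/code/code --type=extensionHost","path":"/home/dev/project/src/main.ts"}
{"ts":"2024-05-01T09:12:03Z","pid":4101,"op":"open","cmdline":"/usr/share/code/code --type=extensionHost","path":"/home/dev/.aws/credentials"}
{"ts":"2024-05-01T09:12:03Z","pid":4101,"op":"open","cmdline":"/usr/share/code/code --type=extensionHost","path":"/home/dev/.config/Google/Chrome/Default/Cookies"}
{"ts":"2024-05-01T09:13:10Z","pid":2210,"op":"open","cmdline":"/usr/bin/aws s3 ls","path":"/home/dev/.aws/credentials"}
{"ts":"2024-05-01T09:14:00Z","pid":4101,"op":"stat","cmdline":"/usr/share/code/code --type=extensionHost","path":"/home/dev/.ssh/id_ed25519"}
"""


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

The rule is deliberately narrow: it keys on the process that does the reading, not on the file alone, so the aws CLI touching its own credential file does not fire. Extensions that legitimately manage cloud or container tooling will match and need an allowlist by extension identifier, which is the tuning work a detection engineer would do before deploying this.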

Mitigation and Defensive Measures

Developers and organizations are urged to review installed extensions and remove those obtained from untrusted sources. Limiting extension permissions, enforcing code signing policies, and monitoring for unusual access to credential stores can significantly reduce risk.
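Reviewing installed extensions can be scripted rather than done by hand. The script below is an added example, not code from the article or from any vendor tool: it reads the package.json manifest that every installed extension ships (VS Code stores them under ~/.vscode/extensions/<publisher>.<name>-<version>/) and flags three things a reviewer would want to see: a publisher outside the organization's allowlist, an extension that activates unconditionally when the editor starts (the "*" and "onStartupFinished" activation events), and a manifest that declares no source repository. The allowlist and the sample manifests are constructed placeholders; the allowlist must be replaced with the publishers your organization actually approves.

```python
"""Audit VS Code extension manifests for supply-chain review flags.

Added example. Reads each installed extension's package.json; the sample
manifests at the bottom are constructed, and the allowlist is a placeholder.
"""
import json
from pathlib import Path

# Placeholder allowlist: replace with the publishers your organization approves.
APPROVED_PUBLISHERS = {"ms-python", "example-corp"}

# Activation events that run the extension's code as soon as VS Code opens,
# regardless of what the user is doing. Legitimate, but also how a background
# payload gets started, so they merit review.
STARTUP_EVENTS = {"*", "onStartupFinished"}


def audit_manifest(manifest: dict) -> list:
    """Return a list of review findings for one parsed package.json."""
    findings = []
    publisher = manifest.get("publisher", "")
    if publisher not in APPROVED_PUBLISHERS:
        findings.append(f"publisher '{publisher}' is not on the allowlist")
    events = set(manifest.get("activationEvents", []))
    if events & STARTUP_EVENTS:
        findings.append("activates unconditionally when the editor starts")
    if not manifest.get("repository"):
        findings.append("no source repository declared")
    return findings


def audit_manifests(manifests: dict) -> dict:
    """manifests: extension id -> parsed package.json. Returns only flagged ones."""
    flagged = {}
    for ext_id, manifest in manifests.items():
        findings = audit_manifest(manifest)
        if findings:
            flagged[ext_id] = findings
    return flagged


def load_installed(root: Path = Path.home() / ".vscode" / "extensions") -> dict:
    """Read every installed extension's package.json under the extensions dir."""
    manifests = {}
    for pkg in root.glob("*/package.json"):
        try:
            manifest = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
        manifests[ext_id] = manifest
    return manifests


# Constructed sample manifests (hypothetical extensions, not real ones).
SAMPLE_MANIFESTS = {
    "ms-python.python": {
        "name": "python",
        "publisher": "ms-python",
        "activationEvents": ["onLanguage:python"],
        "repository": {"type": "git", "url": "https://example.invalid/python"},
    },
    "dev-helper.docker-assist": {
        "name": "docker-assist",
        "publisher": "dev-helper",
        "activationEvents": ["*"],
        "main": "./out/extension.js",
    },
    "example-corp.internal-linter": {
        "name": "internal-linter",
        "publisher": "example-corp",
        "activationEvents": ["onLanguage:yaml", "onStartupFinished"],
        "repository": {"type": "git", "url": "https://example.invalid/linter"},
    },
}


if __name__ == "__main__":
    # Audit the constructed samples; swap in load_installed() for a real machine.
    for ext_id, findings in audit_manifests(SAMPLE_MANIFESTS).items():
        print(ext_id)
        for finding in findings:
            print("  -", finding)
```

A hit is a prompt for review, not proof of compromise: many legitimate extensions activate at startup. The allowlist check is the one that maps directly to the article's advice to remove extensions obtained from untrusted sources, and it is the one to enforce first.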

The Evelyn Stealer campaign highlights a broader shift in attacker strategy toward software supply chain abuse. As development tools become more powerful and interconnected, securing the developer environment is becoming as critical as protecting production infrastructure.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.