MAL-2025-191166
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/vscode:open-vsx.org/l-igh-t.vscode-theme-seti-folder/MAL-2025-191166.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2025-191166
- Published
- 2025-11-19T05:55:49Z
- Modified
- 2025-11-26T00:12:27.192214Z
- Summary
- Malicious code in l-igh-t.vscode-theme-seti-folder (VSCode:https://open-vsx.org)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: google-open-source-security (dc07b5a9c4c6f86929db6d62c15f2c2a9c52912263950282c709e0b68387f54b)
This extension is malicious. When installed it runs an info stealer that exfiltrates user data including credentials and cryptocurrency wallets. The extension also provides remote access and attempts to propagate itself.
- Database specific
{ "malicious-packages-origins": [ { "sha256": "dc07b5a9c4c6f86929db6d62c15f2c2a9c52912263950282c709e0b68387f54b", "source": "google-open-source-security", "modified_time": "2025-11-19T05:55:49Z", "versions": [ "1.2.3" ], "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "import_time": "2025-11-19T05:56:22.710696Z" } ], "iocs": { "ips": [ "217.69.3.218", "199.247.10.166" ], "urls": [ "http://140.82.52.31:80/wall", "http://199.247.13.106:80/wall", "https://calendar.app.google/M2ZCvM8ULL56PD1d6", "http://217.69.3.218/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D", "http://217.69.3.218/get_arhive_npm/", "http://217.69.3.218/get_zombi_payload/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D" ] } }- References