VS Code Extension Impersonating Zoom Targets Google Chrome Cookies
ID: 83196436-9a66-5033-86d9-3197b56337d4
STIX ID: report--83196436-9a66-5033-86d9-3197b56337d4
Feed Name: Hunt.io Blog
This report analyzes a malicious VS Code extension uploaded in late November that impersonated Zoom and was later updated to include functionality for accessing and exfiltrating Google Chrome cookies via a hardcoded endpoint (https://api.storagehb.cn). The authors document the extension's files (dist/extension.js and src/extension-web.js), its activation on startup, its use of sqlite3 to read the Chrome Cookies SQLite database, embedded secrets, and a version history suggesting staged deployment. They also provide IOCs (domain, marketplace asset host, VSIX SHA-256) alongside defensive recommendations for vetting extensions and restricting access.
