A wave of malicious Visual Studio Code (VSCode) extensions has been discovered targeting developers and cryptocurrency users, aiming to execute supply chain attacks. First appearing in October 2024, these extensions, identified by ReversingLabs and security researcher Amit Assaraf, download heavily obfuscated PowerShell payloads from suspicious domains.
The campaign includes 18 malicious extensions, such as EVM.Blockchain-Toolkit and Ethereum.SoliditySupport, alongside an npm package named etherscancontacthandler. These were promoted with fake reviews and inflated download stats to appear credible.
The malicious extensions deliver secondary payloads through hidden PowerShell commands, decrypting AES-encrypted strings to drop and execute further malware. In tests, these payloads included files like MLANG.DLL, flagged by multiple antivirus engines as malicious.
Because the extensions are aimed at users of productivity and cryptocurrency tools, they are particularly dangerous to developers in those communities. The threat actors also used seemingly legitimate domains such as microsoft-visualstudiocode[.]com to avoid detection.
Researchers warn developers to carefully verify the authenticity of extensions and npm packages, as these attacks underscore the growing risk of supply chain compromises in software development environments.
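One way to act on that advice locally is to audit the extensions already installed on a workstation for the IDs named above and for the delivery pattern described (PowerShell launched from extension JavaScript with hidden-window and encoded or AES-decrypted strings). The script below is an added example, not the researchers' tooling; the directory layout `publisher.name-version`, the regex heuristics, and the constructed sample tree are assumptions.

```python
import json
import re
import tempfile
from pathlib import Path
# Extension IDs (publisher.name) named in the report, lowercased for comparison.
KNOWN_BAD_IDS = {"evm.blockchain-toolkit", "ethereum.soliditysupport"}

# Assumed heuristics for the described loader: PowerShell spawned from extension JS,
# hidden window, encoded/AES-decrypted strings, and the lookalike domain.
SUSPICIOUS_PATTERNS = [
    re.compile(r"powershell(\.exe)?", re.I),
    re.compile(r"-windowstyle\s+hidden", re.I),
    re.compile(r"-encodedcommand|-enc\b", re.I),
    re.compile(r"FromBase64String|AesCryptoServiceProvider|CreateDecryptor", re.I),
    re.compile(r"microsoft-visualstudiocode", re.I),
]

def audit_extension(ext_dir: Path) -> dict:
    """Audit one installed extension directory (assumed layout: publisher.name-version)."""
    findings = {"id": ext_dir.name, "known_bad": False, "hits": []}
    manifest = ext_dir / "package.json"
    if manifest.is_file():
        meta = json.loads(manifest.read_text(encoding="utf-8", errors="replace"))
        findings["id"] = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        findings["known_bad"] = findings["id"] in KNOWN_BAD_IDS
    for js in ext_dir.rglob("*.js"):  # bundled JS is where a loader would live
        text = js.read_text(encoding="utf-8", errors="replace")
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(text):
                findings["hits"].append((str(js.relative_to(ext_dir)), pat.pattern))
    return findings

def audit_all(root: Path) -> list:
    """Findings for every extension under root that is known-bad or has indicator hits."""
    results = [audit_extension(d) for d in sorted(root.iterdir()) if d.is_dir()]
    return [f for f in results if f["known_bad"] or f["hits"]]

def build_sample_tree() -> Path:
    """Constructed sample: one benign extension and one mimicking the reported loader."""
    root = Path(tempfile.mkdtemp(prefix="vsix-audit-"))
    for dirname, meta, js in [
        ("acme.linter-1.0.0", {"publisher": "acme", "name": "linter"},
         "exports.activate = () => console.log('ready');"),
        ("evm.blockchain-toolkit-1.2.0", {"publisher": "EVM", "name": "Blockchain-Toolkit"},
         "const {exec} = require('child_process');\n"
         "exec('powershell -WindowStyle Hidden -EncodedCommand <placeholder>');"),
    ]:
        (root / dirname).mkdir()
        (root / dirname / "package.json").write_text(json.dumps(meta))
        (root / dirname / "extension.js").write_text(js)
    return root
```

On a real machine, call `audit_all(Path.home() / ".vscode" / "extensions")` and treat any hit as a prompt for manual review, since the regexes will also flag legitimate extensions that invoke PowerShell.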