Malicious VS Code Extension Uses Solana Blockchain to Deploy NodeJS Stealer Targeting Developers
What Happened – A counterfeit “R language support” extension for Visual Studio Code (distributed as reditorsupporter.r‑vscode‑2.8.8‑universal; the publisher name imitates REditorSupport, which publishes the legitimate R extension) was found delivering a multi‑stage Node.js credential stealer. The extension's loader retrieves encrypted JavaScript payloads stored in Solana blockchain transactions, decrypts them on the developer's machine, and runs the result, which harvests saved passwords, session cookies and other sensitive data from Chromium‑based browsers. Persistence is achieved via a hidden PowerShell scheduled task.
Why It Matters for TPRM –
- Supply‑chain abuse of a trusted IDE extension: the code arrives through a channel the developer deliberately trusts, runs under the developer's own account inside VS Code's extension host, and looks like ordinary editor activity to controls that key on unknown executables or blocked downloads.
- Blockchain‑based payload distribution makes takedown impractical: the encrypted payload sits in public, immutable Solana transactions and is read back through ordinary Solana RPC endpoints, so there is no attacker‑owned C2 server or domain to seize or sinkhole, and blocking the channel would mean blocking Solana RPC traffic in general. The on‑chain record does not identify the operator either, so attribution is harder.
- A compromised developer machine exposes whatever the developer can reach: privileged API keys and cloud credentials stored locally, authenticated browser sessions (stolen cookies let an attacker reuse a login without the password or MFA), and through them downstream third‑party services.
Who Is Affected – Software development teams, SaaS providers, cloud‑native enterprises, and any organization that allows developers to install VS Code extensions.
Recommended Actions –
- Restrict extension installation on corporate workstations to an allowlist of vetted publishers (VS Code's extensions.allowed setting or the equivalent Group Policy) rather than relying on signing alone, and verify publisher identity: the legitimate R extension is published by REditorSupport, and the counterfeit's publisher name differs from it by two letters.
- Enforce application allowlisting and monitor scheduled‑task creation (Windows Security event 4698, or event 106 in the TaskScheduler/Operational log), alerting on tasks that launch PowerShell with a hidden window, an encoded command or an execution‑policy bypass from a user profile directory.
- Rotate any API keys, cloud credentials or other secrets stored on affected developer machines, and revoke active browser sessions (SSO, cloud consoles, source‑control hosting): stolen session cookies may remain valid after a password change.
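As an added example (not part of the Bitdefender report or this bulletin), the following Python script shows two host‑side hunts a defender can run for the indicators described above: flagging VS Code extension folders whose publisher is not on an allowlist or is a look‑alike of an allowed publisher, and scanning Task Scheduler XML definitions for PowerShell launched with a hidden window, an encoded command or an execution‑policy bypass. The publisher allowlist, the folder listing and the two task definitions are constructed for the example; the counterfeit folder name is written with plain hyphens.

```python
"""Hunt for the two host-side indicators described above: a look-alike VS Code
extension publisher and a PowerShell-based scheduled task.

Added example; all inputs below are constructed and the allowlist is assumed."""
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Assumed publisher allowlist. "reditorsupport" (the legitimate R extension publisher)
# is included so that the counterfeit "reditorsupporter" is reported as a look-alike.
ALLOWED_PUBLISHERS = {"ms-python", "ms-vscode", "reditorsupport"}

# VS Code unpacks extensions into folders named "<publisher>.<name>-<version>",
# optionally followed by a platform target such as "-universal" or "-win32-x64".
EXT_DIR_RE = re.compile(
    r"^(?P<publisher>[^.]+)\.(?P<name>.+?)-(?P<version>\d+\.\d+\.\d+)(?:-(?P<target>[\w-]+))?$",
    re.IGNORECASE,
)


def audit_extension_dirs(dirnames, allowed=ALLOWED_PUBLISHERS, lookalike_threshold=0.85):
    """Map each extension folder name to (verdict, detail); verdict is one of
    'allowed', 'lookalike', 'not-allowlisted' or 'unparsed'."""
    verdicts = {}
    for name in dirnames:
        m = EXT_DIR_RE.match(name)
        if not m:
            verdicts[name] = ("unparsed", "")
            continue
        pub = m["publisher"].lower()
        if pub in allowed:
            verdicts[name] = ("allowed", pub)
            continue
        # Not allowlisted: check whether the publisher string imitates an allowed one.
        best, score = max(((a, SequenceMatcher(None, pub, a).ratio()) for a in allowed),
                          key=lambda t: t[1])
        if score >= lookalike_threshold:
            verdicts[name] = ("lookalike", f"{pub} resembles {best} (similarity {score:.2f})")
        else:
            verdicts[name] = ("not-allowlisted", pub)
    return verdicts


TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
POWERSHELL_RE = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)
# Argument patterns worth flagging on a developer workstation; heuristics, not a signature.
SUSPICIOUS_ARGS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE), "hidden window"),
    (re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE), "encoded command"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE), "execution policy bypass"),
]


def scan_task_xml(task_xml):
    """Return the reasons a Task Scheduler XML definition (the format stored under
    C:\\Windows\\System32\\Tasks) matches the persistence pattern; empty list if none."""
    root = ET.fromstring(task_xml)
    reasons = []
    if (root.findtext(f"./{TASK_NS}Settings/{TASK_NS}Hidden") or "").strip().lower() == "true":
        reasons.append("task hidden from the Task Scheduler UI")
    for exec_action in root.iter(f"{TASK_NS}Exec"):
        command = (exec_action.findtext(f"{TASK_NS}Command") or "").strip().strip('"')
        arguments = exec_action.findtext(f"{TASK_NS}Arguments") or ""
        if POWERSHELL_RE.search(command):
            for pattern, label in SUSPICIOUS_ARGS:
                if pattern.search(arguments):
                    reasons.append(f"powershell with {label}")
    return reasons


# Constructed folder listing of ~/.vscode/extensions on a developer machine.
SAMPLE_EXTENSION_DIRS = [
    "ms-python.python-2024.22.0",
    "reditorsupport.r-2.8.4",
    "reditorsupporter.r-vscode-2.8.8-universal",   # the counterfeit named in the report
    "acme.tool-1.0.0",
]

# Constructed task definitions (XML declaration omitted so ElementTree accepts a str).
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\dev\AppData\Local\Temp\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Example\updater.exe</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for folder, (verdict, detail) in audit_extension_dirs(SAMPLE_EXTENSION_DIRS).items():
        print(f"{verdict:16} {folder}  {detail}")
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, scan_task_xml(xml_text) or "no findings")
```

On a live host, feed audit_extension_dirs the folder names under ~/.vscode/extensions and scan_task_xml the files under C:\Windows\System32\Tasks (or the output of schtasks /query /xml); the same argument heuristics apply to the task content carried in Security event 4698. The similarity check is deliberately loose: a publisher two letters off from an allowed one scores around 0.93, while an unrelated name scores well under the threshold.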
Technical Notes – The attack vector is a malicious IDE extension (MALWARE) that retrieves its payload from Solana blockchain transactions (no CVE involved). The stolen data includes saved Chromium passwords, session cookies, and other browser artifacts. Source: Bitdefender Labs