Sophisticated Malware Lurks In Open VSX Extension With 5,066 Downloads
January 30, 2026
GBHackers On Security

Companies Mentioned

Solana Company, Google (GOOG), GitHub

Why It Matters

The compromise turns a trusted development tool into a credential‑stealing platform, threatening code repositories and downstream software products across the industry.

Key Takeaways

  • Malicious VS Code extension mimics Angular Language Service
  • 5,066 downloads before payload activation
  • Payload decrypts with AES‑256‑CBC, contacts Solana C2
  • Extension skips Russian locales to evade detection
  • Steals NPM tokens, GitHub credentials, and crypto wallets

Pulse Analysis

The discovery of a malicious VS Code extension in the Open VSX marketplace underscores a growing blind spot in the software‑development supply chain. Unlike the official Visual Studio Marketplace, Open VSX applies minimal vetting, allowing attackers to publish packages that appear legitimate. This incident follows a string of extension‑based compromises, such as the recent Shai Hulud campaign, and demonstrates how a single compromised tool can reach thousands of developers worldwide. As extensions become integral to modern IDE workflows, their security posture directly influences the integrity of code repositories and downstream products.

The malicious package masquerades as the Angular Language Service, activating on HTML and TypeScript files before decrypting a payload with AES‑256‑CBC. After a brief 500 ms delay to evade sandbox analysis, the code evaluates a hex‑encoded script that contacts a Solana blockchain address, extracting a Base64‑encoded URL from the memo field—a technique known as Etherhiding. The malware also implements geofencing checks to abort on Russian locales, creates a persistent init.json file, and deploys a hidden Node.js binary with a scheduled task, ensuring a long‑term foothold on compromised machines.

The impact extends beyond individual workstations; stolen NPM tokens, GitHub OAuth data, and cryptocurrency wallet files enable attackers to hijack supply‑chain pipelines and monetize illicit assets. Enterprises that allow developers to install extensions without centralized control are especially vulnerable. Immediate remediation includes uninstalling the package, rotating all compromised credentials, and employing endpoint detection that monitors extension activity. Longer‑term defenses require strict vetting of third‑party extensions, automated scanning of VS Code add‑ons, and a zero‑trust approach to developer tooling to mitigate future supply‑chain threats.
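The behaviours described above (the 500 ms delay, AES‑256‑CBC decryption of a hex‑encoded payload, the Solana memo lookup, the Russian‑locale bailout, the init.json file and the scheduled task) together with the remediation advice to monitor extension activity can be turned into a quick static triage of what is already installed on a developer workstation. The Python script below is an added example written for this page; it is not GBHackers' code, not a published signature set, and not code from the extension itself. It assumes extensions are installed under ~/.vscode/extensions or ~/.vscode-oss/extensions as directories holding a package.json and JavaScript files, and it assumes the genuine Angular Language Service is published under the publisher id "Angular" for the impersonation check. The regexes are heuristic paraphrases of the article's description and will produce false positives (legitimately localized extensions also mention "ru"), so the output is a triage list to review, not a verdict.

```python
"""Static triage of installed VS Code / Open VSX extensions.

Added example for this page; constructed by the editor, not code from GBHackers
or from the extension in the article. Assumptions: extensions live under
~/.vscode/extensions or ~/.vscode-oss/extensions as directories holding
package.json and .js files; the regexes below are heuristic paraphrases of the
behaviours the article describes, not published signatures.
"""
import json
import re
from pathlib import Path

# One heuristic per behaviour the article attributes to the malicious extension.
INDICATORS = {
    "aes_256_cbc_decrypt": re.compile(r"createDecipheriv\(\s*['\"]aes-256-cbc['\"]"),
    "hex_decode_then_eval": re.compile(r"eval\([^;]{0,200}?['\"]hex['\"]"),
    "delayed_execution_500ms": re.compile(r"setTimeout\([\s\S]{0,200}?,\s*500\s*\)"),
    "solana_memo_lookup": re.compile(r"solana[\s\S]{0,400}?memo", re.I),
    # Weak on its own: legitimate localized extensions also mention 'ru'.
    "russian_locale_bailout": re.compile(r"['\"]ru(?:-RU)?['\"]"),
    "init_json_state_file": re.compile(r"init\.json"),
    "scheduled_task_persistence": re.compile(r"schtasks|crontab|launchctl"),
}

# Assumed publisher id of the genuine extension the malicious one mimics.
KNOWN_PUBLISHERS = {"angular language service": "angular"}

DEFAULT_ROOTS = [Path.home() / ".vscode" / "extensions",
                 Path.home() / ".vscode-oss" / "extensions"]


def scan_source(text: str) -> list:
    """Return the indicator labels whose regex matches the JavaScript text."""
    return [label for label, rx in INDICATORS.items() if rx.search(text)]


def assess(manifest: dict, sources: list) -> dict:
    """Combine the manifest impersonation check and source indicators into a triage."""
    display = manifest.get("displayName", manifest.get("name", "")).lower()
    publisher = manifest.get("publisher", "").lower()
    expected = KNOWN_PUBLISHERS.get(display)
    impersonation = expected is not None and publisher != expected

    hits = sorted({label for src in sources for label in scan_source(src)})
    # Impersonating a well-known name weighs as much as three code indicators.
    score = len(hits) + (3 if impersonation else 0)
    triage = "suspicious" if score >= 3 else ("review" if score else "clean")
    return {
        "name": manifest.get("name", "?"),
        "publisher": publisher,
        "impersonation": impersonation,
        "indicators": hits,
        "score": score,
        "triage": triage,
    }


def scan_extension_dir(ext_dir: Path) -> dict:
    """Read package.json plus every .js file under one extension directory."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    sources = [p.read_text(encoding="utf-8", errors="ignore")
               for p in ext_dir.rglob("*.js")]
    return assess(manifest, sources)


def scan_roots(roots=DEFAULT_ROOTS) -> list:
    """Triage every installed extension; directories without a manifest are skipped."""
    results = []
    for root in roots:
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            if (ext_dir / "package.json").is_file():
                results.append(scan_extension_dir(ext_dir))
    return results


# Constructed fixtures: the "suspicious" one is inert text that only mirrors the
# article's described behaviours as string patterns; it does nothing if run.
SUSPICIOUS_SAMPLE = r"""
const crypto = require('crypto');
if (['ru', 'ru-RU'].includes(vscode.env.language)) { return; }
const dec = crypto.createDecipheriv('aes-256-cbc', key, iv);
setTimeout(() => eval(Buffer.from(blob, 'hex').toString()), 500);
const url = Buffer.from(solanaTx.memo, 'base64').toString();
fs.writeFileSync(path.join(home, 'init.json'), state);
execSync('schtasks ...');
"""

BENIGN_SAMPLE = r"""
const vscode = require('vscode');
function activate(context) {
  const d = vscode.commands.registerCommand('hello.world', () => {
    vscode.window.showInformationMessage('Hello');
  });
  context.subscriptions.push(d);
}
module.exports = { activate };
"""

if __name__ == "__main__":
    for r in scan_roots():
        if r["triage"] != "clean":
            print(f'{r["triage"]:10} {r["publisher"]}.{r["name"]} {r["indicators"]}')
```

Run it on a workstation and review anything marked "suspicious" or "review" by hand; a single hit such as the locale check is normal for localized extensions, whereas several hits on an extension whose display name belongs to a different publisher is the pattern the article describes and warrants uninstalling the package and rotating the NPM, GitHub and wallet credentials on that machine.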
