Open VSX Extension Weaponized – Sophisticated Malware Campaign

Researchers have uncovered a malware campaign in the Open VSX extension marketplace: attackers published a malicious package disguised as the Angular Language Service extension, and it was downloaded more than 5,000 times before it was caught.

Attack Overview

  • Extension disguise: The package bundled the legitimate Angular and TypeScript language-service components with an encrypted malicious payload, so the extension appeared to function normally.
  • Trigger: The payload was decrypted and executed when the developer opened an HTML or TypeScript file, the file types the genuine extension handles.
  • Duration: The listing stayed in the marketplace undetected for two weeks.
  • Downloads: 5,066 before discovery.

Technical Details

  • Encryption: Embedded payloads are decrypted at runtime with AES-256-CBC.
  • C2 infrastructure: The command-and-control configuration is stored on the Solana blockchain, an application of the EtherHiding technique (originally seen with Ethereum-compatible smart contracts) to Solana.
    • The loader reads the transaction history of an attacker-controlled Solana wallet and extracts Base64-encoded instructions from the transaction memo fields.
    • Because public RPC nodes serve the chain to anyone and confirmed transactions cannot be deleted, this gives the operators a persistent, censorship-resistant channel.
  • Backup channels: Compromised Google Calendar links act as a fallback when the primary servers are unreachable.

Malware Capabilities

  • Credential theft: Targets developer credentials for NPM, GitHub and cryptocurrency wallets across more than 60 platforms.
  • Token extraction: Steals OAuth tokens from VS Code configuration files.
  • Browser manipulation: Kills browser processes so that their locked credential and cookie database files can be copied.
  • Real-time validation: Stolen credentials are checked for validity immediately, so the operators know which ones are live.
  • Exfiltration: Collected data is compressed and sent to servers whose addresses come from the blockchain-hosted configuration.
  • Geographic filtering: The malware refuses to run on Russian systems, a trait that suggests Russian-speaking operators.

Blockchain-Based Command Infrastructure

  • Advantages for attackers:
    • Immutability: Once written, configuration data persists indefinitely and cannot be removed by a hosting provider.
    • Availability: Public RPC endpoints are always reachable, so the loader needs no attacker-owned server to fetch its configuration.
    • Resilience: Payload URLs can be rotated by posting a new transaction, without republishing the extension.
  • Observed activity:
    • Solana wallet BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC.
    • 10 configuration updates in the past month.
    • Latest update: Jan 28, 2026.
  • Outcome: No single point of failure; takedowns can only target the payload hosts the configuration points to, not the configuration channel itself.
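The memo-field channel described in the Technical Details and in this section is straightforward to reproduce from the analyst's side. The script below is an added example, not code from the campaign or from the researchers: it takes the kind of list that Solana's public `getSignaturesForAddress` RPC method returns for a wallet, decodes the Base64 JSON hidden in memo fields, skips decoys and ordinary transfers, and reports the current configuration and how many times it changed. The wallet address is the one named in the report; the transactions, the `"[<length>] <text>"` memo rendering and the JSON schema (`v`, `c2`, `fallback`) are constructed assumptions for the example.

```python
"""Hunting helper for memo-field C2 configuration on Solana (added example).

Works on the result shape of the public RPC method getSignaturesForAddress,
whose entries carry a `memo` string. Assumptions not stated in the report:
the RPC renders memos as "[<byte length>] <text>" and the operator stores a
Base64-encoded JSON object. All transactions below are constructed sample
data; only the wallet address comes from the report.
"""
import base64
import binascii
import json
import re
from datetime import datetime, timezone

WALLET = "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC"  # wallet named in the report

# Assumed rendering of the RPC `memo` field: "[<byte length>] <memo text>".
_MEMO_RE = re.compile(r"^\[(\d+)\]\s(.*)$", re.DOTALL)


def _encode_memo(config):
    """Build a memo the way the (assumed) operator side would: JSON -> Base64.
    Used only to construct the sample data below."""
    b64 = base64.b64encode(json.dumps(config, separators=(",", ":")).encode()).decode()
    return "[%d] %s" % (len(b64), b64)


# Constructed sample of getSignaturesForAddress(WALLET) output, newest first as
# the RPC returns it. Real entries also carry `signature`, `slot`, `err` and
# `confirmationStatus`; only the fields this example reads are kept.
SAMPLE_SIGNATURES = [
    {"blockTime": 1769601600,  # 2026-01-28 12:00 UTC: newest config push
     "memo": _encode_memo({"v": 3, "c2": "https://c2-v3.invalid/api", "fallback": "calendar"})},
    {"blockTime": 1769472000,  # 2026-01-27: plain transfer, no memo
     "memo": None},
    {"blockTime": 1768867200,  # 2026-01-20: second config push
     "memo": _encode_memo({"v": 2, "c2": "https://c2-v2.invalid/api"})},
    {"blockTime": 1768521600,  # 2026-01-16: decoy, valid Base64 but not JSON
     "memo": "[16] aGVsbG8gd29ybGQ="},
    {"blockTime": 1768003200,  # 2026-01-10: first config push
     "memo": _encode_memo({"v": 1, "c2": "https://c2-v1.invalid/api"})},
    {"blockTime": 1767830400,  # 2026-01-08: unrelated human memo
     "memo": "[2] gm"},
]


def decode_memo(memo):
    """Return the JSON object hidden in a memo, or None when the memo is absent,
    not valid Base64, or does not decode to a JSON object."""
    if not memo:
        return None
    m = _MEMO_RE.match(memo)
    text = m.group(2) if m else memo  # tolerate RPCs that omit the length prefix
    try:
        raw = base64.b64decode(text, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):  # bad Base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None


def extract_configs(signatures):
    """Every decodable configuration for the wallet, oldest first, with block time."""
    found = []
    for entry in signatures:
        cfg = decode_memo(entry.get("memo"))
        if cfg is None or entry.get("blockTime") is None:
            continue
        when = datetime.fromtimestamp(entry["blockTime"], tz=timezone.utc)
        found.append({"block_time": when, "config": cfg})
    found.sort(key=lambda item: item["block_time"])
    return found


def latest_config(signatures):
    """The configuration a loader would act on now: the most recent decodable memo."""
    configs = extract_configs(signatures)
    return configs[-1]["config"] if configs else None


def updates_since(signatures, since):
    """Number of configuration pushes at or after `since` (a UTC-aware datetime)."""
    return sum(1 for item in extract_configs(signatures) if item["block_time"] >= since)


if __name__ == "__main__":
    for item in extract_configs(SAMPLE_SIGNATURES):
        print(item["block_time"].isoformat(), item["config"])
    print("current C2:", latest_config(SAMPLE_SIGNATURES)["c2"])
```

Against a live wallet, replace `SAMPLE_SIGNATURES` with the `result` array of a `getSignaturesForAddress` call and page with the `before` parameter; the history on chain is what lets you enumerate every payload host the operators ever pointed to, not just the current one.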

Defensive Recommendations

  • Immediate removal: Uninstall any Angular Language Service extension obtained from Open VSX that did not come from the official publisher.
  • Credential rotation: Because the stealer validates credentials as soon as it takes them, rotate NPM tokens, GitHub credentials and wallet secrets on any machine that had the extension installed before investigating further.
  • Monitoring: Review VS Code configuration and stored authentication for tokens you did not create, and watch the linked accounts for unexpected sign-ins.
  • Blockchain awareness: Where outbound traffic is monitored, flag developer workstations that query public Solana RPC endpoints without a business reason, and track the wallet above for new configuration transactions.
  • Marketplace vigilance: Strengthen extension vetting and anomaly detection in Open VSX ecosystems.

Takeaway

This campaign demonstrates how attackers weaponize developer ecosystems by embedding malware into trusted productivity tools. By leveraging blockchain-based C2 infrastructure, they achieve resilient, takedown-resistant operations. Developers must remain vigilant, as compromised extensions can serve as high-value attack vectors for credential theft and supply chain compromise.
