
Cybersecurity researchers have flagged a supply chain attack targeting a Microsoft Visual Studio Code (VS Code) extension called Ethcode, which has just over 6,000 installs.
The compromise occurred via a GitHub pull request opened on June 17, 2025, by a user named Airez299.
First released by 7finney in 2022, Ethcode is a VS Code extension used to deploy and run Solidity smart contracts on Ethereum Virtual Machine (EVM)-compatible blockchains. The EVM is the distributed computation engine that runs smart contracts on the Ethereum network.
According to supply chain security company ReversingLabs, the GitHub project received its last non-malicious update on September 6, 2024. That changed when Airez299 opened a pull request with the message "codebase modernizing CodeBase using VIEM integration and testing framework."
The user claimed to have added a new testing framework with Mocha integration and contract testing capabilities, along with many other changes, including removing old configuration and updating dependencies to their latest versions.

While that might seem like a useful update for a project that had been dormant for more than nine months, ReversingLabs said that among the 43 commits and roughly 4,000 changed lines, just two lines compromised the entire extension, allowing the unknown threat actor behind the attack to slip malicious code in.
Those two lines added an npm dependency, "keythereum-utils", to the project's package.json file and imported it in the TypeScript file that backs the VS Code extension ("src/extension.ts").
The JavaScript library, since removed from the npm registry, is heavily obfuscated and contains code to download an unknown second-stage payload. The package was downloaded 495 times.
Multiple versions of "keythereum-utils" were uploaded to npm by users named 0xlab (version 1.2.1) and 0xlabss (versions 1.2.2, 1.2.3, 1.2.4, 1.2.5, and 1.2.6). The npm accounts no longer exist.
"After deobfuscating the keythereum-utils code, we were able to easily see what the script does. It creates a hidden PowerShell that downloads and runs batch scripts from public file hosting services," said security researcher Petar Kirhmajer.
The exact nature of the payload is unknown, but it is believed to be malware that can steal cryptocurrency assets or tamper with the contracts developed by users of the extension.
Following responsible disclosure to Microsoft, the extension was removed from the VS Code Extension Marketplace. After the malicious dependency was removed, the extension was reinstated.
"The ethcode package is unpublished by Microsoft," said 0MKARA, the tool's project maintainer, in a pull request filed on June 28.
Ethcode is the latest example of a broader and escalating trend in software supply chain attacks, in which attackers use public repositories such as PyPI and npm to deliver malware directly into developer environments.
"The GitHub account Airez299, which started the Ethcode pull request, was created on the same day that the PR was opened," ReversingLabs said. "Therefore, the Airez299 account does not have any previous history or activity associated with it, which strongly indicates that this is a throwaway account created with the purpose of infecting this repository."
According to data compiled by Sonatype, 16,279 open source malware packages were discovered in the second quarter of 2025, a jump of 188% from the same period the previous year. In comparison, 17,954 were discovered in the first quarter of 2025.
Of these, over 4,400 malicious packages were designed to harvest and exfiltrate sensitive information such as credentials and API tokens.
"Malware targeting data corruption has doubled in frequency, accounting for 3% of malicious packages, or over 400 unique instances," Sonatype said. "These packages are intended to damage files, inject malicious code, and disrupt applications and infrastructure."
A set of 107 malicious packages attributed to the North Korea-linked Lazarus Group was downloaded more than 30,000 times. Another set of over 90 npm packages has been linked to a Chinese threat cluster called Yeshen-Asia, which has been collecting system information and lists of running processes since at least December 2024.
"Each was published from a separate author account, each hosted only one malicious component, and all communicated with infrastructure behind the Cloudflare-protected yeshen.asia domain," the company said.
"While no new techniques have been observed in this second wave, the level of automation and infrastructure reuse reflects an intentional and enduring campaign focused on credential theft and secret exfiltration."
These numbers highlight the increasing sophistication of attacks targeting developer pipelines, with attackers increasingly compromising supply chains by exploiting trust in the open source ecosystem.
The development comes as Socket has identified eight fake game-related extensions in the Mozilla Firefox Add-ons store with a variety of malicious features, ranging from adware to Google OAuth token theft.

Specifically, some of these extensions are also known to redirect to gambling sites, display fake Apple virus alerts, and secretly route shopping sessions through affiliate tracking links to earn commissions.

All of the add-ons were published by a threat actor with the username "mre1903".
Their names include CalSyncMaster, VPN – Grab a Proxy, Five Nights at Freddy's, Gimegim, Little Alchemy 2, Bubble Spinner, and 1V1.
"Browser extensions remain a preferred attack vector due to their trusted status, broad permissions, and ability to run within the browser's security context," Socket said. "The progression from simple redirect fraud to OAuth credential theft shows how quickly these threats evolve and expand."
"More concerning, the redirect infrastructure can be easily repurposed for more intrusive behaviors such as comprehensive tracking, credential harvesting, and malware distribution."