Fake Windsurf IDE Extension Uses Solana Blockchain to Steal Developer Data
Summary
Bitdefender researchers discovered a malicious Windsurf IDE extension disguised as a legitimate R programming tool (reditorsupporter.r-vscode-2.8.8-universal) that steals developer credentials using the Solana blockchain to retrieve encrypted malicious payloads. The malware selectively targets developers outside Russia, harvesting passwords and session cookies while maintaining persistence via hidden PowerShell tasks to exfiltrate high-value API keys and credentials.
Full text
Cybersecurity researchers at Bitdefender have discovered a malicious Windsurf IDE extension using the Solana blockchain to steal developer credentials.

by Deeba Ahmed, March 19, 2026

Software developers are facing a tricky new cybersecurity threat that hides inside the very tools they use to write code. According to Bitdefender, a malicious extension targeting the Windsurf IDE has been discovered. The IDE is the digital workspace in which programmers build software, which makes it a lucrative target for hackers looking for sensitive data.

The attack relies on a fake extension that pretends to be a helpful tool for the “R” programming language. To trick unsuspecting users, the hackers named their file reditorsupporter.r-vscode-2.8.8-universal. This name was chosen because it looks almost identical to a popular, legitimate tool called REditorSupport. Researchers noted that the extension was “disguised as a legitimate R extension” to gain a foothold inside a developer’s private environment.

Hiding Spot on the Blockchain

What makes this discovery particularly interesting is how the malware communicates. It doesn’t use a standard server that could be easily blocked by a firewall; instead, it uses the Solana blockchain. The malware sends requests to the Solana network to “retrieve encrypted JavaScript fragments” hidden within digital transactions, Bitdefender’s researchers explained in the blog post shared with Hackread.com.

Researchers also found that the malware drops specific files, w.node and c_x64.node, once it gets onto a computer. These files act as the heavy lifters that start the actual data theft.

Selective Targeting

The malware is surprisingly selective about who it robs. Before it starts stealing, it runs a “system profiling” check to see where the user is located.
If it finds any link to Russia, such as time zones like Europe/Samara, Asia/Yekaterinburg, or Asia/Magadan, it shuts itself down. According to researchers, this is a “deliberate exclusion” used by cybercriminals to avoid getting in trouble with their own local police. If the victim is anywhere else, the malware gets to work stealing passwords and session cookies from browsers like Google Chrome.

Further probing revealed that the infection is self-sustaining: it uses a PowerShell script to create a hidden task called UpdateApp that runs every time the computer starts. This ensures that even if the coding software is closed, the hackers keep their access.

Researchers noted that this campaign specifically targets developers because they usually hold “high-value credentials” like API keys, which are essentially master keys to a company’s entire network. As these tools become more central to modern work, it becomes essential for us to be extra careful about which extensions we allow into our workspaces.
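The names quoted in the article (the lookalike extension id, the dropped w.node and c_x64.node files, and the UpdateApp scheduled task) are enough to write a small hunt script for a developer workstation. The following is an added example, not code from Bitdefender or Hackread: it scans an IDE extensions directory for those indicators and, going one step beyond the article, flags any extension whose publisher segment is a near-match for a trusted publisher name (here REditorSupport, the legitimate project the article names), which catches the typosquatting pattern rather than just this one id. The directory layout, the trusted-publisher list, the similarity threshold and the sample extension folders are all constructed assumptions; the scheduled-task names are passed in as a plain list so the logic can be fed from `schtasks /query` or `Get-ScheduledTask` output on a real host.

```python
"""Hunt for indicators from the fake Windsurf R extension report.

Added example (not Bitdefender's or Hackread's code). The extensions
directory layout, trusted publisher list and sample data are constructed.
"""
import difflib
import tempfile
from pathlib import Path

# Indicators quoted in the article.
MALICIOUS_EXTENSION_IDS = {"reditorsupporter.r-vscode-2.8.8-universal"}
MALICIOUS_FILE_NAMES = {"w.node", "c_x64.node"}
MALICIOUS_TASK_NAMES = {"UpdateApp"}

# Publisher the malicious id imitates (named in the article). Assumption:
# extension folders are named "<publisher>.<name>-<version>", as VS Code-style
# editors lay them out.
TRUSTED_PUBLISHERS = {"reditorsupport"}
LOOKALIKE_THRESHOLD = 0.8  # assumed cut-off for the string-similarity check


def publisher_of(extension_id):
    """Publisher segment of an extension folder name, lower-cased."""
    return extension_id.split(".", 1)[0].lower()


def lookalike_publisher(publisher):
    """Return the trusted publisher this one closely resembles, or None.

    An exact trusted match is not a lookalike; only near-misses are flagged.
    """
    p = publisher.lower()
    if p in TRUSTED_PUBLISHERS:
        return None
    for trusted in TRUSTED_PUBLISHERS:
        if difflib.SequenceMatcher(None, p, trusted).ratio() >= LOOKALIKE_THRESHOLD:
            return trusted
    return None


def scan_extensions_dir(extensions_dir):
    """Return (kind, detail) findings for every installed extension folder."""
    root = Path(extensions_dir)
    findings = []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue
        if entry.name.lower() in MALICIOUS_EXTENSION_IDS:
            findings.append(("known_malicious_extension", entry.name))
        else:
            look = lookalike_publisher(publisher_of(entry.name))
            if look:
                findings.append(("lookalike_publisher", f"{entry.name} ~ {look}"))
        # The dropped native modules can sit anywhere under the extension.
        for path in entry.rglob("*"):
            if path.is_file() and path.name.lower() in MALICIOUS_FILE_NAMES:
                findings.append(("malicious_native_module", str(path.relative_to(root))))
    return findings


def scan_scheduled_tasks(task_names):
    """Flag scheduled-task names matching the persistence task from the report."""
    return [("suspicious_scheduled_task", n) for n in task_names if n in MALICIOUS_TASK_NAMES]


def build_sample_extensions_dir():
    """Constructed sample tree: two benign, one typosquat, one known-bad extension."""
    root = Path(tempfile.mkdtemp(prefix="windsurf-ext-"))
    (root / "ms-python.python-2024.1.0").mkdir()          # benign
    (root / "reditorsupport.r-2.8.8").mkdir()             # the legitimate publisher
    (root / "reditor-support.rlang-1.0.0").mkdir()        # hypothetical lookalike
    bad = root / "reditorsupporter.r-vscode-2.8.8-universal"
    (bad / "bin").mkdir(parents=True)
    (bad / "w.node").write_bytes(b"constructed placeholder")
    (bad / "bin" / "c_x64.node").write_bytes(b"constructed placeholder")
    return root


if __name__ == "__main__":
    sample_root = build_sample_extensions_dir()
    for finding in scan_extensions_dir(sample_root):
        print(*finding)
    # Constructed task list standing in for real schtasks/Get-ScheduledTask output.
    for finding in scan_scheduled_tasks(["MicrosoftEdgeUpdateTaskMachineCore", "UpdateApp"]):
        print(*finding)
```

On a real machine, point `scan_extensions_dir` at the editor's extensions folder and feed `scan_scheduled_tasks` the task names from the task scheduler; a `lookalike_publisher` hit is worth a manual look even when the extension id is not on the known-bad list, because the same publisher-name trick can be reused with a new version string.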
Indicators of Compromise
- malware — reditorsupporter.r-vscode-2.8.8-universal
- malware — w.node
- malware — c_x64.node
- malware — UpdateApp