A significant malware campaign has infected dozens of Visual Studio Code (VS Code) extensions. As a consequence, 13 extensions on Open VSX and one on the Microsoft Extension Marketplace have been hijacked. The attack, which started on the 17th of October 2025, is still reverberating through the developer community. The malicious extensions used in this attack have already been downloaded more than 35,800 times.
The threat actors used a multi-pronged, advanced technique to ensure the malicious code kept spreading. By abusing the auto-update capability built into the extensions, they could repeatedly push harmful code that was installed automatically on unsuspecting users' machines. Hiding the payload inside otherwise trusted software made detection much more difficult.
Mechanism of the Attack
The attackers used the Solana blockchain in multiple parts of their command-and-control (C2) infrastructure to make it more resistant to detection and takedown. This unusual approach let them sidestep the takedown measures normally used against malicious infrastructure.
The malicious code embedded in the affected extensions looked for transactions associated with a specific Solana wallet operated by the attacker. The wallet, 28PKnu7RzizxBzFPoLp69HLXp9bJL3JFtT2s5QzHsEA2, was at the center of the attack.
After identifying relevant transactions, the code extracted a Base64-encoded string from the memo field. By decrypting the string we were able to identify the C2 server used for downloading further payloads. According to the server IP addresses listed in the press release, these servers were 217.69.3[.]218 and 199.247.10[.]166.
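The memo-based lookup described above is what an analyst has to reverse to turn a dead drop into indicators. The following is an added example, not code from the article or from the researchers it quotes: it assumes transaction records shaped like {"signature": ..., "memo": ...} (a simplified stand-in for the real RPC response, which is an assumption), tries each memo as strict Base64, and pulls any URL or IPv4:port out of the decoded text, defanged in the same 1.2.3[.]4 style the article uses. The sample records are constructed and decode to RFC 5737 documentation addresses, not to the campaign's real servers.

```python
"""Turn memo-based dead-drop records into indicators of compromise (IoCs).

Added example for this article; not code from the article or from the
researchers quoted in it. Record shape is an assumption.
"""
import base64
import binascii
import re
from typing import Optional

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IPPORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
LAST_DOT_RE = re.compile(r"(\d+\.\d+\.\d+)\.(\d+)")

# Constructed sample records. The Base64 memos decode to documentation-range
# placeholder addresses (RFC 5737), not to indicators from the real campaign.
SAMPLE_RECORDS = [
    {"signature": "sig-0001",
     "memo": base64.b64encode(b"http://203.0.113.10:8080/update").decode()},
    {"signature": "sig-0002", "memo": "thanks for the coffee"},  # ordinary memo, not Base64
    {"signature": "sig-0003",
     "memo": base64.b64encode(b"198.51.100.7:443").decode()},
    {"signature": "sig-0004", "memo": None},                      # no memo at all
]


def try_base64(memo: Optional[str]) -> Optional[str]:
    """Decode memo as strict Base64 and return printable ASCII text, else None."""
    if not memo:
        return None
    try:
        raw = base64.b64decode(memo, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def extract_endpoints(text: str) -> list:
    """Pull URLs first, then bare IPv4:port pairs from whatever text remains."""
    endpoints = URL_RE.findall(text)
    remainder = URL_RE.sub(" ", text)
    endpoints.extend(IPPORT_RE.findall(remainder))
    return endpoints


def defang(endpoint: str) -> str:
    """Neutralise an IPv4 literal in the article's 1.2.3[.]4 style."""
    return LAST_DOT_RE.sub(r"\1[.]\2", endpoint)


def resolve_dead_drops(records: list) -> list:
    """Return one entry per endpoint found in a memo that decodes as Base64."""
    hits = []
    for rec in records:
        decoded = try_base64(rec.get("memo"))
        if decoded is None:
            continue  # plain-text or empty memos are not dead drops
        for endpoint in extract_endpoints(decoded):
            hits.append({"signature": rec["signature"],
                         "endpoint": endpoint,
                         "defanged": defang(endpoint)})
    return hits


if __name__ == "__main__":
    for hit in resolve_dead_drops(SAMPLE_RECORDS):
        print(f"{hit['signature']}: {hit['defanged']}")
```

The strict `validate=True` decode is what keeps ordinary human memos out of the results; a real hunt would also record which records were skipped, since an attacker could switch to a different encoding at any time.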
“It’s a worm designed to spread through the developer ecosystem like wildfire.” – Idan Dardikman
Advanced Evasion Techniques
The attack shows a high degree of sophistication. It uses invisible Unicode characters to hide malicious code from code editors. According to cybersecurity expert Idan Dardikman, “The attacker used Unicode variation selectors – special characters that are part of the Unicode specification but don’t produce any visual output.” This trick let the attackers make their code effectively invisible to anyone reading it in an editor.
Dardikman further elaborated on the implications of this evasion tactic: “Invisible Unicode characters that make malicious code literally disappear from code editors” pose significant challenges for developers and security systems alike.
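Because variation selectors and other zero-width code points render nothing, the practical defence is to scan source for them before trusting what the editor shows. The following scanner is an added example, not code from the article or from the researchers it quotes: it reports every run of hidden code points with a 1-based line and column, can strip them so a file reads the way it will actually execute, and runs against a constructed JavaScript sample that hides a run of variation selectors in one string literal and a zero-width space in another.

```python
"""Find invisible Unicode code points that can hide code from a reviewer's editor.

Added example for this article; not code from the article or from the
researchers quoted in it. Flags variation selectors (U+FE00..U+FE0F and
U+E0100..U+E01EF) plus a few other zero-width code points abused the same way.
"""
import unicodedata
from dataclasses import dataclass

VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}  # ZWSP, ZWNJ, ZWJ, WJ, BOM
HIDDEN = VARIATION_SELECTORS | ZERO_WIDTH

# Constructed sample: line 2 carries a 16-character run of variation selectors
# inside a string literal, line 3 hides a zero-width space inside a literal.
SAMPLE_JS = (
    "const greeting = 'hello';\n"
    "const payload = '" + "".join(chr(0xFE00 + i) for i in range(16)) + "';\n"
    "const token = 'a\u200bb';\n"
)


@dataclass
class Finding:
    line: int
    column: int
    codepoint: int      # first code point of the run
    name: str           # its Unicode character name
    run_length: int     # how many hidden code points appear in a row


def find_hidden_chars(text: str) -> list:
    """Return one Finding per contiguous run of hidden code points (1-based positions)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            cp = ord(line[col])
            if cp not in HIDDEN:
                col += 1
                continue
            start = col
            while col < len(line) and ord(line[col]) in HIDDEN:
                col += 1
            findings.append(Finding(lineno, start + 1, cp,
                                    unicodedata.name(chr(cp), f"U+{cp:04X}"),
                                    col - start))
    return findings


def strip_hidden_chars(text: str) -> str:
    """Remove hidden code points so the file reads the way it will actually execute."""
    return "".join(ch for ch in text if ord(ch) not in HIDDEN)


def is_clean(text: str) -> bool:
    """True when the text contains no hidden code points at all."""
    return not find_hidden_chars(text)


if __name__ == "__main__":
    for f in find_hidden_chars(SAMPLE_JS):
        print(f"line {f.line} col {f.column}: {f.run_length} x {f.name} (U+{f.codepoint:04X})")
```

Run as a pre-commit or CI check over an extension's source tree, a non-empty result from find_hidden_chars is a hard failure; legitimate code has no reason to carry variation selectors outside of emoji sequences, and those can be allow-listed per file if they ever appear.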
These implications from such sophisticated evasion techniques should serve as a call for increased awareness among the developer community. As developers increasingly rely on extensions for functionality, they must remain aware of the potential risks associated with third-party software.
Data Exfiltration and Control
The impact of the attack goes beyond infection, as shown by the large-scale exfiltration of data. As the attack unfolded, the Zombi module dropped multiple components, including a SOCKS proxy, WebRTC modules, BitTorrent DHT, and HVNC for remote control.
Data exfiltrated from infected systems was sent to a remote endpoint controlled by the threat actor at 140.82.52[.]31:80. This extends the attackers’ capabilities beyond simply controlling infected machines to exfiltrating sensitive information from compromised systems.
Within hours, our experts recognized this as malicious activity. They caution that the attack’s elaborate development and delivery systems might remain a recurring threat even after near-term speculation subsides.