ReversingLabs (RL) researchers have uncovered a surge in malicious packages targeting cryptocurrency users and developers.
Notably, RL’s Karlo Zanki reported on PyPI packages designed to infiltrate the Solana ecosystem, while Lucija Valentić exposed npm packages that steal crypto funds by injecting code into legitimate local packages.
These incidents highlight a growing trend: attackers increasingly use open-source repositories as delivery vehicles for malware, often relying on “typosquatting”—the practice of mimicking legitimate package names to trick unsuspecting developers into downloading malicious code.
However, these are not the only threats facing the software supply chain. More sophisticated attacks, such as those that compromised SolarWinds Orion, 3CX’s DesktopApp, and XZ Utils, involve tampering with the development pipelines of trusted projects.
These attacks can have devastating consequences, potentially impacting thousands of organizations by inserting malicious code into widely used software.
The ETHcode Compromise: A Case Study in Supply Chain Vulnerability
RL researchers recently identified a textbook example of a supply chain attack with the compromise of ETHcode, a legitimate Visual Studio Code (VS Code) extension used by Ethereum developers.
ETHcode, maintained by the 7finney GitHub organization, had nearly 6,000 installs and was considered a trusted tool for smart contract development.

The breach began on June 17, when a newly created GitHub account, Airez299, submitted a pull request (PR) promising to modernize the codebase.
The PR appeared helpful, proposing updates and new features.

Both a 7finney member and GitHub’s AI reviewer examined the code, requesting only minor changes and missing the threat hidden within.
Buried among 4,000 lines of changes were just two lines that compromised the entire extension.
The first line introduced a new dependency, “keythereum-utils,” subtly named to resemble the legitimate “keythereum” library.
The second line loaded that dependency with Node.js’s “require” function, so the heavily obfuscated code the package shipped ran inside the extension.
Upon deobfuscation, RL researchers discovered that the malicious script spawned a hidden PowerShell process to download and run a batch script from a public file-hosting service.
The full capabilities of this second-stage payload are still under investigation, but it is suspected to target crypto assets or compromise Ethereum contracts under development.
Upon discovery, RL alerted Microsoft, leading to the extension’s removal from the VS Code Marketplace on June 26.
The 7finney team issued a clean update (version 0.5.1) on July 1 that removed the malicious dependency.
Lessons Learned and Steps Forward for Developers
The ETHcode incident underscores the urgent need for vigilance in software supply chains. Unlike typical typosquatting attacks, this compromise leveraged a legitimate, widely used extension and exploited the trust inherent in open-source collaboration.
Because VS Code updates extensions automatically by default, the compromised release reached existing users without any action on their part, potentially spreading malware to thousands of developer systems.
Key takeaways for developers and teams include:
- Manually verify contributor identities. New GitHub accounts submitting major changes should raise immediate red flags.
- Scrutinize new dependencies. Always review files like package.json for unexpected additions and vet them through security services.
- Leverage security tools. Platforms like RL’s Spectra Assure can flag suspicious behaviors and help compare software versions for unauthorized changes.
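The two-line pattern described above (a look-alike dependency added to package.json, then loaded with require) is exactly what the review steps in this list are meant to catch. The following is an added example, not code from the ETHcode project or from ReversingLabs: a small Node.js script that diffs the dependency sets of two package.json revisions, flags additions whose name piggybacks on a trusted package (either by reusing its name as a token, as keythereum-utils does with keythereum, or by sitting within a couple of edits of it), and reports the lines in the changed source that load them. The trusted-package list, the package names, versions and source lines are all constructed for the demo.

```javascript
// Added example, not code from the ETHcode project or from ReversingLabs.
// Reviews a pull request the way the article recommends: diff the dependency
// sets of two package.json revisions, flag additions whose name piggybacks on
// a trusted package, and locate where the changed code loads them.
// KNOWN_PACKAGES and all sample data below are constructed for the demo.

const KNOWN_PACKAGES = ["keythereum", "ethers", "web3", "lodash"];

// Classic edit distance (single-row DP); a distance of 1 or 2 from a trusted
// name is the typosquat signal ("lodahs" vs "lodash").
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Names from both maps; devDependencies count too, since a build-time package
// still runs on every developer's machine.
function dependencyNames(pkg) {
  return new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
}

function newDependencies(before, after) {
  const old = dependencyNames(before);
  return [...dependencyNames(after)].filter((n) => !old.has(n));
}

// Returns the trusted name a new dependency resembles, or null when the name
// is either exactly a trusted package or unlike any of them.
function lookalikeOf(name, known = KNOWN_PACKAGES) {
  const bare = name.replace(/^@[^/]+\//, ""); // strip an npm scope prefix
  if (known.includes(bare)) return null;
  const tokens = bare.split(/[-_.]/);
  for (const k of known) {
    if (tokens.includes(k)) return k;        // "keythereum-utils" -> keythereum
    if (levenshtein(bare, k) <= 2) return k; // "lodahs" -> lodash
  }
  return null;
}

// Lines in the changed source that load a module via require() or import,
// so the reviewer can read exactly what the new dependency is used for.
function loadSites(sourceLines, dep) {
  const needles = [`require("${dep}")`, `require('${dep}')`, `from "${dep}"`, `from '${dep}'`];
  return sourceLines
    .map((text, i) => ({ line: i + 1, text }))
    .filter(({ text }) => needles.some((n) => text.includes(n)));
}

// Every new dependency is reported; look-alikes get "high" severity so they
// are not lost in a multi-thousand-line diff.
function reviewChange(before, after, sourceLines, known = KNOWN_PACKAGES) {
  return newDependencies(before, after).map((dep) => {
    const resembles = lookalikeOf(dep, known);
    return {
      dependency: dep,
      version: (after.dependencies || {})[dep] || (after.devDependencies || {})[dep],
      resembles,
      loadedAt: loadSites(sourceLines, dep).map((s) => s.line),
      severity: resembles ? "high" : "review",
    };
  });
}

// Constructed sample: a two-line change hidden inside a larger "modernisation" PR.
const before = { dependencies: { keythereum: "^1.2.0", ethers: "^6.0.0" } };
const after = {
  dependencies: { keythereum: "^1.2.0", ethers: "^6.0.0", "keythereum-utils": "^1.0.0", prettier: "^3.0.0" },
};
const changedSource = [
  "const ethers = require('ethers');",
  "const keythereum = require('keythereum');",
  "const utils = require('keythereum-utils'); // runs whatever the package ships",
  "module.exports = { ethers, keythereum, utils };",
];

function printReport(findings) {
  for (const f of findings) {
    console.log(`[${f.severity}] ${f.dependency}@${f.version}` +
      (f.resembles ? ` resembles ${f.resembles}` : "") +
      (f.loadedAt.length ? ` loaded at line(s) ${f.loadedAt.join(", ")}` : ""));
  }
}

printReport(reviewChange(before, after, changedSource));
```

Run it with node. In a real review, feed it the base and head package.json of the pull request plus the changed files, and treat any "high" finding as a reason to read the dependency's published tarball before merging: in the ETHcode case the malicious logic lived in the dependency, not in the PR diff, so a diff reviewer who never opened the package saw only a harmless-looking require.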

RL continues to monitor the situation and share updates with the community.
The company has also launched a VS Code community on secure.software, enabling developers to query and assess suspicious extensions.
As this incident demonstrates, even trusted software can be compromised with minimal changes, making rigorous review and proactive security measures essential in defending against modern supply chain attacks.
Indicators of Compromise (IOCs):
Malicious npm dependency:

| Package Name | Version | SHA1 |
|---|---|---|
| keythereum-utils | 1.2.1 | 17802c834861bb983a248234b0a5d17a62fe4474 |
| keythereum-utils | 1.2.2 | 0a9b47d707e167af384403af7c466eb43d46f343 |
| keythereum-utils | 1.2.3 | 442cac64cd5e7783503970c446a1d0d0a0dab69d |
| keythereum-utils | 1.2.4 | 933967db50602a058bd1764c44fc98305866e89e |
| keythereum-utils | 1.2.5 | 351a25bd647587aaf76bd8a303a687bb6ad79f8f |
| keythereum-utils | 1.2.7 | e37adafde5e03001172663256cf3d480e3765b91 |

Compromised VS Code extension release:

| Package Name | Version | SHA1 |
|---|---|---|
| 7finney.ethcode | 0.5.0 | 8f93077e8193996fc096de359401a8e9aa6ffc7f |