A popular code editor extension listed on the Open VSX registry was found to contain hidden code that silently fetched and executed a remote access trojan (RAT) and a full infostealer on developer machines, with no visible sign to the user.
The extension, published as fast-draft under the KhangNghiem account, had accumulated over 26,000 downloads before the malicious code embedded in several specific releases came to light.
The attack was confined to specific releases rather than the whole release line. Versions 0.10.89, 0.10.105, 0.10.106, and 0.10.112 each contained code that reached out to a GitHub repository under an account named BlokTrooper.
The extension pulled platform-specific shell scripts from raw.githubusercontent[.]com/BlokTrooper/extension and piped the response straight into a system shell (the classic "curl | sh" pattern), and that script in turn downloaded and executed a second-stage malware payload on the victim's machine.
Other releases, including 0.10.88, 0.10.111, and the latest version 0.10.135, show no such behavior. That alternation points toward a compromised publisher account or a stolen release token rather than a maintainer who turned malicious on purpose.
Aikido analysts identified the compromised extension during a careful, manual version-by-version review of the fast-draft release line.
The team disclosed the issue to the extension maintainer on March 12, 2026, through a public GitHub issue, but the report had received no response at the time of publication.
The impact of this compromise is both broad and serious. Any developer who installed one of the malicious versions and loaded it in their editor unknowingly handed the attacker remote control of their machine.
The second-stage payload ran four independent modules in parallel, targeting browser credentials, crypto wallet data, local files and source code, and clipboard contents.
With 26,594 recorded downloads of the extension on the Open VSX registry (a cumulative figure across all versions, so the number of users who actually received a malicious build is lower and unknown), the potential exposure across open-source developers and software teams around the world is very significant.
The wider danger here is how the malware concealed itself inside a tool developers already trusted on a daily basis. Editor extensions run in the extension host with the full privileges of the logged-in user and no permission prompts, making them a highly attractive target for supply chain attacks.
The alternating clean-and-malicious version pattern suggests someone with intermittent access to the publisher's release pipeline. It is also why a scan of only the latest version comes back clean: catching this kind of compromise requires reviewing every published version, not just the current one.
Inside the Second-Stage Attack Framework
Once the shell downloader executed, it pulled a ZIP archive, extracted it to a temporary directory, and launched four detached Node.js processes, with each one handling a separate part of the overall attack.
The first module connected back to the command-and-control (C2) server at 195[.]201[.]104[.]53 over port 6931 using Socket.IO, giving the attacker live control over mouse movement and keyboard input as well as screenshot and clipboard capture.
The second module swept through browser profiles on Chrome, Edge, Brave, and Opera across Windows, macOS, and Linux, stealing saved passwords and web data.
It also targeted 25 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, and Trust Wallet, and uploaded the collected data to port 6936 on the same C2 server.
The third module recursively scanned the home directory for documents, environment files, private keys, shell history, and source code.
It deliberately skipped folders such as .cursor, .claude, and .windsurf, an exclusion list tuned to machines running AI coding assistants like Cursor, Claude Code, and Windsurf, a sign that the author expected to land on AI-assisted developer workstations.
The fourth module polled the clipboard every few seconds and sent captured content — including seed phrases, API keys, and passwords — straight to /api/service/makelog on the C2 server.
Developers should immediately check for any installed version of fast-draft matching 0.10.89, 0.10.105, 0.10.106, or 0.10.112 and remove it without delay. Open VSX is the registry used by VS Code forks such as VSCodium, Cursor, and Windsurf, so check each editor's own extensions directory, not only the one for VS Code.
All stored credentials, cryptocurrency wallet seed phrases, and API keys on affected machines should be rotated promptly. Because the RAT module gave the attacker interactive control, an affected machine should be treated as fully compromised and rebuilt rather than cleaned in place.
Network teams should block and monitor all outbound traffic to 195[.]201[.]104[.]53 on ports 6931, 6936, and 6939, and flag any requests to raw.githubusercontent[.]com/BlokTrooper in proxy logs. The host is shared GitHub infrastructure, so match on the full path rather than the domain, which cannot be blocked outright without breaking legitimate downloads.