Software developers are facing a tricky new cybersecurity threat that hides inside the very tools they use to write code. According to Bitdefender, a malicious extension targeting the Windsurf IDE has been discovered. The IDE is the digital workspace in which programmers build software, which makes it a lucrative target for hackers looking for sensitive data.
The attack relies on a fake extension that pretends to be a helpful tool for the “R” programming language. To trick unsuspecting users, the hackers named their file reditorsupporter.r-vscode-2.8.8-universal. The name was chosen because it looks almost identical to that of a popular, legitimate tool called REditorSupport. Researchers noted that the malicious package was “disguised as a legitimate R extension” to gain a foothold inside a developer’s private environment.
Hiding Spot on the Blockchain
What makes this discovery particularly interesting is how the malware communicates. It doesn’t use a standard server that could be easily blocked by a firewall; instead, it uses the Solana blockchain. The malware sends requests to the Solana network to “retrieve encrypted JavaScript fragments” hidden within digital transactions, Bitdefender’s researchers explained in the blog post shared with Hackread.com.
Researchers also found that the malware drops specific files, such as w.node and c_x64.node, once it gets onto a computer. These files act as the heavy lifters that carry out the actual data theft.
Selective Targeting
The malware is surprisingly selective about whom it robs. Before it starts stealing, it runs a “system profiling” check to see where the user is located. If it finds any link to Russia, such as time zones like Europe/Samara, Asia/Yekaterinburg, or Asia/Magadan, it shuts itself down. According to researchers, this is a “deliberate exclusion” used by cybercriminals to avoid attracting the attention of their own local law enforcement.
If the victim is anywhere else, the malware gets to work stealing passwords and session cookies from browsers like Google Chrome. Further probing revealed that the infection is self-sustaining; it uses a PowerShell script to create a hidden task called UpdateApp that runs every time the computer starts. This ensures that even if the coding software is closed, the hackers keep their access.
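As an added example (not code from the article or from Bitdefender), the following PowerShell triage script checks a Windows developer workstation for the indicators described above: the hidden UpdateApp scheduled task, extension directories whose publisher id resembles REditorSupport but does not match it exactly, and the dropped w.node and c_x64.node files. The Windsurf extension directory (~/.windsurf/extensions) is an assumption modelled on VS Code's ~/.vscode/extensions layout; the task name, file names and publisher id come from the article.

```powershell
# Added triage script, not from the article or Bitdefender. Hunts for the
# indicators reported in the write-up on a Windows developer workstation.

# 1. Persistence: the scheduled task the write-up says the PowerShell dropper registers.
$taskName = 'UpdateApp'
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    Write-Warning "Scheduled task '$taskName' present (state: $($task.State))"
    foreach ($action in $task.Actions) {
        # Show what the task launches; a script interpreter here deserves a closer look.
        Write-Output ("  Action:  {0} {1}" -f $action.Execute, $action.Arguments)
    }
    foreach ($trigger in $task.Triggers) {
        # Logon/boot triggers match the "runs every time the computer starts" behaviour.
        Write-Output ("  Trigger: {0}" -f $trigger.CimClass.CimClassName)
    }
} else {
    Write-Output "No scheduled task named '$taskName' found."
}

# 2. Lookalike extension ids and dropped native modules.
# Assumption: Windsurf stores extensions under ~/.windsurf/extensions, mirroring
# VS Code's ~/.vscode/extensions; both roots are checked in case either exists.
$extensionRoots = @(
    (Join-Path $env:USERPROFILE '.windsurf\extensions'),
    (Join-Path $env:USERPROFILE '.vscode\extensions')
)
$legitPublisher = 'reditorsupport'          # publisher id of the genuine R extension
$droppedFiles   = @('w.node', 'c_x64.node')  # file names reported in the write-up

foreach ($root in $extensionRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $dir = $_
        # Extension folders are named <publisher>.<name>-<version>; take the publisher part.
        $publisher = ($dir.Name -split '\.')[0].ToLowerInvariant()
        # Flag ids that start with the legitimate publisher but are not equal to it
        # (e.g. "reditorsupporter" from the campaign's file name).
        if ($publisher -ne $legitPublisher -and $publisher -like "$legitPublisher*") {
            Write-Warning "Lookalike extension directory: $($dir.FullName)"
        }
        # Flag the native modules the write-up reports being dropped.
        Get-ChildItem -Path $dir.FullName -Recurse -File -Include $droppedFiles -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Warning "Suspicious native module: $($_.FullName)" }
    }
}
```

Run it from an elevated PowerShell session so Get-ScheduledTask can see tasks registered by other accounts; a hit on any of the three checks is a reason to isolate the machine and rotate the browser sessions and API keys the article says this malware collects.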
Researchers noted that this campaign specifically targets developers because they usually hold “high-value credentials” like API keys, which are essentially master keys to a company’s entire network. As these tools become more central to modern work, it becomes essential for us to be extra careful about which extensions we allow into our workspaces.