A malicious Visual Studio Code extension posing as the popular “Material Icon Theme” has been used to attack Windows and macOS users, turning the add-on into a hidden backdoor.
The fake extension shipped through the marketplace with backdoored files, giving the attackers a direct path into developer workstations once it was installed.
After installation, the extension behaved like a normal icon theme, so most users had no reason to suspect anything was wrong.
Behind the scenes, the package contained two Rust-based implants that were ready to run native code on both operating systems and reach out to a remote command server.
Nextron Systems security researchers identified the implants in version 5.29.1 and traced their execution back to a loader script named extension.js placed in dist/extension/desktop next to the native payloads os.node on Windows and darwin.node on macOS.
Placing the files there mirrors the folder tree of the real extension, so the malicious additions blend in with the legitimate layout.
Once the extension is activated in VS Code, extension.js loads the correct Rust implant for the current platform and hands control over to the attacker code.
From that moment, the extension stops being a harmless add-on and becomes a loader for further stages that are fully controlled from outside the victim machine.
Infection mechanism and command chain
This section provides a complete technical breakdown of how the implants talk to their command server and fetch follow-up payloads.
The Rust binaries do not use a fixed URL. Instead, they pull their instructions from data stored in a Solana blockchain wallet address, which acts as a hard-to-block control channel.
A simplified view of the loader logic in extension.js:
// Simplified loader: pick the native implant for the host OS and run it.
function activate() {
  // Windows gets os.node; macOS gets darwin.node.
  const bin = process.platform === "win32" ? "os.node" : "darwin.node";
  // Both files sit beside this script in dist/extension/desktop.
  const native = require(__dirname + "/desktop/" + bin);
  // Control passes to the Rust implant here.
  native.run();
}
module.exports = { activate };
The native code reads the wallet data, base64-decodes it, and then contacts a command server to download a large base64 blob, which is an AES-256-CBC-encrypted JavaScript file.
As a backup, the same next stage can also be fetched from a hidden Google Calendar event that stores the payload URL with invisible Unicode tricks. Together these steps form the C2 chain from the blockchain wallet, through the command server, to the decrypted script.
