Security researchers at Annex Security have uncovered a malicious VS Code extension in the Open VSX registry that masquerades as the popular Angular Language Service.
Published two weeks ago, it amassed 5,066 downloads before activating sophisticated malware.
The extension bundles legitimate Angular tooling (@angular/language-service 21.1.0-rc.0) and TypeScript 5.9.3.
However, it contains malicious code hidden in the extension/index.js file, posing a severe supply-chain risk to developers.
Malicious Activation and Encrypted Loader
The extension triggers on HTML or TypeScript files via package.json activation events: “onLanguage:html” and “onLanguage:typescript”.
Upon activation, it decrypts an embedded payload with Node.js crypto using AES-256-CBC. The loader feeds a large hex-encoded ciphertext through the decipher, waits briefly, and then evaluates the result:

```javascript
// `d` is the AES-256-CBC decipher created earlier; the hex string is the embedded ciphertext (truncated here)
let b = d.update('918f27c02746d05ee7d972e8985929708aea8...', 'hex', 'utf8');
b += d.final('utf8');
await new Promise(r => setTimeout(r, 500)); // short pause before execution
eval(b); // runs the decrypted stage-1 payload inside the extension host
```
The 500 ms delay is intended to slip past basic sandbox analysis; the decrypted payload then runs via eval with the full access to the VS Code API that any extension enjoys.
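A defender-side triage script, added here and not part of Annex's report, that walks installed extension directories and flags the two traits described above: the reported extension ID, and any non-bundled JavaScript file that hands a long hex literal to a decipher and also calls eval(). The extension ID comes from the report; the sample extension built by demo() is constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Extension ID named in the report; everything else here is a constructed example.
KNOWN_BAD_IDS = {"angular-studio.ng-angular-extension"}
# A long hex literal handed straight to a decipher (`.update('<hex>', 'hex', ...)`) ...
HEX_TO_DECIPHER_RE = re.compile(r"\.update\(\s*['\"][0-9a-fA-F]{64,}['\"]\s*,\s*['\"]hex['\"]")
# ... combined with eval() in the same file is the loader pattern described above.
EVAL_RE = re.compile(r"\beval\s*\(")

def scan_extension(ext_dir) -> list[str]:
    """Return findings for one installed extension directory (empty list if clean or absent)."""
    ext_dir = Path(ext_dir)
    pkg = ext_dir / "package.json"
    if not pkg.is_file():
        return []
    meta = json.loads(pkg.read_text(encoding="utf-8"))
    findings = []
    ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}"
    if ext_id in KNOWN_BAD_IDS:
        findings.append(f"known malicious id: {ext_id}")
    events = ",".join(meta.get("activationEvents", []))
    for js in ext_dir.rglob("*.js"):
        if "node_modules" in js.parts:  # bundled legitimate tooling lives here; the loader did not
            continue
        src = js.read_text(encoding="utf-8", errors="ignore")
        if HEX_TO_DECIPHER_RE.search(src) and EVAL_RE.search(src):
            findings.append(f"hex blob decrypted and eval'd in {js.relative_to(ext_dir)} (activates on: {events})")
    return findings

def scan_all(extensions_root) -> dict:
    # Scan every extension under e.g. ~/.vscode/extensions; map directory name -> findings
    root = Path(extensions_root)
    return {d.name: f for d in root.iterdir() if d.is_dir() and (f := scan_extension(d))}

def demo() -> list[str]:
    """Build a constructed look-alike of the reported extension in a temp dir and scan it."""
    ext = Path(tempfile.mkdtemp()) / "angular-studio.ng-angular-extension-1.0.0"
    (ext / "extension").mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({
        "publisher": "angular-studio", "name": "ng-angular-extension",
        "activationEvents": ["onLanguage:html", "onLanguage:typescript"]}))
    # Constructed stand-in for the loader: long hex literal -> decipher -> delay -> eval.
    (ext / "extension" / "index.js").write_text(
        "let b = d.update('" + "ab" * 40 + "', 'hex', 'utf8');\nb += d.final('utf8');\n"
        "await new Promise(r => setTimeout(r, 500));\neval(b);\n")
    return scan_extension(ext)
```

Run scan_all() against your editor's extensions directory; a hit on the eval pattern alone deserves manual review, since legitimate extensions have no reason to decrypt and eval an embedded blob.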
Solana Blockchain For Stealthy C2
The decrypted stage-1 payload queries Solana mainnet at BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC.
It extracts Base64-encoded URLs from the memo field of transactions to that address, a technique known as EtherHiding. For the attacker, the blockchain offers immutability, high availability, anonymity, and resistance to takedown.
As of January 28, 2026 (UTC), the memo decoded to hxxp://217.69.11.57/VAM%2Fkax5vb7d%2FkU7RDft8A%3D%3D. The address shows 10 updates in the past month, enabling dynamic payload changes.
| IOC Type | Value | Description |
|---|---|---|
| Extension ID | angular-studio.ng-angular-extension | Malicious Open VSX package |
| Solana Address | BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC | C2 memo field for payloads |
| C2 IP | 217.69.11.57 | Stage-2 payload server |
| C2 IP | 108.61.208.161 | Data exfiltration endpoint |
Geofencing Skips Russian Systems
Before fetching payloads, the malware checks for Russian locales to avoid detection:
```javascript
// Locale check across the username, environment variables and similar values (list truncated)
let isRussianLanguage = [os.userInfo().username, process.env.LANG /* etc */].some(info => /ru_RU|ru-RU|Russian/i.test(info));
let russianTimezones = ["Europe/Moscow" /* etc */];
// Abort before fetching any payload if the host looks Russian
if (_isRussianSystem()) return;
```
It checks usernames, LANG variables, timezones, and UTC offsets (+2 to +12 hours), and terminates on a match, a geofencing behaviour common in malware attributed to Russian-affiliated actors.
Persistence and Platform-Specific Execution
It creates init.json in the user’s home directory (e.g., %APPDATA% on Windows) to track execution, refreshing timestamps every 48 hours.
Platform detection routes execution to a macOS-specific path, or to eval inside a Node.js vm sandbox on other platforms; in both cases it fetches encrypted payloads whose decryption keys are delivered in HTTP response headers.
Stealer Targets Developers and Assets
The final stage steals developer credentials for supply-chain attacks:
- NPM/GitHub Theft: Dumps .npmrc tokens, env vars, git credentials, and VS Code OAuth storage; validates via API pings.
- Crypto Wallets: Scans 60+ types (MetaMask, Phantom); kills Chrome/Firefox to grab databases.
- Persistence: Deploys a hidden Node.js binary, Scheduled Task “UpdateApp”, and Registry Run key.
- Exfil: Zips data, POSTs to 108.61.208.161; uses Google Calendar for dynamic C2 updates.
Looming Worm Threat
With weeks of exposure, infected Angular developers risk compromising NPM packages or GitHub repos.
Annex warns that this campaign follows the pattern of prior attacks such as Shai-Hulud and may lead to self-propagation.
Open VSX's lax publishing controls enable such threats, so organizations must proactively scan the extensions they install.
Researchers urge immediate uninstallation and credential rotation. Annex offers payload decryption services for verification.