VS Code Extension Weaponized With Two Lines of Code Leads to Supply Chain Attack


A sophisticated supply chain attack has compromised ETHcode, a popular Visual Studio Code extension for Ethereum development, through a malicious GitHub pull request that required just two lines of code to weaponize the trusted software.

The attack, discovered by ReversingLabs researchers, demonstrates how threat actors can infiltrate legitimate development tools with minimal code changes, potentially affecting thousands of cryptocurrency developers worldwide.

The compromise began on June 17, 2025, when a user named Airez299 submitted a GitHub pull request to the ETHcode project with the seemingly benign message, “Modernize codebase with viem integration and testing framework.”


ETHcode, developed by the 7finney organization, is a legitimate VS Code extension with nearly 6,000 user installations that enables Ethereum developers to test, debug, and deploy smart contracts across EVM-based blockchains.

The malicious pull request appeared highly beneficial at first glance, claiming to add new features, remove outdated configurations, and modernize the codebase.

[Image: weaponized extension]

The submission was particularly convincing because the ETHcode project had been dormant for more than six months, with its last legitimate update occurring on September 6, 2024.

Both human reviewers from the 7finney organization and GitHub’s Copilot AI reviewer examined the code and found nothing suspicious, approving the changes after requesting minor modifications.

Technical Analysis of the Two-Line Attack

Hidden within 43 commits and approximately 4,000 lines of changed code were two critical lines that would compromise the entire extension.

The first line introduced a new dependency called “keythereum-utils,” cleverly named to appear as a legitimate helper library for the existing “keythereum” package already used by the project.

This naming convention was designed to raise minimal suspicion among reviewers. The second line of malicious code invoked Node.js’s “require” function to load and execute the newly introduced dependency.
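The two changes described above (a new dependency whose name piggybacks on an existing one, plus a bare require() that loads it purely for its side effects) are cheap to flag mechanically at review time. The following is an added example written for this article, not code from ETHcode, 7finney or ReversingLabs: it compares the dependency lists of a package.json before and after a pull request, scans the added lines of a unified diff for side-effect-only require() calls, and combines the two into a ranked report. The package.json contents, the diff, the file path src/extension.js and the "vitest" dependency are constructed for the example; only "keythereum" and "keythereum-utils" come from the article.

```javascript
// Added review-time heuristics for a Node.js pull request (example code, not
// the ETHcode project's own). Two signals are combined:
//  1. a newly added dependency whose name is an existing dependency plus a
//     "-suffix" ("keythereum" -> "keythereum-utils") is a lookalike;
//  2. an added line that calls require() without binding or using the result
//     loads a module purely for its side effects, which is how a dependency
//     can execute code at extension load without touching any feature.
// Everything except the keythereum / keythereum-utils names is constructed.

// Severity ordering used for the final report.
const RANK = { high: 3, medium: 2, info: 1 };

// Return dependencies present in `after` but not in `before`, each tagged with
// the existing dependency it imitates (existing name + "-" prefix), or null.
function findNewDependencies(before, after) {
  const depNames = (pkg) => [
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ];
  const oldDeps = new Set(depNames(before));
  const findings = [];
  for (const name of new Set(depNames(after))) {
    if (oldDeps.has(name)) continue;
    let imitates = null;
    for (const existing of oldDeps) {
      if (name.startsWith(existing + "-")) { imitates = existing; break; }
    }
    findings.push({ name, imitates });
  }
  return findings;
}

// Matches a whole statement that only loads a module, e.g. `require("x");`
// (the export is neither assigned nor called, so nothing uses it).
const BARE_REQUIRE = /^\s*require\(\s*(['"])([^'"]+)\1\s*\)\s*;?\s*$/;

// Scan the "+" lines of a unified diff for bare require() statements.
// Returns [{ file, module, line }].
function findBareRequires(unifiedDiff) {
  const findings = [];
  let file = null;
  for (const raw of unifiedDiff.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    if (!raw.startsWith("+")) continue; // context, removed and "@@" lines
    const added = raw.slice(1);
    const m = BARE_REQUIRE.exec(added);
    if (m) findings.push({ file, module: m[2], line: added.trim() });
  }
  return findings;
}

// Combine both signals: a new lookalike dependency that is also loaded only
// for its side effects is "high"; either signal alone is "medium"; a new
// dependency with neither is "info" so the reviewer still sees it.
function reviewPullRequest(before, after, unifiedDiff) {
  const newDeps = findNewDependencies(before, after);
  const bare = findBareRequires(unifiedDiff);
  const bareModules = new Set(bare.map((b) => b.module));
  const report = [];
  for (const d of newDeps) {
    const sideEffectOnly = bareModules.has(d.name);
    const severity = d.imitates && sideEffectOnly ? "high"
      : d.imitates || sideEffectOnly ? "medium" : "info";
    report.push({ name: d.name, imitates: d.imitates, sideEffectOnly, severity });
  }
  for (const b of bare) { // bare requires of modules that were already present
    if (!newDeps.some((d) => d.name === b.module)) {
      report.push({ name: b.module, imitates: null, sideEffectOnly: true, severity: "medium" });
    }
  }
  return report.sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// Constructed sample input: package.json before and after the change, and a
// diff whose first added line is the side-effect-only require.
const packageBefore = { name: "example-extension",
  dependencies: { keythereum: "^1.2.0", viem: "^2.0.0" } };
const packageAfter = { name: "example-extension",
  dependencies: { keythereum: "^1.2.0", viem: "^2.0.0",
                  "keythereum-utils": "^1.0.0", vitest: "^1.0.0" } };
const constructedDiff = [
  "--- a/src/extension.js",
  "+++ b/src/extension.js",
  "@@ -1,3 +1,4 @@",
  " const vscode = require('vscode');",
  "+require('keythereum-utils');",
  "+const { createPublicClient } = require('viem');",
  " const keythereum = require('keythereum');",
].join("\n");

console.log(JSON.stringify(reviewPullRequest(packageBefore, packageAfter, constructedDiff), null, 2));
```

On the sample input the report lists "keythereum-utils" first with severity "high" (imitates "keythereum" and is loaded only for side effects) and "vitest" as "info". A lookalike prefix match is a deliberately broad heuristic; the point is to force a human look at any new dependency that is never actually used by the code that introduced it.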

When researchers analyzed the keythereum-utils package, they discovered heavily obfuscated JavaScript code that, when deobfuscated, revealed its true purpose: spawning a hidden PowerShell process that downloads and executes a batch script from a public file-hosting service.

The attack’s effectiveness was amplified by VS Code’s automatic extension update feature, which means the malicious code was automatically distributed to nearly 6,000 users without their knowledge.

[Image: malicious code]

ReversingLabs researchers promptly notified Microsoft’s Visual Studio Marketplace administrators about the discovery, resulting in the complete removal of the compromised extension from the marketplace by June 26.

The extension’s author at 7finney has since issued a corrective update, with ETHcode version 0.5.1 published on July 1st, removing the malicious dependency and restoring the extension to the marketplace.

Researchers are still investigating the second-stage payload’s exact capabilities; given the crypto-focused nature of the target, it likely aims to steal cryptocurrency assets or compromise Ethereum smart contracts under development.

This incident highlights critical vulnerabilities in modern software development workflows.

The attack succeeded despite multiple layers of review because the Airez299 account was created specifically for this purpose on the same day as the pull request, with no previous history or activity.

The compromise demonstrates that even trusted, legitimate software can be weaponized through minimal code changes, making supply chain attacks an increasingly serious threat to the development community.
