Hackers have successfully weaponized a popular Open VSX extension, the ‘Angular Language Service,’ to distribute sophisticated malware that has infected over 5,000 developer workstations. The malicious extension, which mimicked a legitimate productivity tool for Angular developers, operated undetected for two weeks within the Open VSX marketplace before being flagged by security analysts.
The compromised extension operated by bundling authentic Angular and TypeScript components with an encrypted malicious payload. The hidden code activated when a developer opened specific HTML or TypeScript files, decrypting the payload with AES-256-CBC. The malware then established covert communication channels with command-and-control (C2) infrastructure hosted on the Solana blockchain. This novel approach leverages the blockchain’s inherent immutability and resistance to censorship, making the infrastructure significantly harder for security teams to dismantle.
Open VSX Extension Compromised by Advanced Malware
According to an analysis by Annex, the threat actor behind this campaign specifically targeted valuable developer credentials. This includes authentication details for NPM and GitHub, cryptocurrency wallets spanning over 60 different platforms, and sensitive browser-stored authentication tokens. The malware also appears to incorporate geographic filtering, actively avoiding execution on systems located in Russia, which suggests a potential origin from Russian-speaking threat groups seeking to evade domestic legal repercussions.
The capabilities of this malware extend beyond basic information theft. Researchers observed the malicious code terminating browser processes to gain access to encrypted database files, extracting OAuth tokens directly from VS Code configurations, and performing real-time validation of stolen credentials. Exfiltrated data is compressed and sent to C2 servers, with backup server addresses retrieved through compromised Google Calendar links when primary communication pathways are disrupted.
Blockchain-Based Command Infrastructure for Enhanced Evasion
A significant aspect of this attack is its innovative use of the Solana blockchain for command-and-control operations, a technique referred to as “Etherhiding.” Following its initial activation, the compromised extension queries a specific Solana wallet address. Encoded instructions are embedded within the memo fields of transactions associated with this wallet. This architecture offers several advantages to the attackers.
The immutability of the blockchain ensures that configuration data persists indefinitely, providing a stable and reliable source for instructions. Public RPC endpoints associated with the blockchain offer highly available communication channels. Crucially, this method allows attackers to update payload URLs and other critical C2 information without needing to modify and re-publish the malicious extension to the Open VSX marketplace, greatly enhancing their agility.
The Solana wallet address, identified as BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC, has reportedly received at least ten configuration updates over the past month. The most recent update was noted on January 28, 2026. Each update can deliver new server addresses that host encrypted secondary payloads, allowing the attackers to rapidly adapt their infrastructure in response to security efforts. This decentralized and resilient C2 infrastructure presents a formidable challenge for cybersecurity professionals attempting to neutralize the threat.
The discovery highlights the growing sophistication of malware distribution techniques and the evolving tactics employed by threat actors to target the software development ecosystem. Developers are strongly advised to review installed extensions for suspicious activity and maintain vigilance regarding the permissions and behavior of third-party tools integrated into their development environments.
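The behaviour described above (activation on HTML/TypeScript files, an embedded AES-256-CBC-decrypted payload, and configuration fetched from Solana RPC endpoints) can be turned into a simple local triage heuristic for installed extensions. The following is an added example, not code from the article or from Annex; the extension names, file contents and detection patterns are constructed for illustration and are not published indicators.

```python
import base64, hashlib, json, math, re, tempfile
from pathlib import Path

# Heuristics mirroring the article's description; constructed patterns, not vendor IoCs.
ACTIVATION_TRIGGERS = {"onLanguage:html", "onLanguage:typescript"}
CODE_PATTERNS = {
    "aes-256-cbc decryption": re.compile(r"aes-256-cbc", re.I),
    "solana RPC endpoint": re.compile(r"https?://[\w.-]*solana\.com", re.I),
}
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64-looking run
ENTROPY_THRESHOLD = 5.0  # bits/char: source text sits well below, ciphertext near 6

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def scan_extension(ext_dir: Path) -> list:
    """Return human-readable findings for one installed extension directory."""
    pkg = json.loads((ext_dir / "package.json").read_text())
    findings = []
    if ACTIVATION_TRIGGERS & set(pkg.get("activationEvents", [])):
        findings.append("activates on HTML/TypeScript files")
    for js in sorted(ext_dir.rglob("*.js")):
        src = js.read_text(errors="ignore")
        findings += [f"{name} in {js.name}" for name, rx in CODE_PATTERNS.items() if rx.search(src)]
        if any(shannon_entropy(b) > ENTROPY_THRESHOLD for b in BLOB_RE.findall(src)):
            findings.append(f"high-entropy embedded blob in {js.name}")
    return findings

def scan_all(extensions_root: Path) -> dict:
    """Scan every extension directory (e.g. ~/.vscode/extensions) that carries a package.json."""
    return {d.name: scan_extension(d) for d in sorted(extensions_root.iterdir())
            if (d / "package.json").is_file()}

def build_sample(root=None) -> Path:
    """Constructed fixture: one benign extension and one mimicking the described behaviour."""
    root = root or Path(tempfile.mkdtemp())
    benign = root / "acme.snippets-1.0.0"; benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({"name": "snippets", "activationEvents": ["onCommand:snippets.insert"]}))
    (benign / "extension.js").write_text("exports.activate = () => console.log('snippets ready');\n")
    bad = root / "example.fake-language-service-0.0.1"; bad.mkdir()
    (bad / "package.json").write_text(json.dumps({"name": "fake-language-service", "activationEvents": sorted(ACTIVATION_TRIGGERS)}))
    blob = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(12))).decode()
    (bad / "extension.js").write_text(
        "const c = require('crypto');\nconst payload = '" + blob + "';\n"
        "const d = c.createDecipheriv('aes-256-cbc', key, iv);\n"
        "fetch('https://api.mainnet-beta.solana.com', {method: 'POST'});\n")
    return root

if __name__ == "__main__":
    for name, hits in scan_all(build_sample()).items():
        print(name, "->", hits or ["clean"])
```

Any single finding is a prompt for manual review rather than proof of compromise; legitimate extensions can embed large assets or use Node's crypto module, so the value lies in flagging the combination of triggers seen together.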