A widely used code editor extension, fast-draft, found on the Open VSX registry, was discovered to harbor malicious code. This hidden malware silently deployed a remote access trojan (RAT) and a comprehensive infostealer onto unsuspecting developer workstations. The compromised extension, published under the KhangNghiem account, had amassed over 26,000 downloads before the malicious activity spanning several specific releases was brought to light.
The attack campaign followed a calculated pattern across particular versions of the extension. Releases 0.10.89, 0.10.105, 0.10.106, and 0.10.112 contained embedded code that connected to a GitHub repository controlled by a threat actor identified as BlokTrooper. The extension fetched platform-specific shell scripts from raw.githubusercontent[.]com/BlokTrooper/extension and immediately piped the downloaded content into a system shell. According to Aikido's analysis, this resulted in the automatic download and execution of a full second-stage malware payload on affected victim machines.
Inside the Backdoored Open VSX Extension Attack
Aikido security analysts identified the compromised extension during a meticulous, version-by-version manual review of the fast-draft release lineage. The malicious activity was not present in other releases, such as 0.10.88, 0.10.111, and the latest version 0.10.135, suggesting a potential compromise of the publisher’s account or a stolen release token rather than a deliberate malicious act by the maintainer. The team disclosed the findings to the extension’s maintainer on March 12, 2026, via a public GitHub issue, but had received no response at the time of publication.
The ramifications of this supply chain attack are significant. Developers who had installed one of the affected versions inadvertently granted the attacker extensive control over their machines. The subsequent malware payload deployed four independent attack modules concurrently, targeting sensitive data stored by browsers, cryptocurrency wallets, local files, source code repositories, and clipboard contents. With over 26,594 downloads from the Open VSX registry, the potential exposure among open-source developers and software development teams globally is substantial.
The broader danger lies in the malware’s stealthy integration into a tool developers readily trust for their daily workflow. Code editor extensions often possess broad system permissions, making them an attractive target for supply chain attacks. The observed pattern of alternating clean and malicious versions strongly indicates intermittent access to the publisher’s release pipeline, a scenario that automated security scanning might miss without thorough manual investigation.
Second-Stage Attack Framework Details
Upon execution, the shell downloader retrieved a ZIP archive from the attacker’s infrastructure. This archive was then extracted to a temporary directory, and four detached Node.js processes were initiated. Each process was responsible for a distinct component of the overall malicious operation.
The first module established a connection to a command-and-control (C2) server located at 195[.]201[.]104[.]53 on port 6931, utilizing Socket.IO. This connection enabled the attacker to remotely control mouse movements and keyboard inputs, capture screenshots, and read clipboard data in real time.
The second module systematically scanned browser profiles across popular web browsers—Chrome, Edge, Brave, and Opera—on Windows, macOS, and Linux systems. It exfiltrated saved passwords and web data. Additionally, it targeted 25 different cryptocurrency wallet extensions, including prominent ones like MetaMask, Phantom, Coinbase Wallet, and Trust Wallet, uploading the collected sensitive information to port 6936 on the same C2 server.
The third module performed a recursive scan of the user’s home directory, searching for documents, environment files, private keys, shell history, and source code. Notably, it deliberately excluded specific folders, such as .cursor, .claude, and .windsurf, indicating an intent to target high-value data associated with AI-assisted developer environments.
The fourth module continuously monitored the system clipboard at short intervals. Any captured content, including cryptocurrency seed phrases, API keys, and passwords, was directly transmitted to the /api/service/makelog endpoint on the attacker’s C2 server.
Developers are strongly advised to immediately check their systems for any installed versions of fast-draft corresponding to 0.10.89, 0.10.105, 0.10.106, or 0.10.112 and remove them without delay. Following this, all stored credentials, cryptocurrency wallet seed phrases, and API keys on potentially affected machines should be promptly rotated. Network security teams should implement blocks and monitoring for all outbound traffic to 195[.]201[.]104[.]53 on ports 6931, 6936, and 6939. Additionally, any requests to raw.githubusercontent[.]com/BlokTrooper should be flagged in network logs for further investigation.
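As an added defensive example (not code from the Aikido write-up or the fast-draft project), the script below flags installed fast-draft builds at the affected versions by reading VS Code-style extension package.json manifests, and checks proxy or firewall log lines against the indicators listed above. The manifest layout, the presence of a publisher field, and the log line formats are assumptions.

```python
"""Triage helpers for the fast-draft incident: affected-version check and
indicator matching. Assumes extension manifests live at
<root>/<publisher>.<name>-<version>/package.json (assumption, not verified)."""
import json
import re
from pathlib import Path
from typing import Iterable, Optional

AFFECTED_VERSIONS = {"0.10.89", "0.10.105", "0.10.106", "0.10.112"}
# Indicators from the write-up, kept defanged and re-fanged only for matching.
C2_IP = "195[.]201[.]104[.]53".replace("[.]", ".")
C2_PORTS = {6931, 6936, 6939}
STAGER_PREFIX = "raw.githubusercontent[.]com/BlokTrooper".replace("[.]", ".")
_ENDPOINT_RE = re.compile(re.escape(C2_IP) + r":(\d{1,5})\b")


def affected_manifests(manifests: Iterable[dict]) -> list:
    """Return (publisher, version) for each parsed package.json of an affected build."""
    hits = []
    for m in manifests:
        if m.get("name") == "fast-draft" and m.get("version") in AFFECTED_VERSIONS:
            hits.append((m.get("publisher", "?"), m["version"]))
    return hits


def scan_extension_root(root: str) -> list:
    """Read every <root>/*/package.json and report affected fast-draft installs."""
    manifests = []
    for manifest in Path(root).glob("*/package.json"):
        try:
            manifests.append(json.loads(manifest.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it, do not abort the sweep
    return affected_manifests(manifests)


def flag_log_line(line: str) -> Optional[str]:
    """Return a reason string if a proxy/firewall log line matches an indicator."""
    if STAGER_PREFIX in line:
        return "stager fetch from BlokTrooper GitHub path"
    m = _ENDPOINT_RE.search(line)
    if m and int(m.group(1)) in C2_PORTS:
        return f"C2 traffic to {C2_IP}:{m.group(1)}"
    return None


if __name__ == "__main__":
    # Constructed sample log lines, not captured traffic.
    for line in ["ALLOW tcp 10.0.0.7:51022 -> 195.201.104.53:6931",
                 "GET https://raw.githubusercontent.com/BlokTrooper/extension/x.sh",
                 "ALLOW tcp 10.0.0.7:51030 -> 151.101.1.69:443"]:
        print(flag_log_line(line) or "clean", "|", line)
```

Point `scan_extension_root` at each editor's extension directory in use (for example `~/.vscode/extensions` or the equivalent for VSCodium-based editors) and rotate credentials on any machine where it reports a hit.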