A dangerous malware campaign has infiltrated the Open VSX extension marketplace, compromising over 5,000 developer workstations through a fake Angular Language Service extension. <\/p>\n
The malicious package disguised itself as legitimate development tooling, bundling authentic Angular and TypeScript components alongside encrypted malware code that activates when developers open HTML or TypeScript files.<\/p>\n
The extension operated undetected for two weeks in the Open VSX marketplace, presenting itself as a trusted productivity tool for Angular developers. <\/p>\n
Once installed, it immediately began decrypting hidden payloads using AES-256-CBC encryption, establishing connections to command-and-control infrastructure hosted on the Solana blockchain. <\/p>\n
This approach provides attackers with persistent, censorship-resistant communication channels that cannot be easily taken down by security teams.<\/p>\n
Annex analysts identified<\/a> the malware after analyzing suspicious extension behavior within the Open VSX ecosystem. <\/p>\n The threat specifically targets developer credentials for NPM and GitHub, cryptocurrency wallets across 60 different platforms, and browser-stored authentication tokens. <\/p>\n Geographic filtering mechanisms prevent execution on Russian systems, suggesting the campaign originates from Russian-speaking threat groups seeking to avoid domestic prosecution.<\/p>\n The malware\u2019s capabilities extend beyond simple data theft<\/a>. It terminates browser processes to unlock database files, extracts OAuth tokens from VS Code configurations, and validates stolen credentials in real-time. <\/p>\n Exfiltrated data packages are compressed and transmitted to command servers, with backup infrastructure addresses retrieved through compromised Google Calendar links when primary channels become unavailable.<\/p>\n The malware employs a technique called \u201cEtherhiding\u201d to maintain resilient command-and-control operations through Solana<\/a> blockchain transactions. <\/p>\n After initial activation, the extension queries a specific Solana wallet address containing Base64-encoded instructions within transaction memo fields. <\/p>\n This architecture offers several advantages: blockchain immutability ensures configuration data persists indefinitely, public RPC endpoints remain highly available, and attackers can update payload URLs without modifying the published extension.<\/p>\n The Solana wallet address BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC has received 10 configuration updates over the past month, with the most recent modification occurring on January 28, 2026. <\/p>\n Each update delivers new server<\/a> addresses hosting encrypted secondary payloads, enabling attackers to adapt their infrastructure faster than defenders can respond. <\/p>\n This approach eliminates single points of failure and provides takedown resistance that traditional domain-based command systems cannot match.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Weaponized Open VSX Extension with Sophisticated Malware After Reaching 5060+ Downloads<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Angular](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgvqw7i_-ZxNb1EWKf0dVsg7lmwb8d43jRKpZGCi6dEfoeVHRwt18emv_mHS3JgbXfH-bZIYfC-UzPr1doAoDpEbV1uN4f-UEH2GFLO-IKk2udYd4lOj-N4KxYtNV7zIKAqZYLr8PwyOGmCmh1K661pCXxbiaTzJrSixronYjmlmL9CkHGqZOcl3ot7-VA\/s16000\/Angular%2520Language%2520Service%2520%28Source%2520-%2520Annex%29.webp?ssl=1\")
Blockchain-Based Command Infrastructure<\/strong><\/h2>\n
![\"Payload's](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiEFXfxArWbROAoUbw4yXD14jh8w2m85ZURf9rzFyrGXPU5M_c4ehi0zFkEp1TCKrG5Yws9HeM0ixPDFKAHug5me878p-RbBKIEobaK-ZxK6JLtxsRCqKJK9fY_qubI2Z_aFo0TXAjFHy_Vgoa3vlqCOUWrVpQnAof1wKP35fZWYRVYawj8smD0emUsQXM\/s16000\/Payload%27s%2520capabilities%2520%28Source%2520-%2520Annex%29.webp?ssl=1\")