Malicious IDE Extension Uses Solana Blockchain to Steal Developer Credentials
Posted: Thursday, Mar 19

Bitdefender researchers have uncovered a malicious extension targeting the Windsurf integrated development environment (IDE) that uses the Solana blockchain to deliver malware designed to steal sensitive data from developers.

The campaign disguises the extension as a tool for R language development inside Visual Studio Code–compatible environments. Once installed, it deploys a multi-stage NodeJS information stealer capable of extracting browser credentials, session cookies, and other sensitive data from Chromium-based browsers.

Researchers discovered the threat after Bitdefender Endpoint Detection and Response (EDR) alerts flagged suspicious activity linked to windsurf.exe on a corporate workstation. The user had installed what appeared to be a legitimate R development extension named reditorsupporter.r-vscode-2.8.8-universal, closely resembling the legitimate REditorSupport extension.

Once installed, the extension conceals its true functionality through encrypted JavaScript code that decrypts only after installation. The decrypted loader then retrieves additional malicious payloads embedded within Solana blockchain transactions, allowing attackers to bypass traditional command-and-control infrastructure and making takedown efforts significantly more difficult.

The malware performs a series of environment checks before executing its payload. These checks include gathering system information, examining locale and timezone data, and determining whether the infected system is located in Russia. If Russian indicators are detected, the malware terminates its execution.

According to Bitdefender researchers, the attack demonstrates how cybercriminals are increasingly exploiting trusted development environments and decentralized technologies to evade detection.

Key Findings From the Investigation

  • A fake R language extension distributed through the Windsurf IDE environment initiates the malware infection.
  • The extension hides its malicious code until after installation to avoid detection.
  • Instead of traditional command-and-control servers, attackers retrieve payloads directly from the Solana blockchain.
  • The malware targets developer environments to access high-value assets such as API keys and credentials.
  • Persistence is maintained through a hidden Windows scheduled task that relaunches the malware via a bundled NodeJS runtime.

As developers often have privileged access to systems, credentials, and API keys, targeting developers increases the attackers’ chances of accessing privileged environments, intellectual property, and sensitive credentials that can enable broader supply chain compromises.

Bitdefender advises developers and organisations to carefully verify extensions before installation, limit permissions granted to development tools, and monitor developer environments for unusual activity. Security teams should also enforce strict extension governance policies and deploy endpoint detection solutions capable of identifying malicious behaviour inside trusted software ecosystems.
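As an added, defender-side example (not Bitdefender's code and not drawn from its report data), the Python audit below walks an extensions folder and flags the two indicators named above: a publisher name that closely resembles the trusted REditorSupport publisher without matching it, and a Node.js runtime bundled inside the extension folder that a scheduled task could relaunch. The trusted-publisher list, the folder-name pattern and the sample tree built by `demo()` are assumptions constructed for this example.

```python
import difflib
import os
import re
import tempfile
from pathlib import Path

# Publishers trusted for R tooling (assumption; extend for your environment).
TRUSTED_PUBLISHERS = {"reditorsupport"}
# Installed extension folders are named <publisher>.<name>-<version>[-<target>].
FOLDER_RE = re.compile(r"^(?P<publisher>[^.]+)\.(?P<name>.+?)-(?P<version>\d+\.\d+\.\d+)(?:-(?P<target>.+))?$")
NODE_BINARIES = {"node.exe", "node"}

def lookalike_publisher(publisher, trusted=TRUSTED_PUBLISHERS, cutoff=0.8):
    """Return the trusted publisher this one closely resembles but does not equal, else None."""
    pub = publisher.lower()
    if pub in trusted:
        return None
    close = difflib.get_close_matches(pub, trusted, n=1, cutoff=cutoff)
    return close[0] if close else None

def has_bundled_node_runtime(ext_dir):
    # A Node.js binary shipped inside the extension folder is the relaunch vehicle described above.
    return any(f.lower() in NODE_BINARIES for _r, _d, files in os.walk(ext_dir) for f in files)

def audit_extensions(extensions_root):
    """Return [(folder_name, [reasons])] for every extension matching either indicator."""
    findings = []
    for ext_dir in sorted(p for p in Path(extensions_root).iterdir() if p.is_dir()):
        meta = FOLDER_RE.match(ext_dir.name)
        if meta is None:
            continue  # not an extension folder layout we understand
        reasons = []
        target = lookalike_publisher(meta["publisher"])
        if target:
            reasons.append(f"publisher {meta['publisher']!r} resembles trusted {target!r}")
        if has_bundled_node_runtime(ext_dir):
            reasons.append("Node.js runtime bundled inside the extension folder")
        if reasons:
            findings.append((ext_dir.name, reasons))
    return findings

def demo():
    """Constructed sample tree: one trusted-looking and one suspicious extension folder."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "reditorsupport.r-2.8.4").mkdir()
        bad = Path(root) / "reditorsupporter.r-vscode-2.8.8-universal"
        (bad / "bin").mkdir(parents=True)
        (bad / "bin" / "node.exe").write_bytes(b"placeholder, not a real binary")
        return audit_extensions(root)
```

Point `audit_extensions()` at the IDE's real extensions directory to run it against an actual workstation; a hit on either indicator is a reason to inspect the extension, not proof of compromise on its own.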

As development platforms and blockchain infrastructure become more widely adopted, researchers expect threat actors to increasingly experiment with unconventional delivery mechanisms designed to bypass traditional security controls.
