In a recent cybersecurity incident, researchers have identified a supply chain attack targeting the Ethcode extension for Microsoft Visual Studio Code (VS Code). This extension, designed for deploying and executing Solidity smart contracts on Ethereum Virtual Machine (EVM)-based blockchains, has been installed by over 6,000 developers.
The Attack Vector
The breach originated from a GitHub pull request submitted by a user named Airez299 on June 17, 2025. This user proposed modernizing the codebase by integrating the ‘viem’ library and adding a new testing framework. While these changes appeared beneficial, they concealed malicious code within the extensive updates.
Malicious Code Injection
The attacker introduced a new npm dependency named keythereum-utils into the project’s package.json file and imported it into the extension’s TypeScript file. This package, now removed from the npm registry, contained obfuscated code designed to download and execute a secondary payload via a hidden PowerShell script. The exact nature of this payload remains unknown, but it is suspected to be malware aimed at stealing cryptocurrency assets or compromising smart contracts developed using the extension.
Discovery and Response
ReversingLabs, a supply chain security firm, discovered the malicious code and reported it to Microsoft. Consequently, the Ethcode extension was temporarily removed from the VS Code Extensions Marketplace. Following the removal of the malicious dependency, the extension has been reinstated.
Implications for Developers
This incident underscores the growing threat of software supply chain attacks, where public repositories are exploited to distribute malware directly into developer environments. Developers are advised to exercise caution when integrating third-party dependencies and to conduct thorough reviews of code contributions, especially from new or unverified contributors.
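The kind of review check the advice above calls for, as an added example (this is not code from the article, from ReversingLabs or from the Ethcode project): it diffs the dependency fields of a package.json before and after a contribution, then locates the import or require statements in the changed source that pull in each newly added package, so a reviewer sees which new dependency a pull request introduces and where it is actually used. The manifests, the source file and every package name except viem are constructed sample data.

```javascript
// Added example (not from the article): surface dependencies that a pull request
// introduces into package.json and show where the changed source imports them.
// All sample manifests, source text and package names below are constructed,
// except "viem", which the article names as the library the PR integrated.

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Collect every declared dependency across the manifest's dependency fields.
function collectDeps(manifest) {
  const deps = new Map();
  for (const field of DEP_FIELDS) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      deps.set(name, { field, range });
    }
  }
  return deps;
}

// Compare the manifest before and after a change. Newly added packages are the
// ones a reviewer must inspect; version moves are reported separately.
function diffManifests(beforeJson, afterJson) {
  const before = collectDeps(JSON.parse(beforeJson));
  const after = collectDeps(JSON.parse(afterJson));
  const added = [];
  const changed = [];
  for (const [name, info] of after) {
    const prev = before.get(name);
    if (!prev) {
      added.push({ name, field: info.field, range: info.range });
    } else if (prev.range !== info.range) {
      changed.push({ name, from: prev.range, to: info.range });
    }
  }
  return { added, changed };
}

// Reduce an import specifier to its package name ("@scope/pkg/sub" -> "@scope/pkg").
function packageRoot(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Find import / dynamic import / require statements whose specifier resolves to
// one of the given package names, reporting the 1-based line of each hit.
function findImports(source, packageNames) {
  const hits = [];
  const pattern = /(?:from\s+|import\s*\(?\s*|require\s*\(\s*)["']([^"']+)["']/g;
  let m;
  while ((m = pattern.exec(source)) !== null) {
    const root = packageRoot(m[1]);
    if (packageNames.includes(root)) {
      const line = source.slice(0, m.index).split("\n").length;
      hits.push({ package: root, specifier: m[1], line });
    }
  }
  return hits;
}

// Full review: every added dependency with the places the changed files use it.
// A dependency that is added but never imported is also worth a question.
function reviewChange(beforeJson, afterJson, changedFiles) {
  const { added, changed } = diffManifests(beforeJson, afterJson);
  const names = added.map((d) => d.name);
  const usage = added.map((dep) => ({
    ...dep,
    importedAt: Object.entries(changedFiles).flatMap(([file, text]) =>
      findImports(text, [dep.name]).map((h) => ({ file, line: h.line }))
    ),
  }));
  return { added: usage, changed, addedNames: names };
}

// Constructed sample data standing in for a manifest before and after a PR.
const SAMPLE_BEFORE = JSON.stringify({
  name: "sample-extension",
  dependencies: { ethers: "^5.7.0" },
  devDependencies: { typescript: "^5.0.0" },
});
const SAMPLE_AFTER = JSON.stringify({
  name: "sample-extension",
  dependencies: { ethers: "^5.7.0", viem: "^2.0.0", "example-utils-lib": "^1.0.0" },
  devDependencies: { typescript: "^5.4.0", vitest: "^1.0.0" },
});
const SAMPLE_SOURCE = [
  'import { createPublicClient } from "viem";',
  'import * as utils from "example-utils-lib";',
  'const legacy = require("ethers");',
].join("\n");

const report = reviewChange(SAMPLE_BEFORE, SAMPLE_AFTER, { "src/extension.ts": SAMPLE_SOURCE });
for (const dep of report.added) {
  const where = dep.importedAt.map((h) => `${h.file}:${h.line}`).join(", ") || "not imported";
  console.log(`NEW ${dep.field} ${dep.name}@${dep.range} -> ${where}`);
}
```

Run on a real pull request by feeding it the base and head versions of package.json plus the text of each changed source file; any package listed as NEW is a candidate for a closer look at its registry history and published contents before the change is merged.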