Malicious Windsurf IDE Extension Uses Solana Blockchain to Steal Developer Credentials

Malicious Windsurf IDE Extension Uses Solana Blockchain to Steal Developer Credentials

First seen 19 Mar 2026, 06:26 UTC BitdefenderSecuritybrief.AuScworld 86% similarity 69.5

Article Content

Browse articles
ThreatCluster

Bitdefender researchers have uncovered a malicious extension for the Windsurf IDE that deploys a multi-stage NodeJS stealer via the Solana blockchain. Disguised as a legitimate R language support tool for Visual Studio Code, the extension named reditorsupporter.r-vscode-2.8.8-universal retrieves encrypted JavaScript from blockchain transactions to execute malicious payloads. The attack was initiated when a user unknowingly installed the extension, which was flagged by endpoint detection alerts linked to windsurf.exe. The malware collects sensitive data from Chromium-based browsers and checks for Russian indicators to avoid detection. A hidden Windows scheduled task ensures persistence across reboots. This attack specifically targets developer environments, where high-value credentials and tokens may be stored. The use of the Solana blockchain complicates takedown efforts and reduces reliance on conventional command-and-control infrastructure. Bitdefender advises developers to verify extensions and monitor for unusual activity.

Key Points: • Malicious Windsurf IDE extension masquerades as a legitimate R language tool. • The malware uses Solana blockchain transactions to deliver payloads, complicating detection. • Targets developer environments, potentially exposing sensitive credentials and tokens.

ThreatCluster AI

Timeline

2026-03-18
Bitdefender publishes findings on malicious Windsurf IDE extension.
2026-03-19
Securitybrief.Au reports on the same malicious extension.

Community

Browse all →