Securitybrief.Au
Malicious Windsurf IDE Extension Uses Solana Blockchain to Steal Developer Credentials
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Bitdefender researchers have uncovered a malicious extension for the Windsurf IDE that deploys a multi-stage NodeJS stealer via the Solana blockchain. Disguised as a legitimate R language support tool for Visual Studio Code, the extension named reditorsupporter.r-vscode-2.8.8-universal retrieves encrypted JavaScript from blockchain transactions to execute malicious payloads. The attack was initiated when a user unknowingly installed the extension, which was flagged by endpoint detection alerts linked to windsurf.exe. The malware collects sensitive data from Chromium-based browsers and checks for Russian indicators to avoid detection. A hidden Windows scheduled task ensures persistence across reboots. This attack specifically targets developer environments, where high-value credentials and tokens may be stored. The use of the Solana blockchain complicates takedown efforts and reduces reliance on conventional command-and-control infrastructure. Bitdefender advises developers to verify extensions and monitor for unusual activity.
Key Points: • Malicious Windsurf IDE extension masquerades as a legitimate R language tool. • The malware uses Solana blockchain transactions to deliver payloads, complicating detection. • Targets developer environments, potentially exposing sensitive credentials and tokens.