A fake VS Code extension pretending to be the Material Icon Theme was found targeting Windows and macOS users. Attackers added hidden backdoor files into the marketplace package, giving them quiet access to developer systems after installation.
The extension looked and worked like a normal icon theme, so users didn’t suspect anything. But inside, it carried two Rust-based implants that could run native code on both operating systems and connect to a remote command server.
Nextron Systems discovered these implants in version 5.29.1, tied to a loader script called extension.js in the dist/extension/desktop folder.
The malicious payloads — os.node for Windows and darwin.node for macOS — were placed inside a structure that copied the real extension’s layout, making the backdoor harder to spot.
After activation, extension.js runs the matching Rust implant and hands control to the attackers, turning the extension into a loader for further remote payloads.
Inside the Attack Chain
This part explains how the malicious implants communicate with their command server and pull additional payloads.
The Rust binaries don’t use a fixed URL. Instead, they get their instructions from data stored in a Solana blockchain wallet, making the control channel difficult to block.
A simplified version of the loader logic in extension.js looks like this:
function activate() {
  // Pick the native implant that matches the host platform.
  const bin = process.platform === "win32" ? "os.node" : "darwin.node";
  // Load it as a Node.js native addon from the extension's desktop folder.
  const native = require(__dirname + "/desktop/" + bin);
  // Hand control to the Rust code.
  native.run();
}
Once loaded, the native code reads the data from the wallet, decodes it from Base64, and then connects to a command server. It downloads a large Base64 blob, which is actually an AES-256-CBC encrypted JavaScript file.
The attackers also use a hidden Google Calendar event—with an invisible Unicode URL—as a fallback source for the next payload, adding another layer to the C2 chain.
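One defensive check this layout suggests is a simple audit of installed extension directories for native addons and for loader scripts that name them, since an icon theme has no business shipping Rust binaries. The script below is an added example, not code from the article or from Nextron Systems; the implant file names and the dist/extension/desktop path come from the article, while the mock extension tree it builds (with placeholder files, not real binaries) and the exact placement of extension.js are constructed assumptions for the demo.

```python
import os
import re
import tempfile

# String literals ending in ".node", e.g. "os.node" in the simplified loader above.
NODE_LITERAL = re.compile(r'["\']([^"\']*\.node)["\']')
# File names the article reports for the Rust implants (Windows / macOS).
KNOWN_IMPLANT_NAMES = {"os.node", "darwin.node"}


def scan_extension(ext_dir):
    """Return sorted findings for one installed VS Code extension directory.

    Flags every native .node module on disk (naming the known implant files)
    and every extension.js that references a .node file name.
    """
    findings = []
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, ext_dir).replace(os.sep, "/")
            if name.endswith(".node"):
                tag = "known implant name" if name in KNOWN_IMPLANT_NAMES else "native module"
                findings.append(f"{tag}: {rel}")
            elif name == "extension.js":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                for lit in sorted(set(NODE_LITERAL.findall(src))):
                    findings.append(f"{rel} references native module name: {lit}")
    return sorted(findings)


def build_sample_extension():
    """Build a constructed, harmless mock of the reported layout (assumption)."""
    base = tempfile.mkdtemp(prefix="vscode-ext-demo-")
    desktop = os.path.join(base, "dist", "extension", "desktop")
    os.makedirs(desktop)
    for impl in KNOWN_IMPLANT_NAMES:
        with open(os.path.join(desktop, impl), "wb") as fh:
            fh.write(b"placeholder, not a real binary\n")
    loader = ('function activate() {\n'
              '  const bin = process.platform === "win32" ? "os.node" : "darwin.node";\n'
              '  const native = require(__dirname + "/desktop/" + bin);\n'
              '  native.run();\n}\n')
    with open(os.path.join(base, "dist", "extension", "extension.js"), "w") as fh:
        fh.write(loader)
    return base


if __name__ == "__main__":
    for line in scan_extension(build_sample_extension()):
        print(line)
```

Point scan_extension at each folder under your VS Code extensions directory to run the same check against real installs.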