A sophisticated supply chain attack has compromised ETHcode, a popular Visual Studio Code extension for Ethereum development, through a malicious GitHub pull request that required just two lines of code to weaponize the trusted software. The attack, discovered by ReversingLabs researchers, demonstrates how threat actors can infiltrate legitimate development tools with minimal code changes, potentially affecting thousands of cryptocurrency developers worldwide.

ETHcode, developed by the 7finney organization, is a legitimate VS Code extension with nearly 6,000 user installations that enables Ethereum developers to test, debug, and deploy smart contracts across EVM-based blockchains. The compromise demonstrates that even trusted, legitimate software can be weaponized through minimal code changes, making supply chain attacks an increasingly serious threat to the development community.

When researchers analyzed the keythereum-utils package, they discovered heavily obfuscated JavaScript code that, when deobfuscated, revealed its true purpose: spawning a hidden PowerShell process that downloads and executes a batch script from a public file-hosting service.

The extension’s author at 7finney has since issued a corrective update, with ETHcode version 0.5.1 published on July 1st, removing the malicious dependency and restoring the extension to the marketplace. The attack’s effectiveness was amplified by VS Code’s automatic extension update feature, which means the malicious code was automatically distributed to nearly 6,000 users without their knowledge. Researchers are still investigating the second-stage payload’s exact capabilities; given the crypto-focused nature of the target, it likely aims to steal cryptocurrency assets or compromise Ethereum smart contracts under development.

The second line of malicious code invoked Node.js’s “require” function to load and execute the newly introduced dependency.
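A reviewer-side check for the pattern described above, a change that introduces a dependency and loads it with `require` in the same pull request, is sketched below as an added example; it is not code from ETHcode, 7finney or ReversingLabs. The manifests, the diff, `existing-dep`, the version strings and `src/example.ts` are constructed placeholders; only the package name keythereum-utils comes from the article.

```javascript
// Added example. All inputs are constructed; "existing-dep", the versions
// and src/example.ts are placeholders, not ETHcode's real files or values.
const BEFORE = { dependencies: { "existing-dep": "1.0.0" } };
const AFTER = { dependencies: { "existing-dep": "1.0.0", "keythereum-utils": "0.0.0" } };
const SOURCE_DIFF = [
  "--- a/src/example.ts",
  "+++ b/src/example.ts",
  "@@ -1,2 +1,3 @@",
  ' import * as vscode from "vscode";',
  '+const keythereum = require("keythereum-utils");',
  " export function activate() {}",
].join("\n");

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Names present in any dependency field of `after` but in none of `before`.
// Comparing parsed manifests avoids flagging plain version bumps.
function addedDependencies(before, after) {
  const names = (pkg) => new Set(DEP_FIELDS.flatMap((f) => Object.keys(pkg[f] || {})));
  const old = names(before);
  return [...names(after)].filter((n) => !old.has(n));
}

// Map package name -> files whose added ("+") lines load it via require/import.
function addedLoads(diffText) {
  const loads = new Map();
  const re = /(?:require|import)\s*\(\s*["']([^"']+)["']\s*\)|from\s+["']([^"']+)["']/g;
  let file = null;
  for (const line of diffText.split("\n")) {
    if (line.startsWith("+++ ")) { file = line.slice(4).replace(/^b\//, ""); continue; }
    if (!file || !line.startsWith("+")) continue;
    for (const m of line.slice(1).matchAll(re)) {
      // Reduce "pkg/sub/path" or "@scope/pkg/sub" to the package name.
      const parts = (m[1] || m[2]).split("/");
      const pkg = parts[0].startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
      loads.set(pkg, [...(loads.get(pkg) || []), file]);
    }
  }
  return loads;
}

// One finding per new dependency; a non-empty loadedIn means the same change
// also executes the package when the listed file is loaded.
function reviewChange(before, after, diffText) {
  const loads = addedLoads(diffText);
  return addedDependencies(before, after).map((name) => ({ name, loadedIn: loads.get(name) || [] }));
}

console.log(JSON.stringify(reviewChange(BEFORE, AFTER, SOURCE_DIFF)));
```

A finding with a non-empty `loadedIn` is the cue to inspect the new package's published contents before merging, since heavily obfuscated code like that described above is visible only in the package itself, not in the pull request diff.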
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 09 Jul 2025 13:35:24 +0000