Malicious Windsurf IDE Extension Exploits Solana Blockchain for Credential Theft
Bitdefender researchers have discovered a new type of malware that uses the Solana blockchain as its payload infrastructure to deploy a multi-stage NodeJS stealer.
The malware is disguised as an R language support extension for Visual Studio Code and retrieves encrypted JavaScript from blockchain transactions. Once executed, it drops compiled add-ons that extract Chromium data from browsers.
The attackers gave the malicious extension a name similar to that of the legitimate official extension, 'REditorSupport', to deceive potential victims into installing it.
