Ethcode Compromised: Over 6,000 Devs Hit by Malicious VS Code Extension
An attack on the Visual Studio Code extension known as Ethcode has compromised the security of more than 6,000 developers worldwide. The incident stemmed from the insertion of malicious code into this widely used tool, which facilitates working with smart contracts on Ethereum Virtual Machine (EVM)-compatible blockchains.
Originally released in 2022 by a developer operating under the alias 7finney, Ethcode was designed for deploying and executing Solidity contracts within the EVM ecosystem. The last legitimate update to the project was made in September 2024. However, on June 17, 2025, a pull request was submitted to the GitHub repository by a user named Airez299, proposing substantial code modifications—including integration with the viem library and a new Mocha-based testing framework.
At first glance, the updates seemed valuable, especially given the project’s long dormancy. Yet, researchers at ReversingLabs discovered that buried within more than 4,000 lines of code and 43 commits were just two malicious lines that altered the fate of the entire extension. The attacker added a dependency named keythereum-utils to the package.json file and imported it into the extension’s main TypeScript file.
The JavaScript library—later removed from the npm registry—was heavily obfuscated and embedded with a second-stage payload loader, capable of executing unknown malicious code. In total, the malicious package was downloaded 495 times. Its versions were published from now-deleted accounts: 0xlab, 0xlabss, and 1xlab. Once deobfuscated, it became clear the script launched a concealed PowerShell command that silently downloaded and executed a batch script from a public hosting service.
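A review aid for exactly this pattern, added here as an example and not taken from the Ethcode project or the researchers' tooling: it diffs the dependency fields of a before/after package.json, correlates each new package with the import lines added in the pull request's diff, and flags any name that is not on a reviewer-maintained vetted list. The package.json contents, diff excerpt, version specs and vetted list are constructed.

```python
import json
import re

# Constructed before/after package.json contents modelled on the change the article
# describes: viem and mocha are the advertised work; keythereum-utils is the package
# the article identifies as malicious. Version specs are placeholders.
OLD_PACKAGE_JSON = json.dumps({"name": "ethcode", "dependencies": {"ethers": "^5.7.0"}})
NEW_PACKAGE_JSON = json.dumps({
    "name": "ethcode", "devDependencies": {"mocha": "^10.0.0"},
    "dependencies": {"ethers": "^5.7.0", "viem": "^2.0.0", "keythereum-utils": "^1.0.0"}})
# Constructed unified-diff excerpt for the extension's main TypeScript file.
SAMPLE_DIFF = """\
--- a/src/extension.ts
+++ b/src/extension.ts
@@ -1,4 +1,6 @@
 import * as vscode from "vscode";
+import { createPublicClient } from "viem";
+import "keythereum-utils";
 import { Contract } from "ethers";
"""
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
# Matches `import x from "m"`, bare `import "m"` and `require("m")` on one line.
IMPORT_RE = re.compile(r"""(?:import\s.*?from\s*|import\s*|require\()\s*['"]([^'"]+)['"]""")

def all_dependencies(package_json: str) -> dict:
    # Flatten every dependency field of a package.json into {name: version spec}.
    data = json.loads(package_json)
    return {k: v for field in DEP_FIELDS for k, v in data.get(field, {}).items()}

def added_imports(diff_text: str) -> dict:
    # Map each file in the diff to the module specifiers its added (+) lines import.
    result, current = {}, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current = line[4:].removeprefix("b/")
        elif line.startswith("+") and current:
            m = IMPORT_RE.search(line[1:])
            if m:
                result.setdefault(current, []).append(m.group(1))
    return result

def review_dependency_changes(old_pkg: str, new_pkg: str, diff_text: str, vetted: set) -> list:
    # One finding per package that is new in this change: its spec, which changed
    # files import it, and whether its name is on the reviewer's vetted list.
    old, new = all_dependencies(old_pkg), all_dependencies(new_pkg)
    imports = added_imports(diff_text)
    return [{"package": name, "spec": new[name],
             "imported_in": sorted(f for f, mods in imports.items() if name in mods),
             "verdict": "vetted" if name in vetted else "REVIEW: unvetted new dependency"}
            for name in sorted(set(new) - set(old))]
```

Run against a real pull request, the vetted list is the set of packages the maintainer has already reviewed; anything else that is both new in the manifest and freshly imported deserves a look regardless of how large the rest of the change is.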
The suspected objective of the attack was to steal cryptocurrency assets or interfere with smart contract development workflows. Upon notification, Microsoft swiftly removed the extension from its marketplace. The project’s current maintainer, using the alias 0mkara, later confirmed that the malicious dependency had been eliminated and Ethcode was reinstated in the extension library.
The Ethcode breach is emblematic of a growing wave of software supply chain attacks. Malicious actors increasingly exploit the trust placed in public repositories like PyPI and npm to inject harmful code directly into developers’ environments. Notably, the account Airez299 was created the same day the pull request was submitted and showed no prior activity—indicating it was a throwaway identity crafted solely for the insertion of malicious code.
According to Sonatype, the second quarter of 2025 alone saw the discovery of 16,279 open-source malicious packages—a 188% increase over the same period last year. In Q1, the figure reached 17,954 incidents, with over 4,400 packages designed specifically to harvest and exfiltrate sensitive data, such as tokens and login credentials. Alarmingly, the number of packages aimed at data destruction and sabotage doubled, surpassing 400 unique cases.
Trust in open-source software is no longer a guarantee of security. Today, a single well-camouflaged commit can destabilize entire development ecosystems. This reality underscores the critical need for rigorous code review and vigilant oversight—not as best practice, but as a non-negotiable imperative.