Windsurf IDE Under Attack: Fake R Extension Becomes a Silent Crypto-Powered NodeJS Stealer Hidden on Solana Blockchain

The cybersecurity landscape is once again shaken by a highly sophisticated supply-chain attack targeting developers using the Windsurf IDE. A fake “R support” extension was discovered delivering a multi-stage NodeJS-based stealer embedded with encrypted payloads hosted via the Solana blockchain. The malware specifically targets Chromium-based browser credentials while establishing persistence through a hidden PowerShell scheduled task. This campaign highlights how threat actors are increasingly blending legitimate-looking developer tools with blockchain-based obfuscation techniques to evade detection. At the same time, parallel threat intelligence reports show that groups like Agent Tesla are continuing long-running credential theft campaigns across LATAM, using phishing lures and advanced process injection methods. Together, these incidents reflect a rapidly evolving cyber threat ecosystem where attackers are leveraging both traditional malware tactics and emerging decentralized infrastructure to maximize stealth, persistence, and data exfiltration efficiency.

The Original Incident (Expanded Overview)

The report reveals a dangerous fake extension masquerading as an R programming support tool inside the Windsurf IDE ecosystem, designed to deceive developers into installing it on the assumption that it adds productivity features.
Once installed, the extension triggers a multi-stage infection chain that deploys a NodeJS-based stealer capable of harvesting sensitive system and browser data.
The malware uses encrypted payloads stored on the Solana blockchain, making traditional detection and takedown significantly more difficult.
The primary targets include Chromium-based browser credentials, session tokens, and saved login information.
The attack also establishes persistence through a hidden PowerShell scheduled task, ensuring long-term system access.
This technique allows attackers to silently maintain control even after system reboots or partial cleanup attempts.
The campaign demonstrates a clear supply-chain compromise strategy, in which trusted developer environments are weaponized.
Alongside this, related intelligence highlights Agent Tesla’s continued activity in LATAM, particularly Chile.
That campaign spans more than 18 months and uses procurement-themed phishing emails to lure enterprise victims.
Agent Tesla relies on process hollowing to inject malicious code into legitimate system processes.
It exfiltrates stolen credentials over FTP to attacker-controlled servers.
The combined reports illustrate how cybercriminal ecosystems are diversifying both their delivery methods and their infrastructure.
Developers and enterprise users are increasingly prime targets because they hold high-value credentials and have access to internal systems.
The use of blockchain for payload hosting represents a growing trend in malware concealment.
Overall, the incident signals a convergence of social engineering, advanced malware engineering, and decentralized infrastructure abuse.

What Undercode Says:

Supply Chain Infiltration as the New Default Attack Vector

The fake R extension demonstrates how attackers now prioritize developer ecosystems over traditional end-user targeting.
By embedding malicious code inside IDE extensions, threat actors gain privileged access to highly trusted environments.
This approach reduces the need for brute-force intrusion techniques and increases infection success rates.

Developers unknowingly become initial access brokers into enterprise systems.

The reliance on open extension ecosystems creates an expanded attack surface that is still poorly regulated.

Blockchain-Based Payload Hosting Changes Detection Dynamics

Using Solana as a payload distribution layer marks a shift toward decentralized malware infrastructure.
Blockchain storage complicates takedown efforts because the data is distributed and immutable.
Security tools struggle to differentiate between legitimate and malicious on-chain data calls.
This method also lets attackers rotate payload references without changing the core malware logic.

As a result, traditional signature-based detection becomes increasingly ineffective.

Multi-Stage NodeJS Stealer Enhances Operational Stealth

The NodeJS-based architecture allows cross-platform execution with minimal friction.

Multi-stage execution delays payload activation, bypassing sandbox detection mechanisms.

Encrypted delivery ensures that static analysis yields limited intelligence.

Chromium credential targeting remains highly profitable because of session persistence and stored tokens.
This makes browser ecosystems a consistently high-value target in modern cybercrime campaigns.
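Defenders hunting for a NodeJS stealer launched out of an IDE extension usually start with process lineage rather than file signatures, because the stealer's own code arrives encrypted and in stages. The PowerShell below is an added example written for this article, not code from the report or from any of the projects mentioned: it scores running node.exe processes by where their script lives, whether they run inline code, and which process started them. The per-user extensions directory pattern (for example C:\Users\<user>\.windsurf\extensions\) and the list of script-host parents are assumptions chosen for illustration.

```powershell
# Added example (not part of the original article): lineage and command-line triage
# for NodeJS processes on a Windows developer workstation. The extension-directory
# pattern and the list of script-host parents are assumptions for this example.

function Test-SuspiciousNodeProcess {
    param(
        [string]$Name,         # process image name, e.g. 'node.exe'
        [string]$CommandLine,  # full command line from Win32_Process
        [string]$ParentName    # image name of the parent process
    )
    $reasons = @()
    if ($Name -ne 'node.exe') { return ,$reasons }

    # Script loaded from a per-user IDE extensions folder such as
    # C:\Users\<user>\.windsurf\extensions\ (assumed layout; language servers also live here)
    if ($CommandLine -match '(?i)\\Users\\[^\\]+\\\.[^\\]+\\extensions\\') {
        $reasons += 'script under a user-profile extensions directory'
    }
    # Inline evaluation (-e / --eval / -p) instead of a script file on disk
    if ($CommandLine -match '(?i)\s(-e|--eval|-p)\s') {
        $reasons += 'inline eval payload'
    }
    # A script host as parent is what a scheduled-task or stager launch looks like
    if ($ParentName.ToLowerInvariant() -in @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'mshta.exe')) {
        $reasons += "spawned by $ParentName"
    }
    # The leading comma keeps an empty array from collapsing to $null
    return ,$reasons
}

function Get-SuspiciousNodeProcesses {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byId[[int]$p.ParentProcessId]
        # The parent PID may belong to a process that has already exited (or been reused)
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $reasons = Test-SuspiciousNodeProcess -Name $p.Name `
            -CommandLine ([string]$p.CommandLine) -ParentName $parentName
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Parent      = $parentName
                CommandLine = $p.CommandLine
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample (hypothetical path, not an indicator from the article)
$sample = Test-SuspiciousNodeProcess -Name 'node.exe' `
    -CommandLine 'node.exe C:\Users\alice\.windsurf\extensions\example-ext\out\loader.js' `
    -ParentName 'powershell.exe'
$sample -join '; '

# Live hunt on the current host
Get-SuspiciousNodeProcesses | Format-Table -AutoSize
```

The extension-directory match on its own is noisy, since legitimate language servers are node processes started from the same folders by the IDE; the combination worth escalating is an extension path together with a script-host parent or an inline eval argument, which is why the function returns every reason it found instead of a single verdict.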

Persistence via Hidden PowerShell Tasks Strengthens Control

The use of hidden scheduled PowerShell tasks ensures malware survival across reboot cycles.
PowerShell remains a favored tool because of its deep integration into Windows environments.

Attackers leverage native system utilities to reduce their forensic footprint.

This technique blends malicious activity with legitimate system operations.

It significantly complicates endpoint detection and response workflows.
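Because the persistence described here lives in the Task Scheduler rather than in a dropped binary, the practical check is to enumerate every task action and score the ones that look like a concealed PowerShell launcher. The script below is an added example for this article and is not code from the report; it uses only the built-in Get-ScheduledTask and Get-ScheduledTaskInfo cmdlets. The argument patterns (hidden window, encoded command, execution-policy bypass, download or decode cradle, task path outside \Microsoft\) are heuristics chosen for illustration, not indicators published for this campaign, and the sample action at the end is constructed with a dummy base64 string.

```powershell
# Added example (not part of the original article): triage heuristics for scheduled
# tasks that resemble hidden PowerShell persistence. The patterns below are
# assumptions chosen for illustration, not indicators published for this campaign.

function Test-SuspiciousTaskAction {
    param(
        [string]$Execute,     # Actions[i].Execute (the program the task launches)
        [string]$Arguments,   # Actions[i].Arguments
        [bool]$Hidden,        # Settings.Hidden (the "Hidden" checkbox in Task Scheduler)
        [string]$TaskPath     # e.g. '\' or '\Microsoft\Windows\...'
    )
    $reasons = @()
    # Executable name without quotes or directory, e.g. 'powershell.exe'
    $exe = (($Execute -replace '"', '') -replace '^.*[\\/]', '').ToLowerInvariant()
    $isPowerShell = $exe -in @('powershell.exe', 'pwsh.exe')

    if ($isPowerShell) {
        # Switches that keep the console invisible or carry an opaque payload
        if ($Arguments -match '(?i)-w(in|indowstyle)?\s+hidden') {
            $reasons += 'hidden window'
        }
        if ($Arguments -match '(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') {
            $reasons += 'encoded command'
        }
        if ($Arguments -match '(?i)-(ep|ex|executionpolicy)\s+bypass') {
            $reasons += 'execution policy bypass'
        }
        if ($Arguments -match '(?i)downloadstring|invoke-webrequest|\biwr\b|frombase64string') {
            $reasons += 'download or decode cradle'
        }
        # Persistence planted by user-level malware typically lands outside \Microsoft\
        if ($TaskPath -notlike '\Microsoft\*') {
            $reasons += 'PowerShell task outside \Microsoft\'
        }
    }
    if ($Hidden) { $reasons += 'task marked hidden' }

    # The leading comma keeps an empty array from collapsing to $null
    return ,$reasons
}

function Get-SuspiciousScheduledTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property worth scoring
            if (-not $action.Execute) { continue }
            $reasons = Test-SuspiciousTaskAction -Execute $action.Execute `
                -Arguments ([string]$action.Arguments) `
                -Hidden ([bool]$task.Settings.Hidden) -TaskPath $task.TaskPath
            if ($reasons.Count -gt 0) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    RunAs     = $task.Principal.UserId
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    LastRun   = $info.LastRunTime
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

# Constructed sample (dummy base64, not a real payload) to exercise the scoring offline
$sample = Test-SuspiciousTaskAction -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Arguments '-NoP -W Hidden -Ep Bypass -Enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB' `
    -Hidden $true -TaskPath '\'
$sample -join '; '

# Live hunt on the current host (Windows 8 / Server 2012 or later)
Get-SuspiciousScheduledTasks | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

Windows ships a number of its own hidden tasks under \Microsoft\, so the Hidden flag alone is only one reason among several; a task at the root path whose action is PowerShell with a hidden window and an encoded command accumulates several reasons and is the one to pull the XML for (Export-ScheduledTask) and compare against the Author, RunAs and LastRun columns before deciding on containment.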

Agent Tesla Campaign Shows Long-Term Enterprise Exploitation

The Agent Tesla operation in LATAM highlights sustained credential theft over an extended period.

Procurement-themed phishing emails exploit organizational trust structures.

Process hollowing allows malicious code to hide inside legitimate processes.
FTP-based exfiltration remains simple yet effective for bulk data theft.
This reinforces that even older malware families continue to evolve operationally rather than being replaced.

Fact Checker Results

Agent Tesla remains an active credential stealer used in multiple global phishing campaigns targeting enterprises.
Blockchain-based malware hosting has been observed in emerging cybercrime tactics but is still relatively uncommon.
Supply-chain attacks via IDE extensions are a confirmed and growing risk in developer ecosystems.

Prediction

Cybersecurity threats will increasingly integrate blockchain infrastructure to obscure command-and-control operations.
Developer tools and IDE marketplaces will become primary battlegrounds for supply-chain compromises.
Credential theft campaigns like Agent Tesla will evolve further into hybrid malware ecosystems combining legacy and modern techniques.
