What happened
A malicious software extension distributed through the Open VSX marketplace was used to deliver malware to thousands of developer systems, according to Annex analysts. The extension impersonated an Angular Language Service package while embedding encrypted malware alongside legitimate components. When triggered, the payload decrypted itself and connected to command-and-control infrastructure hosted via the Solana blockchain. The extension remained available for approximately two weeks before being identified and removed.
Who is affected
Developers who installed the compromised extension from Open VSX are affected, particularly those who opened HTML or TypeScript files after installation.
Why CISOs should care
Compromised development tooling introduces software supply chain risk and can lead to malware execution on developer endpoints.
3 practical actions
- Audit installed Open VSX extensions. Identify and remove the malicious package.
- Investigate affected workstations. Review developer systems for signs of malware execution.
- Review extension sourcing controls. Assess how development tools are approved and distributed.
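One way to carry out the first action, as an added example that is not part of the advisory or any Annex tooling: a Python audit of a VS Code-compatible extensions directory that flags any manifest reusing the Angular Language Service name under a publisher other than the expected one, and notes whether it activates on HTML or TypeScript files, the triggers the advisory describes. It assumes the genuine package is publisher `Angular`, extension name `ng-template`, and the standard layout of one `package.json` per extension folder (for example `~/.vscode-oss/extensions`); the manifests it audits are constructed inside `demo`.

```python
"""Audit a VS Code-compatible extensions directory for look-alike packages."""
import json
import os
import tempfile

# Assumption (not stated in the advisory): the genuine Angular Language Service
# is publisher "Angular", extension "ng-template"; any other publisher reusing
# that name or display name is flagged for review.
KNOWN_GOOD = {"ng-template": "angular", "angular language service": "angular"}
# The advisory says the payload ran when HTML or TypeScript files were opened,
# which in a manifest corresponds to these activation events.
WATCHED_ACTIVATION = {"onLanguage:html", "onLanguage:typescript"}

def audit_extensions(ext_dir):
    """Return (folder, reason) pairs for extensions that look like impostors."""
    findings = []
    for folder in sorted(os.listdir(ext_dir)):
        manifest = os.path.join(ext_dir, folder, "package.json")
        if not os.path.isfile(manifest):
            continue  # not an extension folder (e.g. extensions.json)
        with open(manifest, encoding="utf-8") as fh:
            meta = json.load(fh)
        name = str(meta.get("name", "")).lower()
        display = str(meta.get("displayName", "")).lower()
        publisher = str(meta.get("publisher", "")).lower()
        expected = KNOWN_GOOD.get(name) or KNOWN_GOOD.get(display)
        if not expected or publisher == expected:
            continue  # unknown name, or the real publisher: nothing to report
        reasons = [f"publisher '{publisher}' is not '{expected}'"]
        hooks = WATCHED_ACTIVATION & set(meta.get("activationEvents", []))
        if hooks:
            reasons.append("activates on " + ", ".join(sorted(hooks)))
        findings.append((folder, "; ".join(reasons)))
    return findings

def demo():
    """Audit a constructed directory holding one genuine and one fake manifest."""
    root = tempfile.mkdtemp()
    samples = {  # constructed manifests, not real packages
        "angular.ng-template-1.0.0": {"name": "ng-template", "publisher": "Angular",
                                      "displayName": "Angular Language Service"},
        "acme.ng-template-1.0.1": {"name": "ng-template", "publisher": "acme",
                                   "displayName": "Angular Language Service",
                                   "activationEvents": ["onLanguage:html", "onLanguage:typescript"]},
    }
    for folder, meta in samples.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return audit_extensions(root)  # point at ~/.vscode-oss/extensions for a real audit
```

A hit only says the package deserves review; confirm against the marketplace listing and the publisher's own repository before removing it, and extend KNOWN_GOOD with any other extensions your teams rely on.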
