MULTIPLE malicious Visual Studio Code extensions published by IoliteLabs—solidity-macos, solidity-windows, and solidity-linux—have been discovered targeting Solidity and Web3 developers across Windows, macOS and Linux. The extensions disguise themselves as legitimate Solidity development tools but contain obfuscated backdoor code hidden inside a weaponized pako dependency, and on activation silently download and execute remote payloads.
They establish persistence through PATH hijacking and shell configuration modifications, and communicate with command-and-control infrastructure. StepSecurity is actively investigating this incident and will publish a detailed technical analysis with IOCs, detection guidance, and remediation steps. The discovery was reported on 27 March 2026 by Ashish Kurmi.