www.bitdefender.com 3/18/2026, 1:39:08 PM · external

Windsurf IDE Extension Drops Malware via Solana Blockchain

Bitdefender researchers have identified a malicious Windsurf IDE extension that deploys a Node.js stealer by leveraging the Solana blockchain. Disguised as an R language support tool, it retrieves encrypted JavaScript from blockchain transactions, executes it, and captures sensitive data from Chromium browsers. The malware targets developers, avoids detection by checking for Russian systems, and creates a hidden PowerShell scheduled task for persistence.

Key points include the use of decentralized infrastructure for malicious commands, intricate dynamic execution without sandbox restrictions, and the deployment of credential-stealing modules. Together, these exemplify a shift in attack strategies towards trusted development environments.

Article by CyberSIXT