Researchers at ReversingLabs uncovered a sophisticated supply chain attack compromising the ETHcode VS Code extension through a malicious GitHub pull request that introduced a deceptive dependency. This attack demonstrates the risks posed by software supply chain vulnerabilities in trusted developer tools and emphasizes the need for thorough review of new contributors and dependencies. #ETHcode #keythereum-utils #7finney
Key Points
- ReversingLabs researchers identified a supply chain attack targeting the Ethereum-related VS Code extension ETHcode via a malicious GitHub pull request by a fake user, Airez299.
- The attacker introduced a carefully named malicious dependency, “keythereum-utils,” designed to mimic a legitimate library used by the project.
- The malicious dependency contained heavily obfuscated code that, once executed, spawned a hidden PowerShell process to download and run a batch script from a public file-hosting service.
- The compromised extension was removed from the Visual Studio Marketplace after discovery, and the original developer released a cleaned version (0.5.1) without the malicious code.
- This attack bypassed automated and human code reviews by hiding malicious behavior in subtle dependency additions invoked by just two lines of code.
- VS Code’s automatic extension updates contributed to potentially widespread infection among nearly 6,000 users without their knowledge.
- ReversingLabs recommends manual verification of contributor identities, close examination of manifest files like package.json, and use of tools like Spectra Assure for detecting suspicious changes.
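The manifest review recommended above can be partly automated. The following is an added example, not code from the ReversingLabs post or the ETHcode project: it diffs the dependency sections of two package.json versions, lists every newly added package, and flags names that extend or closely resemble an existing dependency. The sample manifests are constructed, and the presence of a dependency named "keythereum" is an assumption for illustration; the post does not name the library that "keythereum-utils" imitated.

```javascript
// Added example: review what a pull request changes in package.json.
// Sample manifests are constructed; "keythereum" as an existing dependency
// is an assumption (the post only says the new name mimicked a real library).
const SAMPLE_BEFORE = JSON.stringify({
  name: 'sample-extension',
  dependencies: { keythereum: '^1.2.0', ethers: '^5.0.0' },
});
const SAMPLE_AFTER = JSON.stringify({
  name: 'sample-extension',
  dependencies: { keythereum: '^1.2.0', ethers: '^5.0.0', 'keythereum-utils': '^1.0.0' },
});

// Classic edit distance (single-row DP), used to catch one- or two-character look-alikes.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Merge runtime and dev dependencies into one name -> version-range map.
function depsOf(manifest) {
  return { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
}

// Return the packages a change adds, each with the reasons it deserves a closer look.
function reviewManifestChange(beforeText, afterText) {
  const before = depsOf(JSON.parse(beforeText));
  const after = depsOf(JSON.parse(afterText));
  const added = Object.keys(after).filter((n) => !(n in before));
  const findings = added.map((name) => {
    const reasons = [];
    for (const existing of Object.keys(before)) {
      if (name !== existing && name.startsWith(existing)) reasons.push(`extends existing name "${existing}"`);
      else if (levenshtein(name, existing) <= 2) reasons.push(`look-alike of "${existing}"`);
    }
    const range = after[name];
    if (range === '*' || range === 'latest' || range === '') reasons.push('unpinned version');
    return { name, version: range, reasons };
  });
  return { added, findings };
}
```

Every newly added package is reported, so the reviewer still sees additions with an empty reasons list; the heuristics only prioritise which ones to open first.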
MITRE Techniques
- [T1195] Supply Chain Compromise – Malicious code was inserted via a GitHub pull request into the trusted ETHcode VS Code extension, allowing attackers to implant malicious dependencies. (“pull request with malicious dependency ‘keythereum-utils’ introduced subtle but dangerous code changes”)
- [T1218] Signed Binary Proxy Execution – The malicious package executed obfuscated JavaScript that spawned a hidden PowerShell process to run payload scripts. (“spawn a hidden Powershell that downloads and runs a batch script”)
- [T1105] Ingress Tool Transfer – The second-stage payload downloaded by the PowerShell script originated from a public file-hosting service. (“downloads and runs a batch script from a public file-hosting service”)
- [T1059.001] Command and Scripting Interpreter: PowerShell – The attack leveraged PowerShell to execute the downloaded batch script covertly. (“spawn a hidden Powershell that downloads and runs…”)
Indicators of Compromise
- [File Hash] ETHcode compromised VS Code extension version 0.5.0 – sha1: 8f93077e8193996fc096de359401a8e9aa6ffc7f
- [GitHub User] Malicious pull request initiator – Airez299, a newly created throw-away GitHub account with no prior activity, used to submit the malicious pull request
- [Dependency Name] Malicious npm package dependency introduced in the extension – keythereum-utils
Read more: https://www.reversinglabs.com/blog/malicious-pull-request-infects-vscode-extension