PULSE NAME
Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor
WHITE PetrP.73 2026-03-29 Modified: 2026-03-29
22 IOCs
MEDIUM VOLUME
StepSecurity's analysis reveals a significant supply chain attack targeting Solidity developers through compromised Visual Studio Code (VSCode) extensions published by IoliteLabs. The affected extensions (solidity-macos, solidity-windows, and solidity-linux) were abruptly updated to version 0.1.8 on March 25, 2026, after being dormant since 2018. Each extension contains a multi-stage backdoor that silently activates on every startup of VSCode, downloading platform-specific payloads from attacker-controlled domains.
Indicators of Compromise (1 / 22 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 | 67f51fd22786e2ac0162903e742a6770 | MD5 of e7ec4e35d94d01a2e4ee5dca62b8fb08ac7411596edb54b398651f4eb563561d | 2026-03-29