[Figure: PowerShell execution and scheduled task persistence. Image: Bitdefender]
Security researchers at Bitdefender have uncovered a sophisticated cyberattack targeting the developer community through a malicious extension for the Windsurf IDE. The campaign, which disguises itself as a legitimate tool for the R programming language, marks a high-tech shift in malware delivery by utilizing the Solana blockchain as its command-and-control (C2) infrastructure.
The attack begins with a fake extension designed to mimic REditorSupport, a popular and trusted extension for R language development. The malicious version is specifically tailored for the Windsurf IDE, an AI-powered environment increasingly favored by modern developers.
“There’s an official, legitimate extension named REditorSupport, which is likely why the attacker used a very similar name to confuse potential victims.”
Once installed, the extension doesn’t immediately reveal its true nature. In an effort to evade initial static analysis and automated sandbox detection, the malware remains dormant, “decrypting its payload only after installation.”
The most technically striking aspect of this campaign is the use of the Solana blockchain. Rather than reaching out to a suspicious domain or a known malicious IP address, the malware retrieves its instructions directly from blockchain transactions.
“Instead of using traditional command-and-control servers, the attackers retrieved malicious code from the Solana blockchain, which makes takedown efforts significantly harder.”
This method gives the attackers an effectively “bulletproof” hosting environment. Because the blockchain is decentralized and immutable, security researchers cannot simply “sinkhole” a domain or ask a hosting provider to remove the malicious files; the transaction data stays retrievable for as long as the chain exists. The malware fetches encrypted JavaScript from these transactions, decrypts it locally, and executes it using Node.js runtime primitives.
The campaign is highly targeted and includes operational safeguards to avoid detection and geopolitical friction. Before initiating its data-harvesting phase, the malware performs a location check; “the malware checked whether the victim was in Russia and shut itself down if so.”
For victims outside the excluded regions, the infection sequence is relentless:
- Scheduled Task: The malware creates a hidden PowerShell scheduled task to ensure it survives system reboots.
- Registry Manipulation: It interacts with, and then scrubs evidence from, the HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry entry.
- Final Payload: It launches a hidden node.exe binary to run the core stealer logic.
“As a final step in establishing persistence, the script launched… the infection became self-sustaining across system reboots.”
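As an added defender-side example (not code from Bitdefender's write-up, and not the malware's own file names), the following Python audits one exported Task Scheduler XML document and a set of Run-key values for the persistence pattern just described: a task marked Hidden, an action that runs PowerShell with window-hiding or encoded-command switches, a Run value that launches node.exe, and payload paths inside user-writable directories. The task XML, the Run entries and every path in them are constructed samples.

```python
"""Audit persistence artifacts for the chain described in the article:
a hidden PowerShell scheduled task, a node.exe launcher, and payload paths
in user-writable directories.  All inputs below are constructed samples."""
from __future__ import annotations
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters the described chain leans on; a legitimate Run entry or task
# normally points at a vendor executable rather than at one of these.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "node.exe"}

# PowerShell switches that suppress the window or profile, or carry an
# encoded script body.  PAIR_FLAGS are (switch, value) token pairs.
SINGLE_FLAGS = {"-encodedcommand", "-enc", "-ec", "-noprofile", "-nop"}
PAIR_FLAGS = {("-windowstyle", "hidden"), ("-w", "hidden"),
              ("-executionpolicy", "bypass"), ("-ep", "bypass")}

# Directory fragments a non-admin payload can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def hidden_flags(args: str) -> list[str]:
    """Return the suspicious PowerShell switches present in a command line."""
    toks = args.lower().split()
    found = [t for t in toks if t in SINGLE_FLAGS]
    found += [f"{a} {b}" for a, b in zip(toks, toks[1:]) if (a, b) in PAIR_FLAGS]
    return found


def _basename(cmd: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return cmd.strip().strip('"').lower().rsplit("\\", 1)[-1]


def audit_task_xml(xml_text: str) -> list[str]:
    """Findings for one task exported with `schtasks /query /tn <name> /xml`."""
    root = ET.fromstring(xml_text)
    findings = []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    if hidden.strip().lower() == "true":
        findings.append("task is marked Hidden")
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        exe = _basename(cmd)
        if exe in INTERPRETERS:
            findings.append(f"runs interpreter {exe}")
        flags = hidden_flags(args)
        if flags:
            findings.append("hidden/encoded PowerShell switches: " + ", ".join(flags))
        if any(p in (cmd + " " + args).lower() for p in USER_WRITABLE):
            findings.append("references a user-writable path")
    return findings


def audit_run_entries(entries: dict[str, str]) -> dict[str, list[str]]:
    """entries maps value name -> command line, as read from the HKCU Run key.
    Returns only the entries that produced findings."""
    out: dict[str, list[str]] = {}
    for name, cmdline in entries.items():
        low = cmdline.lower()
        f = []
        if any(i in low for i in INTERPRETERS):
            f.append("launches an interpreter rather than an application")
        flags = hidden_flags(cmdline)
        if flags:
            f.append("hidden/encoded PowerShell switches: " + ", ".join(flags))
        if any(p in low for p in USER_WRITABLE):
            f.append("points into a user-writable directory")
        if f:
            out[name] = f
    return out


# --- constructed samples (hypothetical names and paths, not real IoCs) ---
SAMPLE_TASK_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Vendor\Updater.exe</Command>
    <Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_TASK_SUSPICIOUS = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\dev\AppData\Local\Temp\update.ps1"</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_RUN_ENTRIES = {
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    "NodeHelper": r'"C:\Users\dev\AppData\Roaming\nodehelper\node.exe" "C:\Users\dev\AppData\Roaming\nodehelper\index.js"',
}

if __name__ == "__main__":
    print("benign task:", audit_task_xml(SAMPLE_TASK_BENIGN))
    print("suspicious task:", audit_task_xml(SAMPLE_TASK_SUSPICIOUS))
    print("run key:", audit_run_entries(SAMPLE_RUN_ENTRIES))
```

On a live host the inputs come from `schtasks /query /tn <name> /xml` and from `Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run`. Because the article notes that the malware scrubs its Run-key traces, a point-in-time audit of the key can come back clean; pairing it with registry value-set telemetry (Sysmon Event ID 13) and scheduled-task creation auditing (Security Event ID 4698) catches the write even when the value has since been deleted.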
The ultimate goal of the “Windsurf Stealer” is the total harvest of a developer’s digital identity. By deploying native .node DLLs, the malware interacts directly with Chromium-based browsers to extract saved passwords, session cookies, and sensitive financial data.
For developers, the risk is amplified. Access to a developer’s workstation often provides a “backdoor” into a company’s internal source code, API keys, and production environments, making this campaign a potent threat to the broader software supply chain.