Researchers at ReversingLabs (RL) have uncovered a supply chain compromise of the popular ETHcode extension for Visual Studio Code, a tool widely used by Ethereum developers. The entire attack hinged on just two lines of malicious code stealthily introduced through a GitHub pull request.
“It only took two lines of code… Even legitimate software modules can be compromised by shadowy developer accounts and just a few subtle changes to a trusted code base,” RL warns.
ETHcode, maintained by a small GitHub organization called 7finney, has been available since 2022 and has nearly 6,000 installs. On June 17, a GitHub user named Airez299 submitted a pull request titled “Modernize codebase with viem integration and testing framework.”
On the surface, it seemed like a valuable contribution to a repo that hadn’t seen a commit in over six months. GitHub’s AI reviewer and the project maintainer both reviewed the PR and approved minor changes.

“At first look, Airez299’s pull request didn’t actually add malicious code to the ETHcode module’s codebase,” ReversingLabs noted. “However, amongst the 43 commits and about 4,000 lines changed, there were two lines of code that… compromised the entire project.”
The first suspicious line introduced a new dependency: keythereum-utils — a name designed to mimic keythereum, an existing dependency.
“This dependency was carefully named to raise as little suspicion as possible… adding only the -utils suffix.”
The second line was deceptively simple: a call to Node.js’s require() function that activated the malicious package.
Once triggered, the malicious code spawned a hidden PowerShell process that reached out to a public file-sharing service to download and run a second-stage batch script — the full scope of which is still under investigation.
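A defender-side check that this incident suggests, added here as an example and not code from the RL report or the ETHcode project: diff a pull request's package.json dependency lists and flag any newly added package whose name is an existing dependency plus a short suffix, or within a small edit distance of one. The manifests, version strings and suffix list below are constructed for illustration.

```javascript
// Detect newly added npm dependencies whose names shadow an existing one,
// such as "keythereum-utils" alongside "keythereum". Constructed example;
// not code from the ETHcode project or the RL report.
const SUFFIXES = ["-utils", "-util", "-helpers", "-core", "-lib", "-js", "js"];

function depNames(pkg) {
  // Collect dependency names from every section of a parsed package.json.
  const names = new Set();
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(pkg[section] || {})) names.add(name);
  }
  return names;
}

function levenshtein(a, b) {
  // Plain edit distance; cheap enough to run over every pair of names.
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + subst);
    }
  }
  return dp[a.length][b.length];
}

function lookalikeDeps(basePkg, headPkg) {
  // Compare the base branch manifest with the PR's; report each new dependency
  // that closely resembles one already present.
  const before = depNames(basePkg);
  const findings = [];
  for (const added of depNames(headPkg)) {
    if (before.has(added)) continue;
    for (const existing of before) {
      if (SUFFIXES.some((s) => added === existing + s || existing === added + s)) {
        findings.push({ added, resembles: existing, reason: "suffix variant" });
      } else if (levenshtein(added, existing) <= 2) {
        findings.push({ added, resembles: existing, reason: "edit distance <= 2" });
      }
    }
  }
  return findings;
}

// Constructed before/after manifests that mirror the ETHcode pull request.
const BASE = { dependencies: { keythereum: "^1.2.0", ethers: "^5.7.0" } };
const HEAD = { dependencies: { keythereum: "^1.2.0", "keythereum-utils": "^1.0.0", viem: "^2.0.0" },
               devDependencies: { vitest: "^1.0.0" } };
console.log(lookalikeDeps(BASE, HEAD));
```

Run it as a pre-merge CI step on the two manifests; a non-empty result is a signal for a human reviewer, not proof of malice.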
According to RL, the GitHub user Airez299 was likely a throwaway identity created for the sole purpose of delivering the poisoned PR.
“The GitHub account Airez299 that initiated the ETHcode pull request was created on the same day… with no previous history or activity. This strongly indicates that this is a throw-away account.”
One of the most concerning elements of this incident is that VS Code automatically updates extensions by default, meaning any compromised version could silently spread malware across a developer’s environment.
“With nearly 6000 installs, ETHcode has potentially spread this malware to thousands of developer systems… depending on the lateral movement capabilities of the further payload stages.”
After RL contacted Microsoft, the malicious version of the extension was removed from the VS Code Marketplace on June 26. The original ETHcode developer later published version 0.5.1 on July 1, which removes the malicious dependency.