The first step involved a PowerShell command that downloaded two main payloads: a browser extension and an executable file named myau.exe. These were designed to steal sensitive data, especially cryptocurrency wallet credentials, and to keep the malware active even after reboots.

This attack is a strong reminder that even trusted platforms like the VS Code Marketplace can be misused by attackers. Developers often install extensions to boost productivity, but these tools can silently turn into serious threats if not properly reviewed. Once infected, attackers can spy on your activity, steal sensitive files, and gain control over your development environment. This is especially dangerous for blockchain and crypto developers, where stolen credentials can result in major financial loss. Staying cautious and security-aware is essential even during routine coding work.

The malware used advanced evasion techniques. It disabled Windows Defender, added firewall rules to block Microsoft’s security services, and even crashed the system if someone tried to stop it. One payload was hidden inside an image file to bypass detection. The final stage of the attack involved a tool that stole information from apps like Chrome, Brave, Discord, and others.

Even though these extensions had fewer than 50 installs before Microsoft removed them, the attack shows how risky it can be to blindly trust browser-based tools and extensions in developer environments.

Impact

• Data Theft
• Financial Loss

Indicators of Compromise

Domain Name

• solidity.bot

MD5

• 3fcf6a47d9fa4b252898a0afbfbb57a8

• c3c7178b225242af3978c4aa2acac19c

• c514e59054f1eb03290e7a44f21e4016

SHA-256

• c5c0228a1e0ba2bb748219325f66acf17078a26165b45728d8e98150377aa068

• a1eadd41327bd8736e275627d3953944fe7089c032d72a3e429ff18ad0958ada

• c3684164933c3f54d5b0b242a8a906a85d633de479079a820bb804c0f73c0f58

SHA1

• 1778838e8a209a9ec0b7eeeb34991f362c557bf7

• 5243c5afea7b7c4609846f0ce4d417ba641e65a2

• e161c437495f39185d2c4444a218c335255f5618

URL

• https://m-vn.ws/bird.php
• https://myaunet.su
• http://paste.ee/d/0ykW3Z2K/0
• https://archive.org/download/new_image_20250509_1852/new_image.jpg
• https://begalinokotobananinotrippitroppacrocofanclub.su/m

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Uninstall any of these extensions if installed: solaibot, among-eth, blankebesxstnion
• Run a full antivirus scan and check for suspicious processes like myau.exe or myaunet.exe
• Re-enable Windows Defender if disabled
• Check your browser for unknown extensions and remove them
• Change passwords for crypto wallets, developer tools, and any linked accounts
• Download VS Code extensions only from trusted authors with verified profiles
• Use endpoint protection that monitors script and PowerShell abuse