A popular code editor extension on the Open VSX registry was found to contain hidden malware that silently downloads and runs a remote access trojan (RAT) and a full-featured infostealer on developer machines, with no visible warning to the user. The extension, published by KhangNghiem under the name "fast-draft," had been downloaded more than 26,000 times before the malicious code hidden in some of its releases was discovered.

The compromise was staged deliberately across specific releases rather than present from the start. Versions 0.10.89, 0.10.105, 0.10.106, and 0.10.112 each contained code that reached out to a GitHub repository controlled by a threat actor tracked as BlokTrooper.

The extension fetched platform-specific shell scripts directly from raw.githubusercontent[.]com/BlokTrooper/extension and piped the entire response into a system shell, the classic fetch-and-execute loader pattern. That shell then downloaded and ran the full second-stage payload on the victim's machine. Because the script is pulled at runtime, its contents can change between fetches, so whatever the repository serves today says nothing about what a victim received when the extension first ran.

Network teams should block and monitor all outbound traffic to 195[.]201[.]104[.]53 on ports 6931, 6936, and 6939, and flag any request to raw.githubusercontent[.]com/BlokTrooper in proxy and network logs. Note that the stager host is legitimate GitHub infrastructure shared by countless projects, so the indicator is the repository path, not the hostname; blocking raw.githubusercontent[.]com outright would break normal developer workflows, and DNS logs alone cannot distinguish the malicious fetch from a benign one.
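The indicators above can be turned into a quick sweep of installed extension manifests and of outbound connection and proxy logs. The following is an added example, not code from the original article or from anyone it names. The indicator values are the ones listed above with defanging removed; the key=value log format and the sample lines are constructed for illustration, and the manifest check takes the publisher, name and version fields a practitioner would read from an installed extension's package.json:

```python
"""IOC sweep for the fast-draft / BlokTrooper campaign.

Added example, not code from the original article, from Open VSX or from any
party named in it. The indicator values come from the article; the key=value
log line format is constructed for illustration and the sample lines below
are fabricated. Map the field names onto your own proxy or flow logs (for
example Zeek conn.log id.resp_h / id.resp_p) before running it for real.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the article, with defanging removed so they compare directly.
AFFECTED_PUBLISHER = "khangnghiem"
AFFECTED_NAME = "fast-draft"
AFFECTED_VERSIONS = {"0.10.89", "0.10.105", "0.10.106", "0.10.112"}
C2_IP = ipaddress.ip_address("195.201.104.53")
C2_PORTS = {6931, 6936, 6939}
STAGER_HOST = "raw.githubusercontent.com"
STAGER_PATH_PREFIX = "/bloktrooper/"  # GitHub owner names are case-insensitive


def is_affected_extension(publisher: str, name: str, version: str) -> bool:
    """True if an installed extension is one of the known-bad releases.

    Only the listed versions carried the loader, so an exact version match
    is required; other releases of the same extension are not flagged here.
    """
    return (publisher.lower() == AFFECTED_PUBLISHER
            and name.lower() == AFFECTED_NAME
            and version.strip() in AFFECTED_VERSIONS)


def is_stager_url(url: str) -> bool:
    """True for any fetch under the BlokTrooper raw-content path.

    The hostname is legitimate GitHub infrastructure shared by countless
    projects, so the repository owner in the path is the real indicator.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host == STAGER_HOST and parts.path.lower().startswith(STAGER_PATH_PREFIX)


def is_c2_flow(dst_ip: str, dst_port: int) -> bool:
    """True for a connection to the second-stage server on a listed port."""
    try:
        return ipaddress.ip_address(dst_ip) == C2_IP and dst_port in C2_PORTS
    except ValueError:  # field was not an IP literal (e.g. a hostname)
        return False


# Field extractors for the constructed key=value log format.
FLOW_RE = re.compile(r"\bdst=(?P<ip>[0-9a-fA-F:.]+)\s+dport=(?P<port>\d+)")
URL_RE = re.compile(r"\burl=(?P<url>\S+)")


def scan_log_lines(lines):
    """Return (line_number, reason) for every line that matches an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        flow = FLOW_RE.search(line)
        if flow and is_c2_flow(flow["ip"], int(flow["port"])):
            hits.append((n, f"second-stage C2 flow to {flow['ip']}:{flow['port']}"))
            continue
        req = URL_RE.search(line)
        if req and is_stager_url(req["url"]):
            hits.append((n, f"stager fetch from {req['url']}"))
    return hits


# Constructed sample: two benign lines and two that match the article's IOCs.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-05-01T10:00:07Z src=10.0.0.5 dst=195.201.104.53 dport=6936 proto=tcp",
    "2024-05-01T10:00:09Z src=10.0.0.5 method=GET url=https://raw.githubusercontent.com/other-org/repo/main/README.md status=200",
    "2024-05-01T10:00:12Z src=10.0.0.5 method=GET url=https://raw.githubusercontent.com/BlokTrooper/extension/main/linux.sh status=200",
]

if __name__ == "__main__":
    for n, reason in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {reason}")
    print(is_affected_extension("KhangNghiem", "fast-draft", "0.10.106"))  # True
```

The C2 check is scoped to the three ports the article lists; if you would rather treat any contact with the IP as a hit, drop the port test in is_c2_flow. The URL check only works on sources that record the full request path (a forward proxy or TLS inspection), since DNS and flow logs see only the shared GitHub hostname.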

For timely updates, follow ZeroOwl on LinkedIn and X.