After examining questionable extension behavior within the Open VSX ecosystem, Annex analysts discovered the malware. The threat specifically targets browser-stored authentication tokens, cryptocurrency wallets on 60 different platforms, and developer credentials for NPM and GitHub. The campaign appears to have originated from Russian-speaking threat groups looking to evade domestic prosecution, as geographic filtering mechanisms prevent execution on Russian systems.
The malware can do more than just steal data. It extracts OAuth tokens from VS Code configurations, stops browser processes to unlock database files, and instantly verifies credentials that have been stolen.
Figure: Angular Language Service (Source: Annex)
When primary channels are unavailable, compromised Google Calendar links are used to retrieve backup infrastructure addresses. Exfiltrated data packages are compressed and sent to command servers.
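The browser-process termination described above is a behaviour a defender can watch for on the endpoint: a code editor has no ordinary reason to spawn a command that kills Chrome or Firefox. The following is an added detection example written for this write-up, not code from Annex or from the extension. It assumes process-creation telemetry in a Sysmon-like shape (ParentImage, Image, CommandLine); the sample events are constructed, and the field names should be mapped onto whatever your EDR or SIEM actually emits.

```python
"""Flag a VS Code process spawning a browser-killing command.

Added example for this write-up, not code from Annex or from the extension.
The Annex analysis says the extension terminates browser processes so that
locked credential databases can be read. The events below are constructed
in a Sysmon-like process-creation shape (ParentImage, Image, CommandLine).
"""
import json
import re

# Constructed sample events; paths and command lines are made up.
SAMPLE_EVENTS = [
    json.dumps({"ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
                "Image": "C:\\Windows\\System32\\taskkill.exe",
                "CommandLine": "taskkill /F /IM chrome.exe /T"}),
    json.dumps({"ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd /c npm run build"}),
    json.dumps({"ParentImage": "/usr/share/code/code",
                "Image": "/usr/bin/pkill",
                "CommandLine": "pkill -f firefox"}),
    json.dumps({"ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\taskkill.exe",
                "CommandLine": "taskkill /F /IM chrome.exe"}),
]

# Browser process names whose termination unlocks credential/cookie stores.
BROWSERS = ("chrome", "msedge", "brave", "firefox", "opera", "vivaldi", "chromium")
BROWSER_RE = re.compile("|".join(re.escape(b) for b in BROWSERS), re.IGNORECASE)

# Editor binaries (assumed names) and the kill utilities we care about.
VSCODE_BINARIES = {"code.exe", "code", "code-oss", "codium", "codium.exe", "vscodium.exe"}
KILL_TOOLS = {"taskkill.exe", "taskkill", "pkill", "killall", "kill"}
KILL_CMD_RE = re.compile(r"\b(taskkill|pkill|killall)\b", re.IGNORECASE)


def basename(path):
    """Basename that works for both Windows and POSIX paths on any host."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Return the targeted browser name if this event is an editor-spawned
    browser kill (directly or via a shell wrapper), else None."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent not in VSCODE_BINARIES:
        return None
    if image not in KILL_TOOLS and not KILL_CMD_RE.search(cmdline):
        return None
    m = BROWSER_RE.search(cmdline)
    return m.group(0).lower() if m else None


def detect(lines):
    """Run the rule over JSON event lines; return a list of alert dicts."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the pipeline
        browser = classify(event)
        if browser:
            alerts.append({"browser": browser,
                           "parent": event["ParentImage"],
                           "cmdline": event["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT: {a['parent']} -> {a['cmdline']} (targets {a['browser']})")
```

On the constructed events the rule fires twice (a taskkill of chrome.exe and a pkill of firefox, both parented by the editor) and ignores the user-driven taskkill under explorer.exe and the ordinary npm build. The parent check is the important part: the extension host runs inside the editor process tree, so the anomaly is the parent, not the kill utility itself.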
Command Infrastructure Powered by Blockchain
Through Solana blockchain transactions, the malware maintains robust command-and-control operations by using a method known as "Etherhiding." Following initial activation, the extension queries a particular Solana wallet address whose transaction memo fields contain Base64-encoded instructions. There are various benefits to this architecture: blockchain immutability guarantees that configuration data is preserved forever, public RPC endpoints are always accessible, and attackers can change payload URLs without changing the published extension.
Figure: The capabilities of the payload (Source: Annex)
Ten configuration updates have been made to the Solana wallet address BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC in the last month, with the most recent one taking place on January 28, 2026. Attackers are able to modify their infrastructure more quickly than defenders can react because each update provides new server addresses that host encrypted secondary payloads.
This strategy removes single points of failure and offers takedown resistance that is unmatched by traditional domain-based command systems.
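Because the configuration lives in public transaction memos, a defender can read the same memos the extension reads and turn each update into blocklist entries rather than waiting for the next payload to land. The triage routine below is an added example for this write-up, not tooling from Annex. It assumes the input is a getSignaturesForAddress JSON-RPC reply whose result entries carry a memo string of the form "[<length>] <text>" (or null); the memo contents, signatures and block times are constructed stand-ins, so nothing is fetched and the wallet address named above is not queried.

```python
"""Triage Base64 memos on a Solana address for infrastructure indicators.

Added example for this write-up, not tooling from Annex. Assumptions: the
input is the JSON-RPC reply of getSignaturesForAddress, whose `result` array
carries a `memo` string per signature formatted "[<length>] <text>" or null.
The memo texts below are constructed stand-ins; nothing is fetched.
"""
import base64
import binascii
import json
import re
from urllib.parse import urlparse


def _memo(text):
    # Helper for building the constructed sample in the on-chain memo format.
    return f"[{len(text)}] {text}"


# Constructed sample reply (signatures, slots, times and payloads are made up).
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": [
    {"signature": "sig-newest", "slot": 300, "err": None, "blockTime": 1769558400,
     "memo": _memo(base64.b64encode(
         b'{"c2": ["http://203.0.113.5:8080/p", "https://backup.example.invalid/x"]}').decode())},
    {"signature": "sig-middle", "slot": 200, "err": None, "blockTime": 1769000000,
     "memo": None},
    {"signature": "sig-chatter", "slot": 150, "err": None, "blockTime": 1768500000,
     "memo": _memo("thanks again")},
    {"signature": "sig-oldest", "slot": 100, "err": None, "blockTime": 1768000000,
     "memo": _memo(base64.b64encode(b"https://example.invalid/stage2.bin").decode())},
]})

URL_RE = re.compile(r"https?://[^\s\"'<>\]\)]+")
LEN_PREFIX_RE = re.compile(r"^\[\d+\]\s*")


def decode_memo(memo):
    """Strip the '[n] ' prefix and Base64-decode; return text or None."""
    if not memo:
        return None
    body = LEN_PREFIX_RE.sub("", memo).strip()
    body += "=" * (-len(body) % 4)           # tolerate stripped padding
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                           # plain chatter or binary: not config text
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None                           # decoded to garbage, not a config string
    return text


def hosts_in(text):
    """Hostnames of every URL in the decoded memo (deduplicated, in order)."""
    seen = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def triage(response_json):
    """One record per memo that decodes to text, in the order the RPC returns them
    (newest first), so the first row is the configuration currently in force."""
    rows = []
    for entry in json.loads(response_json)["result"]:
        text = decode_memo(entry.get("memo"))
        if text is None:
            continue
        rows.append({"signature": entry["signature"],
                     "blockTime": entry.get("blockTime"),
                     "decoded": text,
                     "hosts": hosts_in(text)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        print(row["signature"], row["blockTime"], row["hosts"])
```

Run against the constructed reply, the routine keeps the two memos that decode to text, skips the null memo and the plain-text chatter, and yields the hostnames (203.0.113.5, backup.example.invalid, example.invalid in the sample) that belong in egress blocking. Because every historical update stays on-chain, the older rows double as a timeline of how quickly the operator rotated hosts.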