A popular-looking extension published under the name angular-studio, ng-angular-extension, has been discovered delivering sophisticated malware to the developers who install it. This article explores how the attackers used an installed extension to do so. By combining legitimate dependencies like @angular/language-service and typescript, the extension offered real IntelliSense and diagnostic features while posing as a genuine "Angular Language Service" (Source: Annex.security).

Beneath the surface, though, it carried a covert payload that stole developer credentials and drained cryptocurrency wallets. The attack chain starts when a developer opens any HTML or TypeScript file in Visual Studio Code: an activation event registered in the extension's package.json triggers extension/index.js. That file contains an encrypted loader which uses the Node.js crypto module to decrypt a long hex string with AES-256-CBC.

After decryption, the loader waits for a timing delay before passing the decrypted payload to eval().

This technique grants the malicious code complete access to the host file system, Node.js modules, and the VS Code API.

C2 through Solana Etherhiding

The malware hides its Command and Control (C2) infrastructure using a method called "Etherhiding." Rather than querying a conventional domain that might be blocked, the payload retrieves a particular transaction from the Solana blockchain.

Solana address: BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC
Mechanism: the malware parses the "memo" field of the account's transactions.
Payload: a Base64-encoded URL in the memo (currently hxxp://217.69.11.57/...) directs the malware to the next stage.

Figure: Parsing memos (Source: Annex.security)

Because the blockchain is highly available and immutable, this approach provides "takedown resistance."

Without changing the installed extension, attackers can update the C2 URL simply by sending a fresh transaction to the address.

Persistence and Geofencing

Before executing the second stage, the malware performs aggressive geofencing: it compares the system's UTC offset, locale, and time zone against Russian indicators (such as ru_RU and Europe/Moscow).

If a match is found, execution terminates immediately, a common tactic for avoiding prosecution in certain jurisdictions. The malware tracks execution timestamps in a hidden init.json file created under the user's home directory (for example ~/.config/ on Linux or %APPDATA% on Windows). According to Annex, the final payload is a comprehensive stealer built specifically for supply-chain attacks, emulating the tactics of earlier worms such as Shai-Hulud.

Developer credential theft: runs git credential fill to dump GitHub credentials and scans .npmrc files for authentication tokens, then immediately attempts to validate those tokens against live APIs.
Asset theft: targets more than 60 cryptocurrency wallets (MetaMask, Phantom, Ledger Live).

Process termination: forcibly kills Chrome and Firefox processes to unlock their database files for cookie and password extraction.
Exfiltration: all collected data is compressed and sent to 108[.]61.208.161.

IOCs

Indicator Type   Value                                          Context
C2 IP            217.69.11[.]57                                 Stage 2 payload delivery
C2 IP            108.61.208[.]161                               Data exfiltration endpoint
Extension ID     angular-studio.ng-angular-extension            Open VSX identifier
Solana Address   BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC   Etherhiding configuration source
File Path        init.json                                      Hidden persistence file in AppData/Config
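The loader traits described above (activation on HTML/TypeScript files, AES-256-CBC decryption of an embedded hex blob, delayed eval()) and the IOCs in the table can be turned into a local audit of installed extensions. The following is an added example written for this article, not code from Annex or from the extension itself; the sample extension it builds in a temporary directory is constructed to mimic the described layout only, and the names audit_extension, make_extension and demo are this example's own.

```python
import json
import re
import tempfile
from pathlib import Path
# Indicators quoted in the report; IPs re-fanged here so they match raw source text.
KNOWN_BAD_EXTENSION_IDS = {"angular-studio.ng-angular-extension"}
KNOWN_BAD_STRINGS = {"BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC", "217.69.11.57", "108.61.208.161"}
# Loader traits from the report: AES-256-CBC decrypt of a long hex blob, then a delayed eval().
HEURISTICS = {
    "aes-cbc-decipher": re.compile(r"createDecipheriv\(\s*['\"]aes-256-cbc['\"]"),
    "eval-call": re.compile(r"\beval\s*\("),
    "hex-blob": re.compile(r"['\"][0-9a-fA-F]{256,}['\"]"),
    "delayed-exec": re.compile(r"\bsetTimeout\s*\("),
}
def audit_extension(ext_dir: Path) -> dict:
    """Inspect one installed extension directory and return its findings."""
    manifest = json.loads((ext_dir / "package.json").read_text())
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}"
    flags = []
    # Activating on every HTML/TypeScript file is how the loader got triggered.
    if any(e in ("onLanguage:html", "onLanguage:typescript", "*")
           for e in manifest.get("activationEvents", [])):
        flags.append("broad-activation")
    entry = ext_dir / manifest.get("main", "extension/index.js")
    if entry.is_file():
        src = entry.read_text(errors="ignore")
        flags += [name for name, rx in HEURISTICS.items() if rx.search(src)]
        if any(ioc in src for ioc in KNOWN_BAD_STRINGS):
            flags.append("known-ioc-string")
    known_bad = ext_id in KNOWN_BAD_EXTENSION_IDS
    # Decrypt-then-eval of an embedded blob is the loader signature worth alerting on.
    suspicious = known_bad or {"aes-cbc-decipher", "eval-call"} <= set(flags)
    return {"id": ext_id, "known_bad": known_bad, "flags": flags, "suspicious": suspicious}
def make_extension(root: Path, publisher: str, name: str, index_js: str) -> Path:
    # Constructed sample: the described directory layout only, not the real extension code.
    ext = root / f"{publisher}.{name}-1.0.0"
    (ext / "extension").mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({"name": name, "publisher": publisher,
        "main": "./extension/index.js", "activationEvents": ["onLanguage:html", "onLanguage:typescript"]}))
    (ext / "extension" / "index.js").write_text(index_js)
    return ext
def demo() -> dict:
    # Audit one loader-like sample and one benign sample; results are keyed by extension id.
    root = Path(tempfile.mkdtemp())
    loader = ("const c=require('crypto');const blob='" + "ab" * 200 + "';\n"
              "const d=c.createDecipheriv('aes-256-cbc',key,iv);\n"
              "setTimeout(()=>eval(d.update(blob,'hex','utf8')+d.final('utf8')),4000);\n")
    bad = make_extension(root, "angular-studio", "ng-angular-extension", loader)
    good = make_extension(root, "acme", "tidy-formatter", "exports.activate=()=>{};\n")
    return {r["id"]: r for r in (audit_extension(bad), audit_extension(good))}
```

To audit a real machine, call audit_extension() on each subdirectory of ~/.vscode/extensions (or the Open VSX client's equivalent) instead of the constructed samples; the heuristics are a triage aid and a hit on "broad-activation" alone is not evidence of compromise.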