Solana and Windsurf IDE: Fake Windsurf IDE Extension Uses Solana Blockchain to Steal Developer Data

Malicious VS Code Extension Targets Developers via Solana Blockchain

Cybersecurity researchers at Bitdefender have uncovered a sophisticated attack targeting developers through a malicious extension for the Windsurf IDE, a popular coding environment. The threat disguises itself as a legitimate tool for the R programming language, using the filename reditorsupporter.r-vscode-2.8.8-universal, a near-identical mimic of the trusted REditorSupport extension.
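The disguise works because the publisher part of the extension id differs from the trusted REditorSupport publisher by only a couple of characters. The check below is an added example (not from the article or from Bitdefender) that flags installed extension ids whose publisher is a near match to an allowlisted publisher; the allowlist and the installed list are constructed sample data, and the distance threshold is an assumption to tune.

```python
"""Flag IDE extension ids whose publisher mimics a trusted publisher.

Extension ids take the form <publisher>.<name>[-<version>...]. The article's
mimic, reditorsupporter, is two characters away from reditorsupport. This is
an added example with constructed data, not code from the page or the vendor.
"""
from typing import List, Tuple

# Constructed allowlist of publishers the team has vetted (lowercase).
TRUSTED_PUBLISHERS = ["reditorsupport", "ms-python", "ms-vscode"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def publisher_of(extension_id: str) -> str:
    """Publisher is everything before the first dot; compare case-insensitively."""
    return extension_id.split(".", 1)[0].lower()


def classify(extension_id: str, trusted: List[str], max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <publisher>' or 'unknown'.

    max_distance=2 is an assumed threshold: large enough to catch an appended
    suffix or a swapped letter, small enough not to flag every short name.
    """
    pub = publisher_of(extension_id)
    if pub in trusted:
        return "trusted"
    for t in trusted:
        if edit_distance(pub, t) <= max_distance:
            return f"lookalike of {t}"
    return "unknown"


def scan(installed: List[str], trusted: List[str] = TRUSTED_PUBLISHERS) -> List[Tuple[str, str]]:
    """Classify every installed extension id; lookalikes deserve manual review."""
    return [(ext, classify(ext, trusted)) for ext in installed]


if __name__ == "__main__":
    # Constructed sample of an extensions directory listing.
    sample = ["REditorSupport.r", "reditorsupporter.r-vscode-2.8.8-universal",
              "ms-python.python", "someone.helper"]
    for ext, verdict in scan(sample):
        print(f"{verdict:28} {ext}")
```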

Once installed, the malware leverages an unconventional command-and-control (C2) method: the Solana blockchain. Instead of relying on traditional servers, it retrieves encrypted JavaScript payloads from transactions on the Solana network, making detection and blocking more difficult. The malware then deploys files like w.node and c_x64.node to execute data theft.

The attack is highly selective: it profiles the system and avoids infecting users in Russia, most likely to evade local law enforcement. For non-Russian targets, it steals passwords and session cookies from browsers such as Google Chrome. To maintain persistence, it creates a hidden PowerShell task (UpdateApp) that reactivates the malware on system startup, ensuring continued access even if the IDE is closed.

The campaign specifically targets developers due to their access to high-value credentials, such as API keys, which could grant attackers deeper access to corporate networks. The discovery highlights the growing risk of supply-chain attacks via trusted development tools.

Source: https://hackread.com/windsurf-ide-extension-solana-blockchain-developer-data/

Codeium cybersecurity rating report: https://www.rankiteo.com/company/windsurf123321

Solana cybersecurity rating report: https://www.rankiteo.com/company/solana

"id": "WINSOL1773923036",
"linkid": "windsurf123321, solana",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Technology, Software Development',
                        'location': 'Global (Excluding Russia)',
                        'type': 'Developers'}],
 'attack_vector': 'Malicious IDE Extension',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Session Cookies',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Passwords',
                                              'Session Cookies',
                                              'API Keys']},
 'description': 'Cybersecurity researchers at Bitdefender uncovered a '
                'sophisticated attack targeting developers through a malicious '
                'extension for the Windurf IDE, disguising itself as a '
                'legitimate tool for the R programming language. The malware '
                'retrieves encrypted JavaScript payloads from transactions on '
                'the Solana blockchain and deploys files to execute data '
                'theft, specifically targeting developers to steal high-value '
                'credentials like API keys.',
 'impact': {'data_compromised': 'Passwords, Session Cookies, API Keys',
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential Unauthorized Access to Corporate '
                                  'Networks',
            'systems_affected': 'Developer Workstations'},
 'initial_access_broker': {'backdoors_established': 'PowerShell Task '
                                                    '(UpdateApp)',
                           'entry_point': 'Malicious IDE Extension',
                           'high_value_targets': 'Developers with Access to '
                                                 'API Keys'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Growing risk of supply-chain attacks via trusted '
                    'development tools; need for enhanced scrutiny of IDE '
                    'extensions and unconventional C2 methods like blockchain '
                    'transactions.',
 'motivation': 'Data Theft, Credential Harvesting',
 'post_incident_analysis': {'corrective_actions': 'Enhanced extension '
                                                  'verification, monitoring of '
                                                  'blockchain transactions for '
                                                  'C2 activity, and disabling '
                                                  'unauthorized PowerShell '
                                                  'tasks.',
                            'root_causes': 'Lack of verification for IDE '
                                           'extensions, unconventional C2 '
                                           'infrastructure (Solana '
                                           'blockchain), and persistence '
                                           'mechanisms (PowerShell task).'},
 'recommendations': 'Developers should verify the authenticity of IDE '
                    'extensions, monitor for unusual blockchain transactions, '
                    'and implement multi-factor authentication for sensitive '
                    'credentials.',
 'references': [{'source': 'Bitdefender'}],
 'response': {'third_party_assistance': 'Bitdefender'},
 'title': 'Malicious VS Code Extension Targets Developers via Solana '
          'Blockchain',
 'type': 'Supply-Chain Attack'}