The fast-draft extension on Open VSX (KhangNghiem/fast-draft) was found to contain malicious code in versions 0.10.89, 0.10.105, 0.10.106, and 0.10.112. These versions fetch platform-specific shell scripts from a GitHub repository (BlokTrooper/extension) and execute them, deploying a four-module attack framework: a Socket.IO-based RAT with full remote desktop control, a browser and crypto wallet credential stealer targeting 25+ wallet extensions, a file exfiltration module targeting developer secrets and source code, and a clipboard surveillance module. The alternating pattern of clean and malicious releases suggests a compromised publisher account rather than a rogue maintainer. The C2 infrastructure resolves to 195.201.104.53 on ports 6931, 6936, and 6939. The latest version (0.10.135) does not contain the malicious loader. Disclosure was made to the maintainer on 2026-03-12 with no response.
Table of contents
The Smoking Gun
What The Second Stage Actually Does
Module 1: Remote Desktop RAT
Module 2: Browser And Wallet Theft
Module 3: Document And Secret Theft
Module 4: Clipboard Surveillance
The Clean Gap Matters
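A defender's check for the indicators in the summary above, added here as an example and not part of the original write-up: it walks an editor's extensions directory, flags the listed fast-draft versions by manifest, and also greps each extension's files for the loader repository and C2 address so a re-published copy under another name is still caught. The sample tree it scans is constructed in a temp directory; the VSCodium path ~/.vscode-oss/extensions in the usage note is an assumption.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators stated in the write-up above.
AFFECTED_VERSIONS = {"0.10.89", "0.10.105", "0.10.106", "0.10.112"}
AFFECTED_EXT = ("khangnghiem", "fast-draft")  # (publisher, name), lower-cased
IOC_PATTERNS = {
    "loader-repo": re.compile(r"BlokTrooper/extension", re.I),
    "c2-ip": re.compile(r"\b195\.201\.104\.53\b"),
    "c2-socket": re.compile(r"195\.201\.104\.53:(6931|6936|6939)\b"),
}
SCAN_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".json", ".sh", ".ps1"}

def scan_extensions(root):
    """Inspect each <root>/<ext>/package.json plus the files beside it; return one dict per hit."""
    findings = []
    for pkg in sorted(Path(root).glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the whole scan
        ident = (str(meta.get("publisher", "")).lower(), str(meta.get("name", "")).lower())
        version = str(meta.get("version", ""))
        reasons = []
        if ident == AFFECTED_EXT and version in AFFECTED_VERSIONS:
            reasons.append("known-malicious version")
        # Content indicators catch the same loader even under another name or version.
        for f in pkg.parent.rglob("*"):
            if f.is_file() and f.suffix.lower() in SCAN_SUFFIXES:
                text = f.read_text(encoding="utf-8", errors="ignore")
                reasons += [k for k, p in IOC_PATTERNS.items() if p.search(text) and k not in reasons]
        if reasons:
            findings.append({"path": str(pkg.parent), "id": ".".join(ident), "version": version, "reasons": reasons})
    return findings

def demo():
    """Constructed sample tree (not real extension contents): one flagged extension, one clean."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "khangnghiem.fast-draft-0.10.105"
        bad.mkdir()
        (bad / "package.json").write_text(json.dumps({"publisher": "KhangNghiem", "name": "fast-draft", "version": "0.10.105"}))
        (bad / "extension.js").write_text('const REPO = "BlokTrooper/extension"; // constructed stand-in holding only the indicator\n')
        good = Path(tmp) / "someone.clean-ext-1.0.0"
        good.mkdir()
        (good / "package.json").write_text(json.dumps({"publisher": "someone", "name": "clean-ext", "version": "1.0.0"}))
        return scan_extensions(tmp)

if __name__ == "__main__":
    print(demo())
```

On a real machine call scan_extensions() on the editor's extensions directory (for VSCodium, assumed to be ~/.vscode-oss/extensions); an empty list means no manifest or content indicator matched.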