Three dormant IoliteLabs VSCode extensions for Solidity development (solidity-macos, solidity-windows, solidity-linux) were simultaneously updated to version 0.1.8 on March 25, 2026, after eight years of inactivity. The update contained a multi-stage backdoor hidden inside a tampered copy of the pako npm dependency rather than in the extension entry point. Five obfuscation techniques were used: Unicode escaping, string reversal, XOR junk variables, bracket notation, and dependency hiding. On Windows, a Chrome-impersonating MSI installs a hook-based DLL for input monitoring. On macOS, architecture-aware binaries (Intel and Apple Silicon) are deployed with LaunchAgent persistence and a Gatekeeper bypass. Three separate C2 domains provide operational resilience. Solidity developers are high-value targets because wallet private keys, seed phrases, and deployment credentials live on their machines. Remediation steps include uninstalling the extensions, removing persistence artifacts, and rotating all credentials if the extension ran after March 25, 2026.
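As an added example (not code from the advisory or from the extensions it describes), the following Python scans the JavaScript files under a VS Code extension folder for the five obfuscation signals named in the summary and flags files where several fire at once. The regexes, the three-signal threshold and the sample sources are constructed assumptions for illustration, not vendor-published signatures.

```python
import re
from pathlib import Path

# Heuristic patterns, one per technique named in the summary. These are
# constructed for illustration, not vendor-published signatures.
SIGNALS = {
    # runs of four or more \uXXXX escapes, as in Unicode-escaped strings
    "unicode_escape": re.compile(r"(?:\\u[0-9a-fA-F]{4}){4,}"),
    # "...".split('').reverse().join('') idiom used to hide reversed strings
    "string_reverse": re.compile(r"\.split\(['\"]{2}\)\s*\.reverse\(\)\s*\.join\(['\"]{2}\)"),
    # junk assignments of the form  x = y ^ 0x5f;  that only add noise
    "xor_junk": re.compile(r"\b\w+\s*=\s*\w+\s*\^\s*(?:0x[0-9a-fA-F]+|\d+)\s*;"),
    # obj['name'](...) calls where the property name is a (possibly escaped) literal
    "bracket_access": re.compile(r"\w+\[['\"]\\?[^'\"\]]+['\"]\]\s*\("),
}

def score_source(src: str, path: str = "") -> dict:
    """Count signal hits in one JavaScript source; flag it if >= 3 signals fire.

    'dependency_hiding' is set when obfuscated code sits under node_modules,
    mirroring the tampered pako copy rather than the extension entry point.
    """
    hits = {name: len(rx.findall(src)) for name, rx in SIGNALS.items()}
    in_dependency = "node_modules" in Path(path).parts
    hits["dependency_hiding"] = int(in_dependency and any(hits.values()))
    signals = sum(1 for v in hits.values() if v)
    return {"path": path, "hits": hits, "signals": signals, "suspicious": signals >= 3}

def scan_extension_dir(root: Path) -> list:
    """Score every .js file under a VS Code extension folder; return flagged results."""
    flagged = []
    for js in root.rglob("*.js"):
        try:
            result = score_source(js.read_text(errors="ignore"), str(js))
        except OSError:
            continue
        if result["suspicious"]:
            flagged.append(result)
    return flagged

# Constructed sample in the style described (not the real payload) and a benign control.
SAMPLE_OBFUSCATED = r"""
var _0x1 = "\u0068\u0074\u0074\u0070\u0073"; var junk = a ^ 0x5f;
var cmd = "hs.cod".split('').reverse().join('');
global['\x72equire']('child_process');
"""
SAMPLE_CLEAN = "const pako = require('pako');\nmodule.exports = pako.inflate(buf);\n"

if __name__ == "__main__":
    print(score_source(SAMPLE_OBFUSCATED, "node_modules/pako/dist/pako.js"))
    print(score_source(SAMPLE_CLEAN, "extension.js"))
    # Real use: scan the installed extensions folder (VS Code's default location)
    for r in scan_extension_dir(Path.home() / ".vscode" / "extensions"):
        print(r["signals"], r["path"])
```

The scanner only surfaces candidates for manual review; a hit in a dependency folder is the cue to diff that package against the version published on the npm registry.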
Table of contents
Summary
Attack Overview
The Dormant Publisher Hijack
Technical Injection: Hiding in the Dependency, Not the Entry Point
The Complete Attack Chain
Stage 1 (Windows): calc.bat - String-Split Obfuscation
Stage 2 (Windows): 7WhiteSmoke.msi - Chrome Impersonation
Stage 1 (macOS): doc.sh - Three-Phase Persistence Engine
Stage 2 (macOS): Architecture-Aware Binaries
Infrastructure Map
Why Solidity Developers Are High-Value Targets
Obfuscation Techniques: Side-by-Side Comparison
Comparing v0.1.8 to Legitimate Versions
Indicators of Compromise (IoC)
Remediation
How to Know If You Are Impacted
For StepSecurity Enterprise Customers
Broader Lessons for the Developer Community
Conclusion
References