Tuesday, March 17, 2026

Two-Line Code Breach in VS Code Extension Triggers Weaponized Supply Chain Attack

In a stark reminder of the ever-evolving threats to software repositories, researchers at ReversingLabs (RL) have unveiled a sophisticated supply chain attack that compromised the popular ETHcode extension for Visual Studio Code (VS Code), potentially impacting thousands of Ethereum developers.

The incident, detected in late June 2025, highlights the vulnerability of even legitimate, widely trusted open-source tools to subtle yet destructive exploits.

Stealthy Attack via a Simple Pull Request

The ETHcode extension, maintained by the small developer group 7finney, has been a staple for nearly 6,000 Ethereum developers since its 2022 launch, streamlining smart contract development and deployment.

The breach occurred when a newly created GitHub account, “Airez299,” submitted a seemingly innocuous pull request on June 17 titled “Modernize codebase with viem integration and testing framework.”

Under the guise of helpful updates, the attacker inserted just two lines of code among 4,000 changes: one introduced a new, malicious dependency, “keythereum-utils,” and the other loaded it via a simple require statement.

Extension as shown on the marketplace

What made this attack particularly insidious was the execution: rather than directly injecting malicious code, the attacker introduced an obfuscated npm package cleverly named to mimic a legitimate dependency.

Initial code reviews, including those using GitHub’s AI-powered Copilot, failed to flag the change, highlighting the difficulty even seasoned maintainers face in detecting such subtle threats.

Downloaded Malware with Crypto in the Crosshairs

Upon deeper inspection and deobfuscation of “keythereum-utils,” RL analysts discovered that the package spawned a hidden PowerShell process, which downloaded and executed a batch script from an external file-hosting service.

While the full payload is still under investigation, experts suspect that the malware aimed to steal crypto assets or compromise smart contracts under development, given the extension’s developer-centric audience.

This attack model, leveraging both typosquatting and dependency confusion, demonstrates a marked progression from opportunistic imitations to well-camouflaged, targeted exploits.

With VS Code’s auto-update feature, the malware may have silently reached the majority of the extension’s installed base.

Lessons for Developers: Vigilance and Verification

The ETHcode breach serves as a wake-up call for the open-source and cryptocurrency development communities.

It demonstrates how just two overlooked lines can subvert a trusted tool, making diligent review of all dependencies, especially those added via pull requests, critical.

RL recommends manual verification of new contributors, vigilant review of manifest files like package.json, and the use of advanced threat detection tools.
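The two-line change described above is exactly what a mechanical manifest review catches: a dependency that did not exist before the pull request, a name that shadows a package the project already uses, and a version that matches a published indicator. The following is an added example written for this page, not code from ReversingLabs or the ETHcode project. It compares a package.json before and after a change, reports every newly added dependency, flags names that look like a typosquat or suffixed variant of an existing dependency, and matches additions against the known-bad versions listed in the IOC table below. The manifests are constructed; the “keythereum” base dependency is a stand-in for a legitimate existing package and is not a claim about what ETHcode actually depends on.

```javascript
// Added example (not from the article, ReversingLabs or 7finney): review a pull
// request's change to package.json mechanically. Reports newly added
// dependencies, flags names resembling an existing dependency, and matches
// additions against known-bad package versions.

// Levenshtein edit distance, used to spot look-alike package names.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Strip npm range operators so "^1.2.1" compares equal to an IOC's "1.2.1".
function pinnedVersion(spec) {
  return String(spec).replace(/^[\^~>=<\s]+/, "");
}

// Does `name` look like a near-miss of a package already in the manifest
// (small edit distance) or a suffixed variant of one ("foo" -> "foo-utils")?
function looksLikeTyposquat(name, knownNames) {
  return knownNames.some((k) => {
    if (k === name) return false;
    if (editDistance(k, name) <= 2) return true;
    return name.startsWith(k + "-") || name.startsWith(k + "_");
  });
}

// Compare the dependency sets of two manifests and return one finding per
// dependency that is new in `head`, with the reasons it deserves attention.
function reviewManifestChange(base, head, knownBad) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  const baseDeps = {};
  const headDeps = {};
  for (const f of fields) {
    Object.assign(baseDeps, base[f] || {});
    Object.assign(headDeps, head[f] || {});
  }
  const findings = [];
  for (const [name, spec] of Object.entries(headDeps)) {
    if (name in baseDeps) continue; // pre-existing; version bumps are a separate review
    const version = pinnedVersion(spec);
    const reasons = ["new dependency"];
    if (knownBad.some((b) => b.name === name && b.version === version)) {
      reasons.push("matches known-bad package version");
    }
    if (looksLikeTyposquat(name, Object.keys(baseDeps))) {
      reasons.push("name resembles an existing dependency");
    }
    findings.push({ name, version, reasons });
  }
  return findings;
}

// Constructed sample manifests. "keythereum" is a stand-in for a legitimate
// dependency already in the project; "keythereum-utils" is the package named
// in the article's IOC table.
const BASE_MANIFEST = {
  name: "sample-extension",
  dependencies: { keythereum: "^1.2.0", ethers: "^6.0.0" },
};
const HEAD_MANIFEST = {
  name: "sample-extension",
  dependencies: {
    keythereum: "^1.2.0",
    ethers: "^6.0.0",
    "keythereum-utils": "1.2.1",
    viem: "^2.0.0",
  },
  devDependencies: { vitest: "^1.0.0" },
};
// Known-bad versions, taken from the IOC table on this page.
const KNOWN_BAD = ["1.2.1", "1.2.2", "1.2.3", "1.2.4"].map((v) => ({
  name: "keythereum-utils",
  version: v,
}));

function runSample() {
  return reviewManifestChange(BASE_MANIFEST, HEAD_MANIFEST, KNOWN_BAD);
}

for (const f of runSample()) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join("; ")}`);
}
```

Run as a pull-request check against the base and head package.json, the review surfaces “keythereum-utils@1.2.1” with all three reasons while the other additions (viem, vitest) are listed only as new dependencies for a human to look at. The name heuristic is deliberately broad; its job is to make sure a reviewer reads the line, not to decide on its own.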

Luckily, RL’s prompt reporting led to the removal of the compromised extension and the release of a clean version (0.5.1) by July 1st, 2025.

The attack remains under investigation, but one lesson is clear: in the modern software supply chain, trust must always be verified, down to the very last line of code.

IOCs

package_name        version   sha1
keythereum-utils    1.2.1     17802c834861bb983a248234b0a5d17a62fe4474
keythereum-utils    1.2.2     0a9b47d707e167af384403af7c466eb43d46f343
keythereum-utils    1.2.3     442cac64cd5e7783503970c446a1d0d0a0dab69d
keythereum-utils    1.2.4     933967db50602a058bd1764c44fc98305866e89e
