A recent cybersecurity incident has uncovered a malicious payload within a widely used code editor extension listed on the Open VSX registry. This extension, named fast-draft under the KhangNghiem publisher, secretly deployed a remote access trojan (RAT) and information-stealing malware onto developer systems, going unnoticed until recently.
Discovery and Spread of Malicious Versions
The compromised extension had amassed over 26,000 downloads before the hidden threats embedded within specific versions were identified. Versions 0.10.89, 0.10.105, 0.10.106, and 0.10.112 were found to contain harmful code that interacted with a malicious GitHub repository operated by an entity known as BlokTrooper.
These versions fetched shell scripts from the repository at raw.githubusercontent[.]com/BlokTrooper/extension, executing them directly on the affected systems. This led to the deployment and execution of a more comprehensive malware payload. Notably, other versions like 0.10.88, 0.10.111, and 0.10.135 did not exhibit such behavior, indicating a likely breach of the publisher’s release credentials.
Analysis of the Attack’s Impact
Security experts from Aikido carried out a detailed review of the fast-draft version history, uncovering the malicious activity. Despite notifying the extension’s maintainer on March 12, 2026, via a public GitHub issue, no response was recorded at the time of reporting.
The consequences of this breach are severe. Developers with compromised versions installed inadvertently permitted attackers to gain complete control over their systems. The malware’s secondary payload executed multiple attack modules simultaneously, targeting browser credentials, cryptocurrency wallets, local files, source code, and clipboard contents.
Technical Overview of the Second-Stage Attack
Upon execution, the malware downloaded a ZIP file, extracted it, and launched several Node.js processes, each focusing on different attack vectors. The first module provided attackers with real-time control over the victim’s device, while the second targeted browsers like Chrome and Edge, extracting saved passwords and cryptocurrency wallet data.
A third module scanned user directories for sensitive documents and source code, bypassing known AI-assisted development environments. The final component monitored clipboard data, capturing and transmitting sensitive information such as seed phrases and API keys to the attacker's server.
Developers are advised to check for and remove any affected versions of fast-draft immediately. It is crucial to rotate all credentials and keys stored on impacted systems. Network administrators should block traffic to the IP 195[.]201[.]104[.]53 and monitor for any suspicious activity linked to BlokTrooper’s GitHub repository.
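The check-and-remove step above, as an added example that is not from the article or from Aikido: it walks the local extension directories, flags the four affected fast-draft versions by publisher, name and version, and also searches each extension's bundled JavaScript for the BlokTrooper raw-GitHub path so a tampered build that is not on the known-bad list is still surfaced. The extension root paths are assumed defaults for VS Code, VSCodium and Cursor.

```python
import json
from pathlib import Path
from typing import Optional

# fast-draft releases the report names as malicious (0.10.88, 0.10.111 and 0.10.135 were clean).
AFFECTED_VERSIONS = {"0.10.89", "0.10.105", "0.10.106", "0.10.112"}
AFFECTED_ID = ("khangnghiem", "fast-draft")
# Path the malicious versions pulled shell scripts from (defanging brackets removed for matching).
STAGER_MARKER = "raw.githubusercontent.com/BlokTrooper/extension"
# Assumed default extension roots for VS Code, VSCodium/Open VSX-based builds and Cursor.
DEFAULT_ROOTS = [Path("~/.vscode/extensions"), Path("~/.vscode-oss/extensions"),
                 Path("~/.cursor/extensions")]
def classify_extension(manifest: dict, sources: str = "") -> Optional[str]:
    """Return 'affected-version', 'stager-reference' or None for one extension manifest."""
    ident = (str(manifest.get("publisher", "")).lower(), str(manifest.get("name", "")).lower())
    if ident == AFFECTED_ID and str(manifest.get("version", "")) in AFFECTED_VERSIONS:
        return "affected-version"
    if STAGER_MARKER in sources:  # catches a tampered build that is not in the known-bad list
        return "stager-reference"
    return None

def scan_extension_dir(ext_dir: Path) -> Optional[tuple[str, str]]:
    """Read package.json plus every bundled .js file under one installed extension directory."""
    manifest_path = ext_dir / "package.json"
    if not manifest_path.is_file():
        return None
    try:
        manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig", errors="replace"))
    except ValueError:
        return None
    sources = "".join(p.read_text(encoding="utf-8", errors="replace")
                      for p in ext_dir.rglob("*.js") if p.is_file())
    verdict = classify_extension(manifest, sources)
    ident = f"{manifest.get('publisher')}.{manifest.get('name')}@{manifest.get('version')}"
    return (ident, verdict) if verdict else None

def scan_roots(roots=DEFAULT_ROOTS) -> list[tuple[str, str]]:
    """Return (extension id, verdict) for every flagged extension under the given roots."""
    findings = []
    for root in (r.expanduser() for r in roots):
        if root.is_dir():
            for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
                hit = scan_extension_dir(ext_dir)
                if hit:
                    findings.append(hit)
    return findings

if __name__ == "__main__":
    for ident, verdict in scan_roots():  # e.g. "affected-version: KhangNghiem.fast-draft@0.10.105"
        print(f"{verdict}: {ident}")
```

Any "affected-version" hit should be uninstalled and the machine treated as compromised (credential rotation as above); a "stager-reference" hit on a different extension warrants manual review of the matched file before acting.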
