supplychainattack.org · Supply chain attack incident catalog
Status: active · Severity: critical

Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor

Three IoliteLabs VSCode extensions (solidity-macos, solidity-windows, solidity-linux) containing obfuscated backdoors targeting Solidity and Web3 developers across Windows, macOS, and Linux. The backdoors download remote payloads and establish persistence mechanisms on infected systems.

Disclosed: April 2, 2026
Last updated: June 7, 2026
Blast radius: Solidity and Web3 developers using the affected IoliteLabs VSCode extensions on Windows, macOS, and Linux
Ecosystems:
Attack vectors:
Affected entities:
  • solidity-macos (IoliteLabs VSCode extension)
  • solidity-windows (IoliteLabs VSCode extension)
  • solidity-linux (IoliteLabs VSCode extension)

A supply chain attack has been discovered targeting Solidity and Web3 developers through three malicious VSCode extensions distributed under the IoliteLabs name. The affected extensions—solidity-macos, solidity-windows, and solidity-linux—embed obfuscated backdoor code designed to function across all major operating systems. The backdoors download remote payloads and establish persistence mechanisms on compromised machines. StepSecurity identified and disclosed the attack and indicated that a full technical analysis with indicators of compromise (IOCs) and remediation guidance would be published separately.

Indicators of compromise

Packages
  • solidity-macos
  • solidity-windows
  • solidity-linux

Remediation

  • Immediately uninstall solidity-macos, solidity-windows, and solidity-linux VSCode extensions from all systems
  • Scan systems for persistence mechanisms and remote payloads left by the backdoor
  • Review system logs and network traffic for suspicious outbound connections from the backdoor
  • Reset credentials and API keys used on affected systems
  • Update VSCode and all extensions to the latest versions from official sources
  • Monitor for indicators of compromise (IOCs) published by StepSecurity
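The first remediation step is only as good as your inventory of where the extensions are installed. The following Python check is an added example for this entry (it is not code from StepSecurity or from the catalog): it asks `code --list-extensions --show-versions` for the installed extension IDs and also walks the on-disk `~/.vscode/extensions` folder, since an extension that was disabled rather than uninstalled still has its code on disk. The page does not give the marketplace publisher ID of the three extensions, so the check matches on the extension name part (`solidity-macos`, `solidity-windows`, `solidity-linux`) and reports whatever publisher prefix it finds; the sample IDs in the test are constructed.

```python
"""Flag installed VS Code extensions named in the IoliteLabs advisory.

Added example for this catalog entry; not StepSecurity's or the catalog's own code.
Assumptions: the `code` CLI is on PATH, and extension folders use the usual
`publisher.name-version` layout under ~/.vscode/extensions.
"""
import os
import re
import subprocess

# Extension names from the advisory. The publisher ID is not given on the page,
# so matching is done on the name part only and the publisher seen is reported.
AFFECTED_NAMES = {"solidity-macos", "solidity-windows", "solidity-linux"}

# Matches a trailing "-1.2.3", "-1.2.3-alpha" or "-1.2.3-universal" folder suffix.
_VERSION_SUFFIX = re.compile(r"-\d+(\.\d+)*(-[\w.]+)?$")


def find_affected(extension_ids):
    """Return the IDs whose name part matches an affected extension name.

    extension_ids: iterable of 'publisher.name' or 'publisher.name@version'
    strings, the format printed by `code --list-extensions --show-versions`.
    """
    hits = []
    for ext_id in extension_ids:
        ext_id = ext_id.strip()
        if not ext_id:
            continue
        ident = ext_id.split("@", 1)[0]           # drop the @version suffix
        name = ident.rsplit(".", 1)[-1].lower()   # name part after the publisher dot
        if name in AFFECTED_NAMES:
            hits.append(ext_id)
    return hits


def folder_to_id(folder_name):
    """Strip the version suffix from an extensions-folder entry: 'pub.name-1.0.0' -> 'pub.name'."""
    return _VERSION_SUFFIX.sub("", folder_name)


def list_installed_extensions(code_cmd="code"):
    """Return the lines of `code --list-extensions --show-versions`, or [] if the CLI is unavailable."""
    try:
        result = subprocess.run(
            [code_cmd, "--list-extensions", "--show-versions"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return []
    return result.stdout.splitlines()


def scan_extensions_dir(path=None):
    """Return affected extension folders found on disk (disabled extensions are still present here)."""
    path = path or os.path.join(os.path.expanduser("~"), ".vscode", "extensions")
    if not os.path.isdir(path):
        return []
    return [d for d in os.listdir(path) if find_affected([folder_to_id(d)])]


def main():
    cli_hits = find_affected(list_installed_extensions())
    disk_hits = scan_extensions_dir()
    if not cli_hits and not disk_hits:
        print("No IoliteLabs solidity-* extensions found.")
        return 0
    for ext in cli_hits:
        print(f"ENABLED   : {ext}")
    for folder in disk_hits:
        print(f"ON DISK   : {folder}")
    print("Uninstall these extensions, then follow the remaining remediation steps.")
    return 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it on every workstation and CI runner where VS Code is used; a non-zero exit status makes it easy to wire into an endpoint inventory job. Because the match is on the name part alone, a legitimately named extension from another publisher with one of these exact names would also be reported, which is the safer direction for a triage script.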

Sources

  1. Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor · StepSecurity

Cite this entry

"Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed April 2, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/malicious-iolitelabs-vscode-extensions-target-solidity-developers-on-windows-mac-1fkfap


Related incidents

  1. Status: active · Severity: critical

     The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave

     TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. The attack leveraged GitHub, NPM, and VSCode to steal credentials and establish persistence mechanisms.

     Ecosystems: npm, Other · Attack vectors: Account takeover, Compromised package, Malicious maintainer

  2. Status: contained · Severity: critical

     TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package

     The xinference package on PyPI was compromised with a two-stage credential stealer attributed to the TeamPCP threat actor. The malicious code was injected into the package, potentially affecting users who installed compromised versions.

     Ecosystems: PyPI · Attack vectors: Compromised package, Malicious maintainer

  3. Status: contained · Severity: high

     lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel

     The lightning PyPI package versions 2.6.2 and 2.6.3 were compromised on April 30, 2026, containing obfuscated JavaScript code designed to steal credentials. The project's GitHub account showed signs of compromise, with suspicious responses closing vulnerability reports.

     Ecosystems: PyPI · Attack vectors: Compromised package, Malicious maintainer

  4. Status: contained · Severity: high

     10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions

     TeamPCP compromised 76 Trivy version tags on GitHub Actions in an overnight attack, followed by a similar KICS compromise using the same methodology. The attacks targeted credential exfiltration through malicious GitHub Actions.

     Ecosystems: Other, Container registry · Attack vectors: Compromised package, Account takeover