Bitdefender researchers have identified a malicious extension that targeted the Windsurf integrated development environment (IDE) and used the Solana blockchain to deliver malware designed to steal developer credentials.
The extension posed as a tool for R language development in Visual Studio Code-compatible environments. The sample Bitdefender analysed was named reditorsupporter.r-vscode-2.8.8-universal and closely resembled the legitimate REditorSupport extension.
Researchers began tracing the activity after endpoint detection alerts flagged suspicious behaviour involving windsurf.exe on a corporate workstation. The user had installed the extension believing it was legitimate.
Extension masquerade
The attack chain started after installation. The package hid its functionality in encrypted JavaScript that decrypted only after being installed, reducing the chance of detection during download or initial code review.
After decryption, the loader pulled in additional malicious components. Investigators found the attacker had stored these payloads in Solana blockchain transactions, which the loader retrieved directly instead of contacting a conventional command-and-control server.
Using a public blockchain as a distribution mechanism changes a campaign’s operational footprint. It reduces reliance on attacker-controlled infrastructure that defenders can seize or block and complicates takedown efforts because the data remains accessible through the network.
Information theft
Bitdefender described the malware as a multi-stage NodeJS information stealer targeting data stored in Chromium-based browsers, including saved passwords, session cookies, and other sensitive information.
The campaign focused on developer environments, where privileged credentials and access tokens are often present. Development machines commonly store API keys for cloud services, credentials for internal systems, and sessions for administrative consoles. Losing access to these assets can extend the impact beyond a single workstation.
Before executing, the malware collected system information and checked locale and timezone settings, including whether the infected system appeared to be in Russia. If Russian indicators were detected, it terminated.
Persistence method
Investigators found a persistence mechanism based on a hidden Windows scheduled task. The task relaunched the malware using a bundled NodeJS runtime, keeping the infection active across reboots and user logins without a visible application entry point.
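A defender-side check suggested by this persistence mechanism, written as an added example rather than code from Bitdefender's report: it parses exported Task Scheduler XML (the format `schtasks /query /xml` produces) and flags tasks that launch a Node runtime from outside the standard install directory, noting when the task is also hidden. The task names and file paths are constructed and hypothetical, not indicators from the report.

```python
import xml.etree.ElementTree as ET

# Windows Task Scheduler XML namespace (as emitted by `schtasks /query /xml`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
STANDARD_NODE_DIRS = ("\\program files\\nodejs\\", "\\program files (x86)\\nodejs\\")


def _task(hidden: str, command: str, arguments: str) -> str:
    """Build a minimal task definition in the real schema; used only for the constructed samples."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Settings><Hidden>{hidden}</Hidden></Settings>'
            f'<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>')


# Constructed samples: two benign tasks and one that mimics the pattern described above
# (hidden task relaunching a bundled Node runtime). Names and paths are hypothetical.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": _task("false", r"%windir%\system32\defrag.exe", "-c -h -o"),
    r"\DevTools\NightlyLint": _task("false", r"C:\Program Files\nodejs\node.exe", r"C:\repo\lint.js"),
    r"\Microsoft\Windows\RSupport": _task("true", r"C:\Users\dev\.ide\extensions\r-support\bin\node.exe", "loader.js"),
}


def review_task(xml_text: str) -> list[str]:
    """Return findings for one task definition; an empty list means nothing stood out."""
    root = ET.fromstring(xml_text)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true"
    findings = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip()
        args = exe.findtext("t:Arguments", default="", namespaces=NS).strip()
        if cmd.rsplit("\\", 1)[-1].lower() in ("node.exe", "node"):
            # A Node binary shipped inside an extension or user directory is the suspicious case.
            if not any(d in cmd.lower() for d in STANDARD_NODE_DIRS):
                findings.append(f"node runtime outside the standard install location: {cmd}")
            if hidden:
                findings.append(f"hidden task launching a script interpreter with: {args}")
    return findings


def review_all(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Map task name -> findings, keeping only tasks with at least one finding."""
    return {name: f for name, xml in tasks.items() if (f := review_task(xml))}


if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_TASKS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real host, feed the function the output of `schtasks /query /xml` per task instead of the constructed samples; a hidden task whose only job is to run a script interpreter from a user-writable path warrants a closer look.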
The use of an IDE extension reflects a broader pattern in which attackers hide malicious code in tools developers trust and use daily. Extension ecosystems can provide a path into environments that may have weaker governance than centrally managed enterprise software.
Security response
Bitdefender advised developers and organisations to verify extensions before installation and limit the permissions granted to development tools. It also recommended monitoring developer environments for unusual activity and enforcing stricter extension governance policies across teams.
Endpoint telemetry is valuable for spotting this activity because the malicious code runs inside trusted processes, so behaviour rather than file reputation is what gives it away. In this case, Bitdefender’s endpoint detection and response alerts highlighted suspicious behaviour tied to windsurf.exe.
Bitdefender also noted that using blockchain infrastructure in the delivery chain suggests ongoing experimentation by threat actors. As more organisations adopt developer platforms and decentralised systems, attackers may increasingly rely on unconventional hosting and distribution methods that sit outside traditional web infrastructure.