
The fake extension, published under the name “IconKiefApp,” mimicked the legitimate extension by Philipp Kief in name, visuals, and structure, successfully tricking more than 16,000 users before it was flagged by researchers at Nextron Systems.
Implant Behavior and Execution
The rogue extension, titled “Icon Theme: Material,” was designed to look identical to the real one, including its internal folder structure.
Once installed, the malicious version placed its loader file, extension.js, in the same directory as the legitimate package, making detection less likely. When activated, this JavaScript loader executed two embedded Rust binaries that acted as implants.
On Windows systems, the loader executed a DLL named os.node, while on macOS it triggered a dylib called darwin.node. Both binaries are foreign to any genuine icon theme.
Upon activation, these implants opened a communication channel to a command-and-control (C2) source and began fetching encoded instructions.
Analysts found that the implants connected to the Solana blockchain instead of a traditional server, where they retrieved C2 instructions hidden within a blockchain wallet address.
Once the implants decoded these instructions, they downloaded a second-stage payload, a JavaScript file encrypted with AES-256-CBC.
This file allowed attackers to deliver additional code remotely and potentially control the victim’s environment.
When the blockchain C2 was unreachable, the implants switched to a fallback by fetching commands from a Google Calendar event. The attackers used invisible Unicode characters inside the calendar title to conceal the secondary C2 location.
Discovery and Mitigation
The malicious version, marked 5.29.1, was uploaded to the VS Code Marketplace on November 28, 2025. Notably, earlier versions, such as 5.29.0, were clean and did not contain the implants.
Nextron Systems’ automated artifact-scanning service, powered by its THOR Thunderstorm engine, identified the implants embedded within the extension’s directory structure during routine analysis.
Hashes of the infected components match those seen in previously observed GlassWorm-related campaigns, suggesting that the same actor or toolkit is involved.
Nextron reported the extension to Microsoft shortly after the discovery, but as of the report's publication the malicious version remained available online.
Users who installed the extension should immediately remove it from Visual Studio Code and scan their systems for related hash indicators.
Organizations are advised to restrict installations from unverified publishers and review extension permissions in development environments to prevent similar supply chain threats.
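As an added defender-side check (not code from the report or from Nextron), the following Python script audits a VS Code extensions directory for icon-theme packages that declare an activation entry point or ship native modules, neither of which a genuine icon theme needs. The implant file names os.node and darwin.node are the ones named above; the native-suffix list, the directory layout and the constructed sample tree in demo() are assumptions.

```python
import json, os, tempfile
from pathlib import Path

# Assumed indicators: the two file names are from the report; the suffixes are
# flagged because a genuine icon theme never needs compiled code.
KNOWN_IMPLANT_NAMES = {"os.node", "darwin.node"}
NATIVE_SUFFIXES = {".node", ".dll", ".dylib", ".so"}

def audit_extension(ext_dir):
    """Return a list of findings for one extension directory (empty = clean)."""
    ext_dir = Path(ext_dir)
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return []
    try:
        pkg = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return ["unreadable package.json"]
    is_icon_theme = "iconThemes" in (pkg.get("contributes") or {})
    findings = []
    if is_icon_theme and pkg.get("main"):  # a theme needs no activation entry point
        findings.append(f"icon theme declares main={pkg['main']!r}")
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            rel = Path(root, name).relative_to(ext_dir)
            if name in KNOWN_IMPLANT_NAMES:
                findings.append(f"known implant file name {rel}")
            elif is_icon_theme and Path(name).suffix.lower() in NATIVE_SUFFIXES:
                findings.append(f"native module in icon theme: {rel}")
    return findings

def audit_all(extensions_root):
    """Map extension directory name -> findings, for every flagged extension."""
    results = {}
    for d in sorted(Path(extensions_root).iterdir()):
        if d.is_dir() and (found := audit_extension(d)):
            results[d.name] = found
    return results

def demo():
    """Constructed sample tree: a clean icon theme beside a mimic with loader and implants."""
    root = Path(tempfile.mkdtemp())
    theme = {"contributes": {"iconThemes": [{"id": "t", "path": "./icons.json"}]}}
    (root / "clean-theme-1.0.0").mkdir()
    (root / "clean-theme-1.0.0" / "package.json").write_text(json.dumps(theme))
    (root / "mimic-theme-1.0.0").mkdir()
    (root / "mimic-theme-1.0.0" / "package.json").write_text(json.dumps({**theme, "main": "./extension.js"}))
    for f in ("extension.js", "os.node", "darwin.node"):
        (root / "mimic-theme-1.0.0" / f).write_bytes(b"\x00")
    return audit_all(root)  # real use: audit_all(Path.home() / ".vscode" / "extensions")
```

The clean theme produces no findings; the mimic is flagged for its main entry and for both implant file names, so the check works regardless of the OS-specific binary shipped.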
The post VS Code Icon Theme Extension Turns Malicious, Attacking Windows and macOS Systems appeared first on Cyber Security News.
