← Supply-Chain Attack Compendium

iolitelabs-vscode-solidity

Incident Summary

IoliteLabs VS Code Solidity Extensions Backdoor

A dormant IoliteLabs Visual Studio Marketplace publisher account was used to update three Solidity extensions to version 0.1.8 after nearly eight years of inactivity, with no matching source repository commits. The VSIX packages replaced the original language-server behavior with startup activation and hid the backdoor in a bundled copy of the pako dependency. The payload delivered Windows and macOS backdoors with persistence and exfiltration behavior; the Linux extension loaded the tampered dependency but did not contain an active Linux execution branch. The incident shows how dormant publisher accounts and vendored dependencies can hide malicious extension code away from the declared entry point.

Date
2026-03-25 to 2026-03-27
Category
Open Source
Target Surface
Distribution
Insertion Phase
distribution
Impact
Credential theft
Cause
Compromised Account/Credentials

What Was Affected

LanguageJavaScript
ComponentPlugin
Artifact typeextension
Domain typepackage host

Compromised Versions

Incident Context

Motive
Credential Theft/Backdoor
Transitive
No
User Impact
27500
Observed Duration
2 days

Evidence

Compromised Artifacts

Indicators and Changes

Hashes

  • sha256:e0f206aac2c3fa733b0c466d2ebb86ba038cf1fe2edeee21e94a4d943a27f63b
  • sha256:fcd398abc51fd16e8bc93ef8d88a23d7dec28081b6dfce4b933020322a610508
  • sha256:40a6bbc8260bc17faa583dd3c3954a0e3c4b0abb923baaecd2ad7901311d5d82
  • sha256:5886a9b659c05fb3e3077c80bb6a8be6acb1064683db542fae90e3bf9757f95f
  • sha256:e903ae267bf7ed1d02b218c1dc7cf6d87257e87de9fbda411a13f9154716bfa3
  • sha256:5f9c09c2c432a6b94f2200455065bcfd1237f8a01b913a7c9e37f164ff99a84c
  • sha256:38cb0e1209a721a565e71f9dc0593437723dc32c4d2fe2d23de141f4d306ccea
  • sha256:8e7213940a2f590af145226d22a96d416bcca4bc6cba3400a8a96fd3e7018080

External References

Source Data

Source record: oss/iolitelabs-vscode-solidity/meta.yaml