Open Source · 2026-03-25 · 2 days · Credential Theft, Backdoor

IoliteLabs Solidity extensions shipped backdoor

A dormant IoliteLabs Visual Studio Marketplace publisher account was used to update three Solidity extensions to version 0.1.8 after nearly eight years of inactivity, with no matching source repository commits.

Story

On March 25, 2026, three Visual Studio Code extensions for Solidity development from a publisher called IoliteLabs were updated for the first time in nearly eight years. The new releases, all marked 0.1.8, replaced legitimate Solidity tooling with a backdoor that targeted the wallets, seed phrases, and deployment keys typically held by smart-contract developers. Together the extensions had roughly 27,500 installs across macOS, Windows, and Linux.

StepSecurity researcher Ashish Kurmi, who reported the activity two days later, said the marketplace updates did not match the source repository: the GitHub project showed no commits for version 0.1.8. The new VSIX bundles had also shrunk and lost their real Solidity functionality, which was reduced to hollow command stubs. The actual payload rode in a tampered copy of the pako compression library bundled inside each extension. Where the legitimate pako@1.0.11 carried SHA-256 e7ec4e35..., the copy shipping with the malicious extensions hashed to fcd398ab... (the full value is in the Indicators below). The injected code used five obfuscation layers: Unicode escapes, bracket property notation, XOR junk variables, string reversal, and dependency hiding.

Behavior split by platform. Both the Windows and macOS extensions invoked child_process.exec() on every VS Code startup through the onStartupFinished activation event. The Windows path pulled a batch dropper from rraghh.com and, in a later stage, an MSI installer from oortt.com disguised as a Chrome updater. The macOS path fetched a shell script from cdn.rraghh.com and dropped one of two architecture-specific stage-two binaries, doc for Intel and doc1 for Apple Silicon. The Linux extension loaded the tampered pako, but the dropper contained no Linux branch, so compromised Linux installs never spawned a malicious process.

The attack worked because it ran from an established publisher account with eight years of legitimate history and existing installs, not from a new typosquat. Trust was inherited rather than built, and once the attacker had the account, the marketplace listing kept its old name while its contents became a loader.

Affected Artifacts

iolitelabs.solidity-linux

VS Code Marketplace · repository · Extension
Observed
2026-03-25 to 2026-03-27
Compromised Versions
  • 0.1.8
Fixed
Not listed
  • The Linux extension loaded the tampered dependency, but the public report identified no active Linux execution branch; versions below 0.1.8 are unaffected.

Incident Context

Motive
Credential Theft, Backdoor
Cause
Compromised Account Credentials
Transitive
No
User Impact
27,500 (approximate combined installs across the three extensions)

Indicators

  • sha256: e0f206aac2c3fa733b0c466d2ebb86ba038cf1fe2edeee21e94a4d943a27f63b
  • sha256: fcd398abc51fd16e8bc93ef8d88a23d7dec28081b6dfce4b933020322a610508
  • sha256: 40a6bbc8260bc17faa583dd3c3954a0e3c4b0abb923baaecd2ad7901311d5d82
  • sha256: 5886a9b659c05fb3e3077c80bb6a8be6acb1064683db542fae90e3bf9757f95f
  • sha256: e903ae267bf7ed1d02b218c1dc7cf6d87257e87de9fbda411a13f9154716bfa3
  • sha256: 5f9c09c2c432a6b94f2200455065bcfd1237f8a01b913a7c9e37f164ff99a84c
  • sha256: 38cb0e1209a721a565e71f9dc0593437723dc32c4d2fe2d23de141f4d306ccea
  • sha256: 8e7213940a2f590af145226d22a96d416bcca4bc6cba3400a8a96fd3e7018080

External References

Source record: oss/attacks/iolitelabs-vscode-solidity/meta.yaml