MALICIOUS FAKE WINDSURF EXTENSION USES SOLANA BLOCKCHAIN FOR C2, TARGETS DEVELOPER CREDENTIALS
A fake Windsurf IDE extension is stealing developer credentials and using the Solana blockchain for command-and-control.
Compromised developer machines can leak source code, production credentials, and session tokens, giving an attacker a direct path to your backend and data systems.
AI IDE adoption expands attack surface via extension ecosystems that often bypass standard enterprise controls.
- Scan developer endpoints for IOCs: the extension reditorsupporter.r-vscode-2.8.8-universal, the files w.node and c_x64.node, and a hidden scheduled task named UpdateApp.
- Inventory installed IDE extensions and lock them down with publisher allowlists; alert on any side-loaded or unsigned extension across Windsurf and other VS Code-like environments.
Legacy codebase integration strategies...
- 01. If teams already use Windsurf or VS Code forks, enforce extension allowlists via device management and remove unapproved R-language helper extensions.
- 02. Add EDR rules to flag creation of UpdateApp tasks and access to browser credential stores; rotate tokens if any machine shows IOCs.
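The IOC sweep and the publisher-allowlist check above can be combined into one audit of an IDE's extensions directory. The script below is an added example, not code from the brief or from any vendor: it parses the `publisher.name-version[-target]` folder naming that VS Code-like IDEs use, flags the extension id and native-payload file names the brief lists, and reports any publisher outside a hypothetical allowlist (`ms-python` and `golang` are placeholders for whatever your organisation approves). The sample directory it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Installed-extension folders are named publisher.name-version[-target],
# e.g. reditorsupporter.r-vscode-2.8.8-universal (the IOC from the brief).
EXT_DIR_RE = re.compile(
    r"^(?P<publisher>[^.]+)\.(?P<name>.+?)-(?P<version>\d+(?:\.\d+)+)(?:-(?P<target>[\w-]+))?$"
)

KNOWN_BAD_EXTENSIONS = {"reditorsupporter.r-vscode"}  # extension id named in the brief
KNOWN_BAD_FILES = {"w.node", "c_x64.node"}            # dropped files named in the brief
ALLOWED_PUBLISHERS = {"ms-python", "golang"}           # hypothetical publisher allowlist

def parse_ext_dirname(dirname):
    """Split 'publisher.name-version[-target]' into parts; None if the name does not fit."""
    m = EXT_DIR_RE.match(dirname)
    return m.groupdict() if m else None

def audit_extensions(ext_root, allowed_publishers=ALLOWED_PUBLISHERS):
    """Return (extension_folder, reason) findings for every suspicious entry under ext_root."""
    findings = []
    for ext_dir in sorted(Path(ext_root).iterdir()):
        if not ext_dir.is_dir():
            continue
        parts = parse_ext_dirname(ext_dir.name)
        if parts is None:  # side-loaded or hand-placed folder that no marketplace would produce
            findings.append((ext_dir.name, "unparseable extension folder name"))
            continue
        ext_id = f"{parts['publisher']}.{parts['name']}"
        if ext_id in KNOWN_BAD_EXTENSIONS:
            findings.append((ext_dir.name, f"known malicious extension id {ext_id}"))
        elif parts["publisher"] not in allowed_publishers:
            findings.append((ext_dir.name, f"publisher {parts['publisher']} not on allowlist"))
        # The native .node payloads may sit anywhere in the tree, so walk it recursively.
        for fname in sorted(p.name for p in ext_dir.rglob("*") if p.name in KNOWN_BAD_FILES):
            findings.append((ext_dir.name, f"dropped native payload file {fname}"))
    return findings

def build_sample_extensions_dir():
    """Constructed throwaway directory with one clean install and one mimicking the IOCs."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    (root / "ms-python.python-2024.4.1").mkdir()
    bad = root / "reditorsupporter.r-vscode-2.8.8-universal"
    (bad / "node_modules").mkdir(parents=True)
    (bad / "node_modules" / "w.node").write_bytes(b"\x00")
    (bad / "c_x64.node").write_bytes(b"\x00")
    return root
```

Point `audit_extensions` at the real extensions folder (for example `~/.windsurf/extensions` or the equivalent for your IDE) to run it against a workstation; the scheduled-task IOC still needs a separate check of the task scheduler.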
Fresh architecture paradigms...
- 01. Default to ephemeral dev environments (containers/VMs) with no persistent browser credentials and signed-extension-only policies.
- 02. Route all tooling through SSO-bound secrets brokers, and block direct local storage of long-lived API keys in browsers.