FAKE WINDSURF EXTENSION STEALS DEVELOPER CREDENTIALS VIA SOLANA-HOSTED PAYLOADS
Attackers shipped a fake Windsurf IDE extension that fetches malware from Solana transactions to exfiltrate developer credentials.
Bitdefender details a Windsurf/VS Code–compatible extension spoofing R support that decrypts itself after install, pulls JavaScript payloads from Solana transactions, and runs a multi‑stage Node.js stealer with persistence via a hidden PowerShell scheduled task. It targets Chromium browser data and skips Russian locales (source: Bitdefender research).
The extension name mimics the legitimate REditorSupport, and lives under the .windsurf extensions directory, making it look trusted to endpoint tools. A summary is also available from KBI.Media.
Separately, Releasebot shows an unrelated Windsurf update fixing a Mac x64 build issue, with no sign that it addresses this threat (source: Releasebot updates).
Developer IDEs are now an active attack surface; stolen browser cookies, tokens, and keys can pivot straight into CI, cloud, and data stores.
Blockchain-delivered payloads dodge simple domain blocks and takedowns, so detection has to key on behavior, not just network IOCs.
- terminal: Simulate a benign VS Code-compatible extension in Windsurf and verify your allow/deny policy: can endpoints block unsigned or unapproved extensions in .windsurf?
- terminal: Run red-team tests for Windsurf/Code spawning node.exe and creating hidden PowerShell scheduled tasks; confirm EDR alerts and SIEM correlations fire.
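The behavior-keyed detection the two points above call for (an IDE host spawning node.exe from an extension folder, then a hidden scheduled task being registered), as an added example that is not Bitdefender's, Windsurf's or any vendor's code. It runs over constructed process-creation events with Sysmon-style field names (Image, ParentImage, CommandLine); the image paths, extension folder names, command lines and the severity rules are assumptions made for illustration.

```python
"""Behavior-based detection for the Windsurf stealer chain described above.

Added example, not Bitdefender's or Windsurf's code. It runs over constructed
process-creation events with Sysmon-style field names (Image, ParentImage,
CommandLine); paths, folder names and command lines are sample values, and the
rule set and severity mapping are assumptions.
"""
import re
from pathlib import PureWindowsPath

# IDE host processes whose child node.exe is worth inspecting (assumption).
IDE_HOSTS = {"windsurf.exe", "code.exe"}

# Extension install roots named on the page, in the backslash form seen in command lines.
EXT_DIR_MARKERS = (".windsurf\\extensions", ".vscode\\extensions")

# Command-line fragments that create a scheduled task, and that hide its window.
TASK_CREATE = re.compile(
    r"schtasks(?:\.exe)?\s+/create|register-scheduledtask|new-scheduledtask\b", re.I)
HIDDEN_WINDOW = re.compile(
    r"-w(?:indowstyle)?\s+hidden|new-scheduledtasksettingsset[^|;]*-hidden", re.I)
TASK_CREATORS = {"powershell.exe", "pwsh.exe", "schtasks.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def detect(event: dict) -> list:
    """Return the rule names that fire for one process-creation event."""
    alerts = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    cmd_lower = cmd.lower()

    # Rule 1 (noisy on its own: language servers do this too): an IDE host
    # launches node.exe with a script that lives inside an extension directory.
    if (image == "node.exe" and parent in IDE_HOSTS
            and any(marker in cmd_lower for marker in EXT_DIR_MARKERS)):
        alerts.append("ide_spawned_node_from_extension_dir")

    # Rule 2: a task-creating tool registers a scheduled task with a hidden window.
    if image in TASK_CREATORS and TASK_CREATE.search(cmd) and HIDDEN_WINDOW.search(cmd):
        alerts.append("hidden_scheduled_task_created")

    # Rule 3: the task is created by a child of node.exe, i.e. the IDE-spawned
    # stage is setting up persistence rather than a user doing it interactively.
    if parent == "node.exe" and TASK_CREATE.search(cmd):
        alerts.append("scheduled_task_created_by_node_child")
    return alerts


def scan(events: list) -> dict:
    """Run detect() over one host's events and correlate: rule 1 together with
    rule 2 or 3 on the same host is the stealer's shape and is rated high;
    rule 1 alone stays low."""
    hits = [(i, detect(e)) for i, e in enumerate(events)]
    fired = {name for _, names in hits for name in names}
    if "ide_spawned_node_from_extension_dir" in fired and (
            "hidden_scheduled_task_created" in fired
            or "scheduled_task_created_by_node_child" in fired):
        severity = "high"
    elif fired:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "hits": [(i, n) for i, n in hits if n]}


# Constructed sample telemetry: IDE start, a node stage from a lookalike
# extension folder, that stage registering a hidden task, and a benign language
# server launch for comparison. Every path and name here is made up.
WINDSURF = r"C:\Users\dev\AppData\Local\Programs\Windsurf\Windsurf.exe"
NODE = r"C:\Program Files\nodejs\node.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": WINDSURF, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "Windsurf.exe"},
    {"Image": NODE, "ParentImage": WINDSURF,
     "CommandLine": r'node.exe "C:\Users\dev\.windsurf\extensions\lookalike.r-1.0.0\out\loader.js"'},
    {"Image": PS, "ParentImage": NODE,
     "CommandLine": 'powershell.exe -WindowStyle Hidden -Command "Register-ScheduledTask '
                    '-TaskName Updater -Action (New-ScheduledTaskAction -Execute node.exe)"'},
    {"Image": NODE, "ParentImage": WINDSURF,
     "CommandLine": r'node.exe "C:\Users\dev\.windsurf\extensions\approved.langserver-1.0.0\server.js"'},
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    print("severity:", result["severity"])
    for index, names in result["hits"]:
        print(f"event {index}: {', '.join(names)}")
```

Rule 1 fires for the benign language server too, which is why the correlation in `scan()` carries the weight: the high rating only appears when the node stage and the hidden-task registration show up on the same host, matching the chain the page describes rather than a single process-creation IOC.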
Legacy codebase integration strategies...
- 01. Audit and lock down IDE extension install paths (.windsurf, .vscode) via policy; inventory and remove lookalikes (e.g., fake R support), then rotate developer tokens and browser-saved passwords.
- 02. Harden access: move to SSO-federated, short-lived cloud credentials and disable persistent browser credential storage on corp machines.
Fresh architecture paradigms...
- 01. Design dev environments to be ephemeral with secretless auth (OIDC/IAM federation) so stolen cookies or saved creds have minimal blast radius.
- 02. Enforce extension allowlists from day one and pipeline checks that block builds from machines with unapproved IDE extensions.
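An extension-directory audit serving the allowlist point just above, the earlier "inventory and remove lookalikes" step, and the .windsurf allow/deny check, as an added example that is not part of the page or of any vendor tooling. It reads the publisher.name-version folder naming used by VS Code-compatible extension directories, compares each id against an allowlist, and flags near-matches of approved ids as lookalikes. The allowlist and sample folder names are constructed; `REditorSupport.r` is assumed to be the id of the legitimate R extension the page names, and the similarity threshold is an assumption.

```python
"""Audit IDE extension folders against an allowlist and flag lookalikes.

Added example, not part of the page or of any vendor tooling. Folder names
follow the <publisher>.<name>-<version> convention of VS Code-compatible IDEs;
the allowlist, the sample folder names and the similarity threshold below are
constructed or assumed for illustration.
"""
import difflib
import re
from pathlib import Path

# Non-greedy id, then a version that starts with digits.digits (assumption).
FOLDER_RE = re.compile(r"^(?P<id>.+?)-(?P<version>\d+\.\d+.*)$")

# Constructed allowlist. "reditorsupport.r" is assumed to be the legitimate
# R extension id; "approved.langserver" is made up.
ALLOWLIST = {"reditorsupport.r", "approved.langserver"}

# Normalized-id similarity at or above this is reported as a lookalike (assumption).
LOOKALIKE_RATIO = 0.8

# Default extension roots named on the page.
DEFAULT_EXT_DIRS = ("~/.windsurf/extensions", "~/.vscode/extensions")


def parse_folder(name: str):
    """Split a folder name into (extension id, version); (None, None) if it does not fit."""
    match = FOLDER_RE.match(name)
    if not match:
        return None, None
    return match.group("id"), match.group("version")


def normalize(ext_id: str) -> str:
    """Collapse case and punctuation so 'reditor-support.r' and 'REditorSupport.r' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ext_id.lower())


def classify(folder_name: str, allowlist=ALLOWLIST) -> dict:
    """Label one extension folder: approved, lookalike, unapproved or unparseable."""
    ext_id, version = parse_folder(folder_name)
    if ext_id is None:
        return {"folder": folder_name, "status": "unparseable"}
    allowed_lower = {a.lower() for a in allowlist}
    if ext_id.lower() in allowed_lower:
        return {"folder": folder_name, "id": ext_id, "version": version, "status": "approved"}
    # Not on the allowlist: measure how close it is to the nearest approved id.
    norm = normalize(ext_id)
    closest, best = None, 0.0
    for allowed in sorted(allowlist):
        ratio = difflib.SequenceMatcher(None, norm, normalize(allowed)).ratio()
        if ratio > best:
            closest, best = allowed, ratio
    status = "lookalike" if best >= LOOKALIKE_RATIO else "unapproved"
    return {"folder": folder_name, "id": ext_id, "version": version,
            "status": status, "closest": closest, "similarity": round(best, 2)}


def audit(folder_names, allowlist=ALLOWLIST) -> list:
    """Classify a list of folder names (used for the constructed sample below)."""
    return [classify(name, allowlist) for name in folder_names]


def audit_directory(ext_dir: str, allowlist=ALLOWLIST) -> list:
    """Classify the real subfolders of an extensions directory; empty if it is absent."""
    root = Path(ext_dir).expanduser()
    if not root.is_dir():
        return []
    return audit(sorted(d.name for d in root.iterdir() if d.is_dir()), allowlist)


# Constructed sample folder listing: one legitimate id, one lookalike that
# differs only by a hyphen, one approved helper, one unrelated extension.
SAMPLE_FOLDERS = [
    "reditorsupport.r-2.8.2",
    "reditor-support.r-2.8.2",
    "approved.langserver-1.0.0",
    "totally.different-0.1.0",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FOLDERS):
        print(row)
    for ext_dir in DEFAULT_EXT_DIRS:
        for row in audit_directory(ext_dir):
            if row["status"] != "approved":
                print(ext_dir, row)
```

Anything reported as `lookalike` is the case the page describes: an id that reads like an approved publisher to a human and to a naive string match but is not the allowlisted id, which is exactly the kind of folder a pipeline check should refuse to build from.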