Have Ethereum Devs Been Tricked by Scammers’ Malicious Code? What We Know

• Scammers are targeting Ethereum developers.
• The ploy could put multiple projects at risk.
• Extension-based exploits are nothing new in the crypto space. 

As with any young industry of significant value, the crypto industry is rife with bad actors seeking to take a share of the value for themselves at the expense of others. Over the years, these bad actors have employed a wide range of tactics, from complex social engineering schemes to simple honey pots, making it necessary for industry participants to always be on the alert.

In the latest instance, these bad actors appear to be taking a unique approach to targeting crypto projects with a malicious extension.

A Wild VS Code Extension Appears

Scammers are targeting Ethereum projects with a fake extension for developers. Crypto trader “Sagey” was the first to raise the alarm about the ploy on Wednesday, October 2. Sagey warned that scammers had launched a potentially malicious Solidity Microsoft VS Code extension called “Solidity for Ethereum Language.” 

Lead Yearn Finance developer “banteg” confirmed Sagey’s suspicions , asserting that the extension is rigged to download malicious code immediately after it is activated.

While it is unclear what this malicious payload is intended to do, Sagey has speculated that it could compromise projects unsuspecting developers are working on, leading to user losses.

Developers Already Tricked?

The app, purporting to be from the Ethereum Foundation, claims to have over 1.7 million downloads and a five-star rating after only being published in the past 24 hours. banteg has, however, suggested that these downloads are likely from bots as the scammers are looking to convince unsuspecting developers that it is a highly used extension.

At the time of writing, it remains unclear if any developers or DApps have been affected—banteg called on developers who may have downloaded the extension to delete and report it.

Who Is At Risk?

According to banteg, the malicious VS Code extension only appears to be currently targeting Windows users. It is not immediately clear if the developers have also launched similar extensions targeting other ecosystems and operating systems.

However, as highlighted by Sagey, it only takes a minor oversight to potentially compromise an entire project.

“you only need 1 dev without coffee for it to ruin a project and its users,” the trader wrote.

How To Stay Safe

Extension-based exploits are nothing new in the crypto space. While the recent exploit primarily targets developers, there have been incidents where users have been targeted directly. In June 2024, a Binance user revealed they had lost $1 million to a malicious Chrome extension called “Aggr.”

Extension-based exploits are emerging as a vector for exploits as they are typically not manually verified for malware. While users can verify the extension code manually, it usually requires significant expertise and time. Still, there are measures everyday users can take to minimize the chances of falling victim to these types of scams. See some tips below:

• Only download extensions from well-known publishers with large user communities.
• Review permissions to ensure extensions do not request data unrelated to their function.
• Be cautious of new and unverified extensions.
• Consider using a reputable malware scanner.

On the Flipside 

• There is no evidence to suggest that any DApps have been affected by the malicious extension.
• It is still unclear what the malware is intended to do.

Why This Matters

The malicious extension could put several DApps and millions of dollars in investor assets at risk.

Read this for more on Ethereum:

Ethereum Staking Yield to Drive ETH Price Recovery: FalconX

Find out why Uptober is not off to a great start:

Here’s Why Bitcoin’s Uptober Is Already Off the Rails