The latest Security Affairs malicious software newsletter highlights a concerning evolution in software supply chain attacks: threat actors are hijacking popular npm packages to deploy credential and cryptocurrency stealers. What makes this campaign distinct is the use of "VSCode Autorun" mechanisms and "Blockchain Dead Drops" for command and control (C2).
For defenders, this represents a critical shift. The compromise vector is no longer just malicious code execution; it is the abuse of trusted developer tools (Visual Studio Code) and the obfuscation of infrastructure using public blockchain ledgers. If your organization develops software or allows developer workstations with internet access, you are the target.
Technical Analysis
The Attack Vector
The attack begins with the compromise of a legitimate npm package or the creation of a typo-squatting package. Once a developer installs the package, the malicious payload executes via npm install scripts.
1. VSCode Autorun:
The malware abuses the Visual Studio Code workspace settings or tasks. By placing a malicious .vscode/tasks. or leveraging extension mechanisms, the attackers ensure that VSCode automatically executes arbitrary commands (such as PowerShell or Bash scripts) when the developer opens the project folder. This turns a standard IDE action into a code execution trigger.
2. Blockchain Dead Drops: Rather than connecting to a traditional hardcoded C2 server (which is easily blocklisted), the malware reads transaction data or smart contract states from public blockchains (e.g., Ethereum, Binance Smart Chain). The attacker encodes the next-stage payload URL or configuration data into a blockchain transaction. The infected machine queries a public RPC node (e.g., Infura/Alchemy), retrieves the data from the immutable ledger, and executes it. This makes sinkholing the C2 infrastructure nearly impossible.
3. Payload: The final objective is the deployment of a credential stealer, targeting browser cookies, saved passwords, and cryptocurrency wallet files.
Affected Platforms
- Development Environments: Windows, macOS, and Linux workstations where Node.js, npm, and VSCode are installed.
- CI/CD Pipelines: If the compromised package is pulled into build agents, the attack can spread to build artifacts, though the VSCode autorun specifically targets interactive developer sessions.
Detection & Response
Defending against this requires monitoring for anomalous process relationships spawned by development tools and unusual network traffic to blockchain infrastructure.
Sigma Rules
---
title: Potential VSCode Autorun via npm Child Process
id: 3a1f0c92-8d4e-4a2b-9c5f-6e7d8a9b0c1d
status: experimental
description: Detects Visual Studio Code (code.exe) being spawned by Node.js or npm processes, indicative of a postinstall autorun technique.
references:
- https://securityaffairs.com/194785/uncategorized/security-affairs-malware-newsletter-round-104.html
author: Security Arsenal
date: 2026/04/07
tags:
- attack.execution
- attack.t1059.001
- attack.initial_access
- attack.t1195.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains:
- 'node.exe'
- 'npm.cmd'
Image|endswith:
- '\code.exe'
- '\Code.exe'
condition: selection
falsepositives:
- Legitimate developers manually opening VSCode from a terminal (rare in automated scripts)
level: high
---
title: Blockchain Dead Drop via Node.js Process
id: 9b2e1d83-9f5a-4b6c-8d0e-1f2a3b4c5d6e
status: experimental
description: Detects Node.js processes establishing network connections to known public blockchain RPC ports (e.g., 8545) or endpoints, suggesting payload retrieval via blockchain dead drops.
references:
- https://securityaffairs.com/194785/uncategorized/security-affairs-malware-newsletter-round-104.html
author: Security Arsenal
date: 2026/04/07
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith:
- 'node.exe'
DestinationPort:
- 8545 # Ethereum JSON-RPC
- 30303 # P2P Discovery
- 50505 # Solana RPC
Initiated: true
condition: selection
falsepositives:
- Developers running Web3 / DApp local nodes
level: medium
---
title: Credential Stealer File Access via Node.js
id: 1c4d5f6a-7e8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects Node.js processes accessing browser credential stores (Login Data or Local Storage), a common behavior of crypto stealers.
references:
- https://securityaffairs.com/194785/uncategorized/security-affairs-malware-newsletter-round-104.html
author: Security Arsenal
date: 2026/04/07
tags:
- attack.credential_access
- attack.t1055
logsource:
category: file_access
product: windows
detection:
selection:
Image|endswith:
- 'node.exe'
TargetFilename|contains:
- '\Google\Chrome\User Data\Default\Login Data'
- '\Google\Chrome\User Data\Default\Local Storage\leveldb'
- '\BraveSoftware\Brave-Browser\User Data\Default\Login Data'
condition: selection
falsepositives:
- Rare; automated backup tools might access these, but usually not node.exe
level: critical
KQL (Microsoft Sentinel)
// Hunt for Node.js processes spawning VSCode (Autorun)
DeviceProcessEvents
| where InitiatingProcessFileName in ("node.exe", "npm.cmd")
| where FileName =~ "code.exe"
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc
// Hunt for Node.js connecting to Blockchain RPC endpoints (Dead Drops)
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "node.exe"
| where RemotePort in (8545, 30303, 50505, 1317) // Common RPC/P2P ports
| where ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
Velociraptor VQL
-- Hunt for suspicious VSCode tasks. modifications or existence
SELECT FullPath, Mtime, Size, Data
FROM glob(globs="*/.vscode/tasks.")
-- Within a development environment, parse JSON to look for 'command' fields containing cmd.exe or powershell
WHERE Data =~ "cmd.exe" OR Data =~ "powershell" OR Data =~ "curl"
-- Hunt for recent npm install activity
SELECT Name, CommandLine, StartTime, Exe
FROM pslist()
WHERE Name =~ "node" AND CommandLine =~ "npm install"
Remediation Script (PowerShell)
# Audit npm packages for suspicious postinstall scripts
# This script scans common user directories for package. files and checks for 'postinstall' scripts.
$ErrorActionPreference = "SilentlyContinue"
$Users = Get-ChildItem -Path "C:\Users" -Directory
$suspiciousStrings = @("code.exe", "powershell", "cmd /c", "curl", "wget")
Write-Host "[+] Starting npm package audit for postinstall scripts..." -ForegroundColor Cyan
foreach ($user in $Users) {
$path = Join-Path -Path $user.FullName -ChildPath "*\node_modules\package."
$packages = Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue
foreach ($pkg in $packages) {
try {
$content = Get-Content $pkg.FullName -Raw | ConvertFrom-Json
if ($content.scripts) {
$scripts = $content.scripts | ConvertTo-Json -Compress
foreach ($str in $suspiciousStrings) {
if ($scripts -like "*$str*") {
Write-Host "[!] Suspicious script found in: $($pkg.FullName)" -ForegroundColor Red
Write-Host " Content: $scripts" -ForegroundColor Yellow
}
}
}
} catch {
# Ignore malformed JSON
}
}
}
Write-Host "[+] Audit complete." -ForegroundColor Green
# Network Hardening: Block common Blockchain RPC ports on Windows Firewall
# (Use with caution, verify no Web3 development is required)
Write-Host "[*] Checking Firewall rules for RPC ports..." -ForegroundColor Cyan
$rpcPorts = @(8545, 30303, 50505)
foreach ($port in $rpcPorts) {
$rule = Get-NetFirewallRule -DisplayName "Block Blockchain RPC Port $port" -ErrorAction SilentlyContinue
if (-not $rule) {
Write-Host " Creating rule to block port $port..." -ForegroundColor Yellow
New-NetFirewallRule -DisplayName "Block Blockchain RPC Port $port" -Direction Outbound -LocalPort $port -Protocol TCP -Action Block | Out-Null
} else {
Write-Host " Rule for port $port already exists." -ForegroundColor Green
}
}
# Remediation
**Immediate Actions:**
1. **Audit Dependencies:** Run the PowerShell script above across all developer workstations to identify packages containing suspicious `postinstall` scripts.
2. ** quarantine Compromised Systems:** If a system shows signs of infection (VSCode autorun or blockchain RPC traffic), isolate the host immediately. Credential theft likely occurred.
3. **Credential Reset:** Assume all browser-saved credentials and crypto keys on infected workstations are compromised. Force password resets and revoke API keys stored in those environments.
**Long-term Hardening:**
* **Package Locking:** Enforce the use of `package-lock.` and `npm ci` (clean install) in production environments to prevent tampering.
* **Network Segmentation:** Restrict developer workstation access to the public internet. Consider proxying all traffic and blocking access to public blockchain RPC nodes (e.g., `*.infura.io`, `*.alchemy.com`) unless specifically required for business purposes.
* **IDE Policies:** Deploy Group Policy Objects or configuration management to restrict VSCode from automatically running tasks on workspace load if not business-critical.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.