Threat Intel

VS Code Extension fast-draft Backdoored: RAT, Infostealer, and Document Theft

Taco Team · March 18, 2026 · 6 min read

The fast-draft extension published on Open VSX by KhangNghiem had accumulated over 26,000 downloads when researchers identified that several of its releases were malicious, deploying a four-module attack framework staged from the BlokTrooper GitHub repository. Clean and malicious releases alternated over time, a pattern that points to account compromise rather than a publisher who set out to ship malware.

Confirmed malicious versions: 0.10.89, 0.10.105, 0.10.106, 0.10.112
Confirmed clean versions: 0.10.88, 0.10.111, 0.10.129–0.10.135

Attack Chain

Stage 1 — Downloader: Each malicious extension version fetched platform-specific scripts from raw.githubusercontent.com/BlokTrooper/extension/refs/heads/main/scripts/: linux.sh, mac.sh, and windows.cmd.

Stage 2 — Four Concurrent Modules: The downloader spawned four independent Node.js processes via node -e, passing detached: true and windowsHide: true to child_process. detached: true puts each child in its own process group so it keeps running after the extension host exits; windowsHide: true suppresses the console window that would otherwise appear on Windows. Together they let all four modules run silently in the background.

Module 1: Remote Desktop RAT

A full remote access trojan communicating via Socket.IO with the C2 server at 195.201.104.53 on ports 6931, 6936, and 6939. Capabilities include mouse and keyboard control, live screenshot capture, and clipboard read/write. The module performs VM detection, checking for vmware, virtualbox, qemu, kvm, and xen before activating.

Module 2: Browser and Crypto Wallet Stealer

Targets Chrome, Edge, Brave, Opera, and LT Browser — extracting saved passwords (Login Data), payment info (Web Data), and the LevelDB storage used by browser-based wallet extensions. Twenty-five cryptocurrency wallets are specifically targeted, including MetaMask, Phantom, TronLink, Trust Wallet, Coinbase, OKX, and Solflare. On macOS, the module also steals ~/Library/Keychains/login.keychain. Data is polled for changes every ~100 seconds.

Module 3: Document Thief

Recursively scans the home directory and all drives for files matching: .docx, .xlsx, .pdf, .md, .txt, .js, .ts, .json, .env*, .pem, .secret. Notably excluded from the scan are the .windsurf, .pearai, .claude, and .cursor paths, which suggests the attacker was aware that touching AI coding tool configuration might draw attention.

Module 4: Clipboard Monitor

Polls the clipboard every 2 seconds using pbpaste on macOS, powershell Get-Clipboard on Windows, and the clipboardy npm package on Linux. Clipboard content is exfiltrated to the C2.

Indicators of Compromise

Extension:

  • Extension ID: KhangNghiem.fast-draft
  • Registry: open-vsx.org

C2 infrastructure:

  • IP: 195.201.104.53
  • Ports: 6931, 6936, 6939
  • Stage 1 payload host: raw.githubusercontent.com/BlokTrooper/extension

Exfiltration routes:

  • /upload
  • /cldbs
  • /api/service/makelog

Response

If you have any of the malicious versions installed, treat your full development environment as compromised. Rotate all credentials that were accessible from the machine: npm tokens, GitHub tokens, SSH keys, cloud provider credentials, and wallet seed phrases. Assume that anything matching the document thief's patterns (.env files, .pem keys, .secret files, JSON config) has been exfiltrated, and rotate whatever those files contained as well. Reinstall from scratch; don't attempt in-place remediation of a machine that had an active RAT running with full keyboard and screen access.

The disclosure was filed via GitHub issue on March 12, 2026 and had received no response from the publisher when this report was written, which is consistent with the legitimate account owner being unaware of the compromised releases.

Don't wait for the next incident to find out you're exposed.

Tacosec continuously monitors your dependencies, SBOMs, and infrastructure — so you know about vulnerabilities before attackers find them.