
Fake VS Code extension on npm uses altered ScreenConnect utility as spyware

A counterfeit 'Truffle for VS Code' extension, published on the npmjs registry, abuses the ConnectWise ScreenConnect remote desktop utility, allowing threat actors to compromise Windows systems that install the package.

The real Truffle for VS Code extension on the Microsoft Visual Studio Marketplace has been installed around 80,000 times and also has its source code available on GitHub. The official GitHub repository also contains a private npm component called 'truffle-vscode'.

Taking advantage of this private npm component, threat actors published a 'trufflevscode' (no hyphen) package on npmjs.com, the world's largest JavaScript registry, to trick cryptocurrency developers into installing spyware on their system.

Tainted ScreenConnect utility connects to a Russian host

Recently, Sonatype's automated malware detection system flagged a 'trufflevscode' (no hyphen) npm package that exhibited suspicious signs.

Tracked as sonatype-2025-000440 and analyzed by our security researcher Carlos Fernández, the component runs heavily obfuscated code as soon as it is installed.
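The two red flags described so far, a package name that collides with a legitimate one once the hyphen is dropped and code wired to run the moment the package is installed, can both be screened for before a dependency ever reaches a build. The following is an added example written for this post, not Sonatype's tooling or the malicious package's code; the manifest, the `setup.js` body and the `knownNames` list are constructed, and the obfuscation heuristics are deliberately simple thresholds rather than a product's detection logic.

```javascript
// Added example (not Sonatype's code): pre-install screening of an npm manifest.
// Check 1: does the name collide with a known internal or popular component once
//          punctuation is stripped ('truffle-vscode' vs 'trufflevscode')?
// Check 2: does the manifest register code to run at install time, and does the
//          script it points at look obfuscated?
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Normalise a package name the way a typosquatter hopes you will not:
// lower-case, drop any @scope/ prefix, remove '-', '_' and '.'.
function normalizeName(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Crude obfuscation indicators on a script body. Thresholds are assumptions
// chosen for this example, not tuned detection rules.
function obfuscationIndicators(src) {
  const indicators = [];
  if ((src.match(/\\x[0-9a-f]{2}/gi) || []).length > 20) indicators.push('hex-escapes');
  if (/\beval\s*\(|new\s+Function\s*\(/.test(src)) indicators.push('dynamic-eval');
  if (/[A-Za-z0-9+/]{200,}={0,2}/.test(src)) indicators.push('base64-blob');
  return indicators;
}

// manifest:    parsed package.json of the candidate package
// knownNames:  names of your private components and the public packages you depend on
// scriptFiles: { relativePath: fileContents } for files bundled in the tarball
function screenPackage(manifest, knownNames, scriptFiles = {}) {
  const findings = [];
  const norm = normalizeName(manifest.name);
  for (const known of knownNames) {
    if (known !== manifest.name && normalizeName(known) === norm) {
      findings.push({ check: 'name-collision', detail: `${manifest.name} collides with ${known}` });
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push({ check: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
    // If the hook runs a bundled JS file we have the contents of, inspect it too.
    const m = /node\s+(\S+\.js)/.exec(scripts[hook]);
    if (m && scriptFiles[m[1]]) {
      for (const ind of obfuscationIndicators(scriptFiles[m[1]])) {
        findings.push({ check: 'obfuscation', detail: `${m[1]}: ${ind}` });
      }
    }
  }
  return findings;
}

// Constructed sample: a manifest shaped like the counterfeit package, with a
// postinstall hook pointing at a script full of hex escapes and an eval().
const sampleManifest = {
  name: 'trufflevscode',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js' },
};
const sampleFiles = {
  'setup.js': 'var a="' + '\\x41'.repeat(25) + '";eval(a);',
};
const sampleKnownNames = ['truffle-vscode', 'truffle'];

console.log(JSON.stringify(screenPackage(sampleManifest, sampleKnownNames, sampleFiles), null, 2));
```

Run against a registry mirror or a proxy's quarantine directory, the `name-collision` finding is the one worth acting on first: the legitimate `truffle-vscode` is private, so any public package that normalises to the same string has no reason to exist.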

The counterfeit component is named carefully after the legitimate 'Truffle for VS Code' extension used by blockchain developers to "create, build, debug and deploy smart contracts on Ethereum and all EVM-compatible blockchains and layer 2 scaling solutions."

The obfuscated code in the component then drops a Windows Batch file, '212.bat', which is itself obfuscated, according to its own banner, with the open source 'Abobus Obfuscator'.

When detonated in the ANY.RUN sandbox [test run], the Batch file connects to hxxps://scare.su/files/... and ultimately downloads a Windows DLL and an MSI installer (haha.msi), the latter being an altered version of the ConnectWise ScreenConnect remote desktop utility.

The tainted ScreenConnect installer contains embedded configuration instructions to establish a connection to a Russian host (web.winserve[.]ru), which appears to host a ScreenConnect server, allowing sessions to begin for clients connecting with a valid invitation code:

The XML configuration data with the hardcoded Russian host and launch parameters are embedded in the MSI installer itself:

Near zero VirusTotal detection rate

Because the attack alters the ScreenConnect installer to connect to a hardcoded malicious address, as opposed to shipping outright malicious code, the tainted installer, haha.msi, maintains an extremely low detection rate on VirusTotal: at the time of writing it was missed by over 98% of antivirus engines.

The same is true of the initial payload, the obfuscated Batch script ('212.bat', also misleadingly named 'ScreenConnect.WindowsClient.exe' or 'ScreenConnect.ClientService.exe' in some test runs), where it all began:

When it comes to stopping malicious dependencies and open source components from entering your software builds, traditional signature-based antivirus engines and endpoint detection solutions are not sufficient on their own. The key to thwarting such attacks remains screening and blocking counterfeit dependencies at their source: upstream registries such as npm.

Open source malware blocked by Sonatype Repository Firewall

Our 2025 predictions for software supply chain security included threat actors doubling down on targeting blockchain developers and the open source community with cryptocurrency stealing and mining malware, and we are seeing this in action already. From fake Solana components captured by us last month to the recent compromise of the legitimate Rspack & Vant libraries to deploy Monero miners, it's clear that adversaries are exploring novel angles to further their nefarious agenda.

In December 2024, counterfeit Visual Studio Code extensions named after the "Zoom" video conferencing tool also appeared on the VSCode marketplace, targeting developers and cryptocurrency projects in supply chain attacks. Ransomware operators have likewise abused TeamViewer in malware attacks.

Our discovery today serves as yet another reminder of the ongoing trend and highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registries. Developers and organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies.

Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages would automatically be blocked from reaching their development builds and keep their software development life cycle (SDLC) hygienic.

If you're not already protected with Sonatype, get in touch so we can show you Repository Firewall in action.

Written by Ax Sharma

Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and ...