BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//bsidesluxembourg-2026//talk//QXECVY
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-bsidesluxembourg-2026-QXECVY@pretalx.com
DTSTART;TZID=CET:20260506T133000
DTEND;TZID=CET:20260506T153000
DESCRIPTION:Visual Studio Code has become the de-facto IDE for millions of 
 developers\, and its extension marketplace is now a first-class target for
  supply-chain compromise. In this talk we move beyond yesterday’s JavaSc
 ript-only “theme” backdoors and show how to fuse high-level TypeScript
  with low-level Rust to create extensions that are indistinguishable from 
 legitimate Microsoft-signed add-ons—yet silently execute native x86_64 s
 hellcode inside the IDE process.\n\nWe begin with a data-driven tour of re
 cent in-the-wild incidents: we start by examining an array of malicious So
 lidity extensions that targeted blockchain developers with a special emph
 asis on the [“Solidity” extension that stole $500 k in crypto from a R
 ussian blockchain developer](https://www.kaspersky.com/about/press-release
 s/kaspersky-uncovers-500k-crypto-heist-through-malicious-packages-targetin
 g-cursor-developers). We follow that up with an analysis of the Malicious 
 Corgi malware\, and the [new self-propagating GlassWorm extension](https:/
 /www.truesec.com/hub/blog/glassworm-self-propagating-vscode-extension) - i
 ncluding the later samples seen in the wild which used more advanced techn
 iques. The rise of AI-centric forks (Cursor\, Windsurf\, etc.) has also gi
 ven rise to new extension marketplaces where malicious extensions can use
  inflated download counts to serve as perfect camouflage. Next we deep-div
 e into the malicious extension toolchain: a Rust FFI bridge that compiles 
 to a library\, exposes a single innocent-looking TypeScript API\, and pres
 erves the marketplace’s blue “verified” tick. We demonstrate live ho
 w to backdoor legit extensions - including cases where the source code is 
 available and when it is not. \n\nWe close with defensive takeaways: IoCs 
 and TTPs to look for\, defensive rules which can prevent such attacks and 
 possible detection vectors. Attendees leave with a fully annotated GitHub 
 repo that walks them through the process of developing such malware - star
 ting with a "hello-world" C++ addon and building a Rust-based shellcode lo
 ader backdoored into a popular extension.
DTSTAMP:20260412T024936Z
LOCATION:Workshops May 6th (C1.02.06)
SUMMARY:From Code to Compromise: Turning modern day IDEs into attack vector
 s via malicious Extensions - Debjeet Banerjee
URL:https://pretalx.com/bsidesluxembourg-2026/talk/QXECVY/
END:VEVENT
END:VCALENDAR
