When Your IDE Phones Home via Solana: How a Fake Windsurf Extension Turned the Blockchain Into a Command-and-Control Server

via Dev.to Webdev · ohmygod

Malware authors just solved one of their biggest operational headaches — keeping command-and-control infrastructure alive — by hiding their payloads inside Solana blockchain transactions. And they delivered it through the one place developers trust implicitly: their IDE extensions. Here's a technical breakdown of a supply chain attack that should change how every Web3 developer thinks about their development environment.

The Attack Vector: Trust by Proximity

Bitdefender researchers recently uncovered a malicious Windsurf IDE extension named reditorsupporter.r-vscode-2.8.8-universal. The name is a near-perfect impersonation of REditorSupport, a legitimate R language extension with hundreds of thousands of installs. The disguise is effective because developers routinely install IDE extensions with minimal scrutiny. Unlike npm packages — where the security community has built a healthy paranoia around typosquatting — IDE extension marketplaces remain a trust-rich, verification-poor envi
