Malicious IDE Extension Retrieves Malware from Solana Blockchain

Bitdefender uncovered a malicious R-language extension for the Windsurf integrated development environment that pretends to be a legitimate plugin. The extension contacts the Solana blockchain to download encrypted payloads, then installs native modules that harvest browser data.
By leveraging the blockchain as a delivery channel, the malware evades traditional antivirus detection and gains deep system access through the compromised IDE. The operators deliberately avoided Russian IP ranges, suggesting a financially motivated, targeted campaign.
Defenders should enforce strict whitelisting of IDE extensions, monitor for unexpected connections to blockchain nodes, and deploy behavior-based detection to identify suspicious module installation and data-exfiltration activity.