Malicious VSIX packaging and marketplace deployment
Typosquatting and deceptive branding of extensions
Artificial download inflation to create social proof
Social engineering via X (Twitter) mimicking influential developers
Multi-stage obfuscated payload delivery
Deployment of info-stealers (e.g., LummaStealer)
C2 and payload hosting via Cloudflare Pages
Targeting of browser-stored secrets, NPM/GitHub tokens, and crypto wallets