Code highlighting extension for Cursor AI used for $500k theft

created: July 15, 2025, 10:03 a.m. | updated: July 15, 2025, 12:51 p.m.

How the extension got on the computer

So, we found that the malicious extension had 54,000 downloads, while the legitimate one had 61,000. We found out that, while trying to install a Solidity code syntax highlighter, the developer searched the extension registry for solidity. The developer names look identical at first glance, but the legitimate package was uploaded by juanblanco, while the malicious one was uploaded by juanbIanco. We used our open-source package monitoring tool to find a malicious npm package called “solsafe”. Even experienced developers must not neglect security solutions, as these can help prevent an attack in case a malicious package is installed.
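
The two publisher names above differ by a single glyph: an uppercase I where the legitimate name has a lowercase l. As an added example (not code from the article), this Python check flags registry results whose publisher collides with an allowlisted publisher once lookalike glyphs are folded together. The confusable table, the allowlist and the sample search results are constructed assumptions.

```python
import unicodedata

# Small, constructed confusable table (assumption: not a complete list).
# Keys are glyphs that render like the value in common UI fonts.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"}
MULTI = (("rn", "m"), ("vv", "w"))


def skeleton(name: str) -> str:
    """Reduce a publisher name to a form where lookalike glyphs collide."""
    name = unicodedata.normalize("NFKC", name)
    # Map single glyphs before lowercasing, otherwise 'I' would become 'i'.
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()
    for seq, repl in MULTI:
        mapped = mapped.replace(seq, repl)
    return mapped


def audit_results(results, trusted_publishers):
    """Return (publisher, extension, impersonated) for lookalike publishers."""
    trusted = {skeleton(p): p for p in trusted_publishers}
    findings = []
    for publisher, extension in results:
        real = trusted.get(skeleton(publisher))
        # Same skeleton but a different literal name means a visual imitation.
        if real is not None and publisher != real:
            findings.append((publisher, extension, real))
    return findings


# Constructed search results; only the two publisher names come from the article.
SEARCH_RESULTS = [
    ("juanblanco", "solidity"),
    ("juanbIanco", "solidity"),
    ("example-publisher", "solidity-tools"),
]

if __name__ == "__main__":
    for pub, ext, real in audit_results(SEARCH_RESULTS, ["juanblanco"]):
        print(f"{pub}.{ext}: publisher imitates trusted '{real}'")
```
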

17 hours, 4 minutes ago: Hacker News