This intelligence details the emergence of malicious campaigns spreading from VSCode to npm. Researchers observed an increasing amount of malicious activity in VSCode Marketplace, with threat actors using npm packages to inject malicious code into VSCode IDE. The campaign initially targeted the crypto community but later expanded to impersonate the Zoom application. Malicious extensions contained downloader functionality and were obfuscated with Javascript Obfuscator. The campaign then spread to npm with the package 'etherscancontracthandler'. The analysis highlights the importance of scrutinizing open source, third-party, and commercial code, as well as performing regular security assessments to prevent IDE compromises and protect the software supply chain.