Easy Programming Language (EPL) Supply Chain Attack — Taobao, Alipay, Baidu Cloud (2018)
Incident Details
In late November and early December 2018, a sophisticated supply chain attack targeting Chinese internet users emerged, exploiting Easy Programming Language (EPL, also known as EasyLanguage or Yi Yu Yan) — a Chinese-language programming environment widely used by domestic developers to create Windows applications. Attacks were first reported on the night of December 1, 2018, by Chinese antivirus firm Huorong Security.
The attack vector was the compromise of the EPL compiler or IDE distribution itself. Attackers embedded malicious code directly into the EPL software build environment, so that any application compiled using the trojanized version of EPL would automatically carry the malicious payload. This is a compiler-level supply chain attack analogous to the XcodeGhost attack targeting Apple’s Xcode IDE in China in 2015.
Applications built with the compromised EPL version contained two malicious capabilities: a credential-stealing module targeting login credentials for major Chinese online platforms, and a ransomware component. The credential stealer specifically harvested account usernames and passwords for Taobao, Tmall, Alipay, Baidu Cloud Disk, JD.com (Jingdong), NetEase 163 email, QQ, and AliWangWang (Alibaba’s business messaging client). The ransomware encrypted files with common extensions including .doc, .txt, and .jpg, and demanded payment via WeChat Pay — the first known instance of ransomware using WeChat Pay as the payment mechanism, making it harder to trace than Bitcoin-based demands.
The malware was signed with a valid digital certificate stolen from Tencent Technologies, enabling it to bypass Windows security warnings and antivirus checks that treat validly signed binaries as trusted. This level of sophistication — compromising a compiler, stealing a legitimate code-signing certificate from a major tech company, and deploying dual-purpose malware — indicated a well-resourced attacker.
Approximately 100,000 computers were reported infected within the first four days, and the credential theft component reportedly harvested around 20,000 sets of account credentials from the targeted platforms. The malware exclusively targeted users in China.
The incident was a significant example of a compiler/build-tool supply chain attack affecting a large developer ecosystem, demonstrating how a single compromised development tool can propagate malicious code across an unknowing developer community and their users at scale.
Technical Details
- Initial Attack Vector
- Trojanized Easy Programming Language (EPL/EasyLanguage) compiler/IDE distributed to Chinese developers; malicious code injected into the EPL software build environment propagated to applications compiled with it, targeting Chinese platform credentials and deploying ransomware
- Vendor / Product
- Easy Programming Language (EPL / EasyLanguage) — Chinese programming software
- Software Package
- Easy Programming Language (EPL) compiler/IDE
- Malware Family
- Credential-stealing trojan targeting Taobao, Alipay, Baidu Cloud, JD.com, NetEase 163, QQ, AliWangWang; ransomware component demanding WeChat Pay payment; signed with certificate stolen from Tencent Technologies
- Supply Chain Attack
- ✅ Confirmed third-party / vendor compromise
Timeline
- 2018-12-01 Breach occurred
- 2018-12-05 Publicly disclosed