Malicious VSCode Extension in Cursor AI IDE Leads to $500K Cryptocurrency Theft
By Lawrence Abrams | July 14, 2025
A seemingly harmless extension for Cursor AI IDE, an AI-powered code editor based on Microsoft’s Visual Studio Code, has been linked to a significant cryptocurrency theft valued at half a million dollars. The incident highlights growing concerns over the security of software extensions available through open repositories.
Background: Cursor AI IDE and Open VSX Extensions
Cursor AI IDE leverages Microsoft’s Visual Studio Code platform and supports Open VSX, an alternative extension marketplace. This setup allows developers to install a variety of VSCode-compatible extensions, enhancing the IDE’s functionality.
However, not all extensions are trustworthy. Security researchers at Kaspersky were recently called upon to investigate a security breach reported by a Russian cryptocurrency developer who lost approximately $500,000 in digital assets.
Discovery of the Malicious Extension
Upon analyzing an image of the compromised developer’s hard drive, Kaspersky’s security researcher Georgy Kucherin identified a suspicious JavaScript file named extension.js within the .cursor/extensions directory. This file corresponded to a fraudulent extension named "Solidity Language", which was listed on the Open VSX registry.
The extension falsely claimed to offer syntax highlighting for Ethereum smart contracts. However, instead of providing legitimate functionality, the extension executed a remote PowerShell script from a server at angelic[.]su, downloading additional malicious software onto the victim’s device.
Attack Methodology
The attack chain began with the execution of the remote PowerShell script. This script checked whether the remote management tool ScreenConnect was installed. If not detected, it installed ScreenConnect, granting attackers full remote access to the infected computer.
Once inside, the attackers used ScreenConnect to run VBScript files that downloaded further malicious payloads. The final payload was a loader downloaded from archive[.]org, which deployed two key pieces of malware:
- Quasar RAT: A remote access trojan that enables attackers to control the infected machine and execute arbitrary commands.
- PureLogs Infostealer: Malware designed to steal credentials, browser authentication cookies, and cryptocurrency wallets.
Scope and Scale of the Threat
According to Kaspersky’s findings, the fraudulent "Solidity Language" extension was downloaded over 54,000 times before being removed from Open VSX on July 2. Researchers suspect that this download count was artificially boosted to make the extension appear legitimate.
The day after the removal, the attackers published a nearly identical extension titled "solidity", whose download count was inflated to nearly two million. The inflated count let the malicious extension outrank the genuine Solidity syntax highlighting extension in search results, increasing the likelihood that unsuspecting developers would install it.
Kaspersky also identified similar malicious extensions on Microsoft’s Visual Studio Code marketplace with names like "solaibot," "among-eth," and "blankebesxstnion," all designed to execute PowerShell scripts to install ScreenConnect and infostealing malware.
Kaspersky’s Warnings and Recommendations
Kaspersky strongly urges developers to exercise extreme caution when installing extensions or packages from open repositories, since such repositories are increasingly used to distribute malware.
“Malicious packages continue to pose a significant threat to the crypto industry,” noted Kaspersky.
“Many projects rely on open-source tools from package repositories, yet these repositories are often the source of malware. Always verify the authenticity of any packages before installing. If a package behaves unexpectedly, review its source code carefully.”
Developers are encouraged to:
- Confirm the legitimacy of extensions before installation.
- Avoid downloading from untrusted or unfamiliar repositories.
- Maintain updated antivirus and security solutions.
- Use hardware wallets or cold storage for large cryptocurrency holdings rather than "hot wallets."
Community Reactions
The incident sparked discussions within the developer and cryptocurrency communities, with some users questioning the security practices of storing large sums of crypto on internet-connected devices.
One commenter noted, “Who in their right mind keeps $500K in a hot wallet? Anyone familiar with crypto uses hardware wallets and never stores private keys on an internet-connected machine.”
Conclusion
This case serves as a stark reminder that attackers are increasingly targeting development tools and packages to compromise users and steal digital assets. The convergence of software supply chain vulnerabilities and the lucrative nature of cryptocurrency makes this an especially urgent issue.
Both developers and users must remain vigilant when installing extensions from open repositories, continuously scrutinizing software sources to protect themselves from similar sophisticated attacks.
For further information and guidance on protecting development environments and cryptocurrency assets from malware threats, readers can consult security advisories from Kaspersky and other cybersecurity organizations.
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com, specializing in Windows, malware removal, and computer forensics.