A Russian blockchain developer lost half a million dollars in cryptocurrency after installing a malicious extension for his code editor. The attack shows how criminals are exploiting open-source repositories to deceive developers.
The developer installed a seemingly legitimate Solidity extension from the Open VSX registry for his Cursor AI editor. With 54,000 downloads and a higher position in search results than the genuine extension, it looked trustworthy. In reality, the malicious extension provided no syntax highlighting at all.
Instead, it silently downloaded a PowerShell script from angelic[.]su, which in turn installed the ScreenConnect remote access tool. That backdoor gave the attackers full control over the developer's system.
The developer had originally been looking for nothing more than a syntax highlighter for Solidity code. Besides ScreenConnect, the malware also installed several VBScripts that download information stealers from paste.ee. These stealers collected data from browsers, email clients, and cryptocurrency wallets, which the attackers ultimately used to obtain passwords and steal the cryptocurrency.
Extensive campaign against developers
The incident is part of a broader campaign. Researchers discovered similar attacks via other malicious extensions such as “solaibot,” “among-eth,” and “blankebesxstnion.” A malicious npm package called “solsafe” was also found that uses the same tactic.
The criminals are constantly adapting their approach. After the first fake extension was removed, they immediately published a new version with the same name as the legitimate package. By using a similar username (juanbIanco versus juanblanco) and inflating download figures to two million, they attempted to mislead developers once again.
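The "juanbIanco" versus "juanblanco" trick works because a capital I and a lowercase l are indistinguishable in most editor fonts. A defender can catch that before install by comparing the publisher name of a candidate extension against an allow-list of publishers they already trust, folding visually confusable glyphs together first. The script below is an added example, not code from the article or from Open VSX; the trusted-publisher list, the sample candidate names other than the two from the article, and the confusable-character table are constructed for illustration.

```python
"""Lookalike-publisher check for editor-extension installs.

Added example, not from the original article or any registry's tooling.
The trusted-publisher list and the sample candidate names are constructed;
"juanblanco" is the legitimate publisher the article names and
"juanbIanco" (capital I for lowercase l) is the lookalike it describes.
"""
from __future__ import annotations

import unicodedata

# Single characters that render nearly identically in common editor fonts.
# Every member of a group is folded onto the group's first (lowercase) member.
_CONFUSABLES: dict[str, str] = {}
for _group in ("l1I|", "oO0", "sS5", "zZ2"):
    for _ch in _group:
        _CONFUSABLES[_ch] = _group[0]
# A few Cyrillic letters that look identical to their Latin counterparts.
_CONFUSABLES.update({
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0441": "c", "\u0440": "p", "\u0445": "x", "\u0443": "y",
})


def skeleton(name: str) -> str:
    """Reduce a publisher name to its visual 'skeleton' for comparison."""
    # NFKD splits accented letters into base + combining mark ...
    decomposed = unicodedata.normalize("NFKD", name)
    # ... so a stray accent added to dodge an exact match can be dropped here.
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(_CONFUSABLES.get(c, c.lower()) for c in stripped)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; publisher names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_publisher(candidate: str, trusted: list[str]) -> tuple[str, str | None]:
    """Classify a publisher name against an allow-list of trusted publishers.

    Returns (verdict, matched_trusted_name):
      "trusted"   exact match with a trusted publisher
      "lookalike" same skeleton as, or one edit away from, a trusted publisher
      "unknown"   no resemblance; an unvetted publisher, review before installing
    """
    if candidate in trusted:
        return "trusted", candidate
    cand_skel = skeleton(candidate)
    for name in trusted:
        trusted_skel = skeleton(name)
        if cand_skel == trusted_skel or edit_distance(cand_skel, trusted_skel) <= 1:
            return "lookalike", name
    return "unknown", None


if __name__ == "__main__":
    TRUSTED = ["juanblanco", "ms-python"]  # constructed allow-list for the demo
    samples = [
        "juanblanco",         # the genuine publisher
        "juanbIanco",         # capital I instead of lowercase l, as in the article
        "juanblanc\u043e",    # constructed: Cyrillic o in place of Latin o
        "ms-pyth0n",          # constructed: digit zero for letter o
        "someone-else",       # constructed: no resemblance to anything trusted
    ]
    for sample in samples:
        print(f"{sample!r:20} -> {check_publisher(sample, TRUSTED)}")
```

The point of keeping an explicit allow-list is that it cannot be gamed by the signals the article says were manipulated, namely download counts and search ranking: a "lookalike" verdict on a name that is one glyph away from a publisher you trust deserves a manual look at the publisher page regardless of how popular the listing appears. The one-edit threshold will occasionally flag a legitimately similar short name, which is the intended trade-off for a pre-install check.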
The ranking algorithm of Open VSX plays into the hands of criminals. New packages get a boost in search results, allowing malicious software to rank above legitimate alternatives. These attackers systematically exploit this mechanism.
The attacks specifically target blockchain developers, presumably because they have access to valuable cryptocurrency. Experts advise developers to be extra cautious when installing packages from open-source repositories.