$500,000 Crypto Stolen: Fake AI Extension Targets Blockchain Devs via Open VSX
A Russian blockchain developer has fallen victim to a targeted attack executed through a counterfeit extension within the Cursor AI environment, resulting in the theft of approximately $500,000 worth of cryptocurrency. The incident was investigated by experts at Kaspersky Lab, who uncovered an intricate infection chain based on malicious open-source packages masquerading as legitimate tools for working with the Solidity programming language.
The attack commenced with the installation of a fraudulent extension from the Open VSX repository. Disguised as a syntax highlighter for Solidity code, the extension covertly launched a PowerShell script that deployed the ScreenConnect remote administration tool onto the victim’s machine. This foothold enabled the delivery of additional payloads: Quasar, an open-source backdoor, and an infostealer designed to extract data from browsers, email clients, and cryptocurrency wallets. All implants communicated with a command-and-control server at relay.lmfao[.]su.
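The chain described above (editor extension, then a PowerShell script, then a remote-administration installer) leaves a distinctive parent/child process pattern that endpoint telemetry can catch regardless of which extension or C2 host is used. The following is an added example, not code from the article or from Kaspersky: a small process-tree detector in Python run over constructed process-creation events. The image paths, PIDs and command lines are made up for the example; the rules look for an editor process (Cursor or VS Code) spawning a script host, and for that script host's descendants launching a ScreenConnect installer. A ScreenConnect install launched by the user from Explorer is deliberately left un-flagged so the example shows the benign case too.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (fields modelled loosely on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as launched


# Constructed sample telemetry for the example, not real logs.
EVENTS = [
    ProcessEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(100, 1, r"C:\Users\dev\AppData\Local\Programs\cursor\Cursor.exe", "Cursor.exe"),
    # Malicious extension runs a hidden PowerShell from inside the editor.
    ProcessEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -ep bypass -enc <base64 placeholder>"),
    # That script drops and launches a remote-administration client installer.
    ProcessEvent(300, 200, r"C:\Users\dev\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
                 "ScreenConnect.ClientSetup.exe /silent"),
    # Benign: an admin running PowerShell interactively from Explorer.
    ProcessEvent(400, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    # Benign: IT installing the same remote-admin tool by hand from Explorer.
    ProcessEvent(500, 1, r"C:\Downloads\ScreenConnect.ClientSetup.exe",
                 "ScreenConnect.ClientSetup.exe"),
]

# Image names used by the rules (assumed set for the example; extend for your fleet).
EDITOR_IMAGES = {"cursor.exe", "code.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
RMM_HINTS = ("screenconnect",)   # the remote-administration tool named in the article


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Walk parent links upward; returns [process, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)            # guard against PID reuse creating a cycle
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_suspicious_chains(events: list) -> list:
    """Return (rule, pid, chain) tuples for events matching either rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        chain = ancestry(by_pid, ev.pid)
        names = [basename(e.image) for e in chain]
        rendered = " <- ".join(names)

        # Rule 1: a code editor directly spawning a script host.
        if names[0] in SCRIPT_HOSTS and len(names) > 1 and names[1] in EDITOR_IMAGES:
            alerts.append(("editor_spawns_script_host", ev.pid, rendered))

        # Rule 2: a remote-admin installer whose ancestry contains both a script
        # host and an editor (the stage-two install from the article's chain).
        looks_like_rmm = any(h in names[0] or h in ev.cmdline.lower() for h in RMM_HINTS)
        if looks_like_rmm and any(n in SCRIPT_HOSTS for n in names[1:]) \
                and any(n in EDITOR_IMAGES for n in names[1:]):
            alerts.append(("script_host_installs_rmm", ev.pid, rendered))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in find_suspicious_chains(EVENTS):
        print(f"[{rule}] pid={pid}: {chain}")
```

Both rules key on ancestry rather than on the extension name or the C2 domain, so they still fire when the attacker re-uploads the package under a new alias, as happened here. The trade-off is that Rule 1 will also fire on legitimate extensions that shell out to PowerShell, so in practice it is a triage signal that gets combined with the hidden-window and encoded-command flags shown in the sample command line.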
Notably, the developer’s operating system had been freshly installed only days before the breach and contained nothing but essential software. Despite the developer’s awareness of cybersecurity risks and the use of free antivirus solutions, the absence of comprehensive security software proved to be a critical vulnerability.
The malicious extension surfaced prominently in search results for “solidity” on Open VSX, ranking fourth—significantly higher than the legitimate plugin, which appeared eighth. The counterfeit package amassed 54,000 downloads, compared to 61,000 for the authentic one. However, due to a ranking algorithm that favors recency and activity, the malicious plugin achieved greater visibility. The victim, mistaking it for a vetted tool, proceeded with the installation.
Following the removal of the deceptive extension on July 2, 2025, the attackers swiftly uploaded a new impersonation—this time using an almost indistinguishable developer alias, substituting the Latin letter “l” in “juanblanco” with a visually similar capital “I”. This new version rapidly accumulated over 2 million downloads, once again climbing high in search rankings before both iterations were ultimately removed.
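The re-upload relied on a publisher alias that differs from the real one by a single homoglyph (capital "I" for lowercase "l"), which a human scanning a search result will not notice. The following is an added example, not code from the article or from Open VSX: a Python check that reduces publisher names to a "skeleton" by folding Unicode compatibility forms, stripping accents and mapping common lookalike characters, then compares that skeleton against a list of vetted publishers. The trusted list and the extension IDs fed to it are constructed for the example; the confusable table is a small hand-picked subset, not a full Unicode confusables list, and it goes slightly beyond the page by also catching digit and Cyrillic lookalikes.

```python
import unicodedata

# Constructed allow-list for the example: publishers the team has vetted.
# "juanblanco" is the legitimate Solidity-extension publisher named in the article.
TRUSTED_PUBLISHERS = {"juanblanco"}

# Single-character lookalikes, applied before lower-casing so that "I" maps to
# "l" (the exact swap used in the re-uploaded package) rather than to "i".
SINGLE_CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",
    "0": "o", "O": "o",
    "5": "s", "$": "s", "3": "e", "4": "a", "@": "a", "8": "b",
    # Cyrillic letters that render identically to Latin ones.
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
# Multi-character lookalikes, applied after lower-casing.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def skeleton(name: str) -> str:
    """Canonical form of a name under which visually similar names collide."""
    decomposed = unicodedata.normalize("NFKD", name)        # full-width, ligatures, accents
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    mapped = "".join(SINGLE_CONFUSABLES.get(c, c) for c in stripped).lower()
    for src, dst in MULTI_CONFUSABLES.items():
        mapped = mapped.replace(src, dst)
    return mapped


def classify_publisher(publisher: str) -> tuple:
    """Return ("trusted", name), ("lookalike", impersonated_name) or ("unknown", None)."""
    if publisher in TRUSTED_PUBLISHERS:
        return "trusted", publisher
    sk = skeleton(publisher)
    for trusted in TRUSTED_PUBLISHERS:
        if skeleton(trusted) == sk:
            return "lookalike", trusted
    return "unknown", None


def check_extension_id(ext_id: str) -> tuple:
    """Classify the publisher part of a '<publisher>.<name>' extension ID."""
    publisher, _, name = ext_id.partition(".")
    verdict, match = classify_publisher(publisher)
    return verdict, match, name


if __name__ == "__main__":
    # Constructed IDs for the demo; only the first is the real publisher alias.
    for ext in ["juanblanco.solidity", "juanbIanco.solidity",
                "juanb1anco.solidity", "ju\u0430nblanco.solidity", "someone.else"]:
        print(ext, "->", check_extension_id(ext))
```

The useful property is that the real publisher's own skeleton is unchanged, so the check never rejects the genuine extension; anything else that collapses to the same skeleton is reported as a lookalike of that specific trusted name, which is what a reviewer needs when deciding whether to block an install.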
According to Kaspersky Lab, the same threat actor had previously distributed similar malicious packages. In April and May, three analogous extensions for Visual Studio Code and the NPM package “solsafe” were discovered employing the same infection technique: PowerShell scripts and obfuscated VBS payloads.
Experts emphasize that even seasoned developers and technically proficient users can fall prey to such attacks—particularly those working in the cryptocurrency space. While modern security solutions are capable of effectively intercepting this type of malware, relying solely on free scanning tools is insufficient for robust protection.