Cybercriminals have successfully orchestrated a sophisticated attack targeting blockchain developers, stealing $500,000 in cryptocurrency from a Russian developer through a malicious code extension designed for AI-powered development environments.
This incident highlights the growing threat of weaponized open-source packages in the cryptocurrency ecosystem.
In June 2025, a Russian blockchain developer fell victim to an elaborate cyberattack despite taking security precautions on a freshly installed system.
The attack vector was a malicious Solidity Language extension for Cursor AI IDE, an AI-assisted development platform based on Visual Studio Code.
The fake extension, masquerading as a legitimate syntax highlighter for smart contract development, had accumulated 54,000 downloads from the Open VSX registry.
Security researchers discovered that the malicious extension contained no actual functionality for syntax highlighting or smart contract development. Instead, it executed a PowerShell script from the server angelic[.]su, which initiated a complex infection chain.
The attackers had cleverly copied the description from a legitimate extension with 61,000 downloads, making their fake version appear credible to unsuspecting developers.
The malicious extension ranked fourth in search results for “solidity,” while the legitimate version appeared eighth.
This positioning advantage occurred due to the registry’s ranking algorithm, which considers multiple factors including recency of updates, downloads, and ratings.
The fake extension’s June 15, 2025 update date gave it a relevance boost over the legitimate version’s May 30, 2025 update.
Once installed, the malicious extension triggered a sophisticated attack chain. The initial PowerShell script checked for ScreenConnect remote management software and, if absent, downloaded and installed it from lmfao[.]su.
This established persistent remote access to the victim’s machine through the command-and-control server relay.lmfao[.]su.
The attackers then deployed three VBScripts (a.vbs, b.vbs, and m.vbs) that downloaded obfuscated PowerShell scripts from paste.ee.
These scripts retrieved images from archive.org containing the VMDetector loader, previously observed in Latin American phishing campaigns.
The final payloads included the Quasar open-source backdoor and a specialized stealer targeting browsers, email clients, and cryptocurrency wallets.
The threat actors didn’t limit their activities to a single malicious package. After the original extension was removed on July 2, 2025, they published a new version named “solidity” with an inflated download count of two million.
They also deployed similar attacks through Visual Studio Code extensions (solaibot, among-eth, blankebesxstnion) and an npm package called “solsafe.”
This campaign demonstrates how attackers exploit the trust developers place in open-source repositories.
Typosquatting techniques such as replacing the lowercase letter “l” with an uppercase “I” in developer names (juanblanco vs juanbIanco) compound the deception, since in the fonts used by many development environments the two glyphs are nearly indistinguishable.
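As an added defensive example (not code from the article or from any party it describes), the following Python audit flags the two red flags the campaign relied on: a publisher name that collides with a trusted one once confusable glyphs are folded (juanblanco vs juanbIanco), and an extension manifest that advertises syntax highlighting yet contributes no grammar while shipping executable code. The confusable map, the trusted-publisher list and both manifests are constructed for this example.

```python
import unicodedata
from typing import Dict, List, Optional

# Glyph pairs that render near-identically in common UI/monospace fonts.
# Constructed for this example; a real audit would use a fuller confusables table.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"}

# Constructed trusted-publisher list (the legitimate Solidity extension author).
TRUSTED_PUBLISHERS = ["juanblanco"]


def canonical(name: str) -> str:
    """Fold a name so that look-alike glyphs collide (NFKC, confusable map, lowercase)."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()


def lookalike_publisher(candidate: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted publisher a candidate impersonates, or None if it is clean."""
    if candidate in trusted:
        return None
    target = canonical(candidate)
    return next((t for t in trusted if canonical(t) == target), None)


def audit_manifest(manifest: Dict, trusted: List[str]) -> List[str]:
    """Inspect a VS Code/Cursor extension package.json and return human-readable findings."""
    findings = []
    impersonated = lookalike_publisher(manifest.get("publisher", ""), trusted)
    if impersonated:
        findings.append(f"publisher '{manifest['publisher']}' is a look-alike of '{impersonated}'")
    contributes = manifest.get("contributes", {})
    advertised = (manifest.get("description", "") + " " + " ".join(manifest.get("keywords", []))).lower()
    if "highlight" in advertised and not (contributes.get("grammars") or contributes.get("languages")):
        findings.append("advertises syntax highlighting but contributes no grammars or languages")
    if manifest.get("main") and not contributes:
        findings.append("ships executable code ('main') while contributing nothing declarative")
    return findings


# Constructed manifests: a look-alike that only runs code, and a genuine highlighter.
FAKE_MANIFEST = {"name": "solidity", "publisher": "juanbIanco",
                 "description": "Solidity language support with syntax highlighting",
                 "main": "./extension.js"}
REAL_MANIFEST = {"name": "solidity", "publisher": "juanblanco",
                 "description": "Solidity language support with syntax highlighting",
                 "main": "./extension.js",
                 "contributes": {"grammars": [{"language": "solidity", "scopeName": "source.solidity"}]}}

if __name__ == "__main__":
    for label, m in (("fake", FAKE_MANIFEST), ("real", REAL_MANIFEST)):
        print(label, audit_manifest(m, TRUSTED_PUBLISHERS))
```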