Kaspersky has uncovered a cyberattack that stole about $500,000 worth of cryptocurrency by targeting blockchain developers through fake open-source packages in the Cursor development environment. The attack came to light after a Russian blockchain developer sought help from the cybersecurity company, reporting that the funds had been stolen following the installation of a fake extension.

According to Kaspersky’s findings, the malicious packages, disguised as tools for the Solidity programming language, were hosted on the Open VSX repository and appeared to support Cursor, a development platform based on Visual Studio Code and used for AI-assisted coding.

“Spotting compromised open-source packages with the naked eye is becoming increasingly difficult,” said Georgy Kucherin, a security researcher at Kaspersky’s Global Research and Analysis Team. “Threat actors are using increasingly creative tactics to deceive potential victims, even developers who have a strong understanding of cybersecurity risks, particularly those working in the blockchain development field.”

Kaspersky said the attacker tricked the developer by making the malicious extension appear more popular than the legitimate one. The attacker boosted the fake package’s download count to more than 54,000, outranking the legitimate extension in search results for “Solidity.”

Once installed, the extension did not provide any coding functionality. Instead, it downloaded and ran malicious software, including ScreenConnect, which allowed the attacker to remotely access the victim’s device. The attacker then deployed the Quasar backdoor and a data stealer that extracted information from browsers, email clients, and crypto wallets. This enabled the theft of wallet seed phrases and, ultimately, the funds.

Kaspersky said it removed the malicious extension from the repository after discovering it, but the attacker quickly republished it and inflated its download count further to about two million, while the legitimate version had around 61,000 downloads. Kaspersky has reported the malicious extension again for removal.

The attacker also uploaded another malicious NPM package, named solsafe, which installed ScreenConnect. Earlier, three other harmful Visual Studio Code extensions, solaibot, among-eth, and blankebesxstnion, had also been detected and removed.

“As we expect adversaries to continue targeting developers, it is recommended that even experienced IT professionals deploy dedicated security solutions to safeguard sensitive data and prevent financial losses,” Kucherin added.

Kaspersky advised developers to be cautious when installing open-source extensions and to verify their legitimacy through trusted sources.
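The article notes two signals a defender can act on: the fake extension advertised Solidity support but "did not provide any coding functionality", and it immediately fetched and ran remote software. The following added example (written for this page, not code from Kaspersky or any extension publisher) turns those signals into a static pre-install audit of a VS Code/Cursor extension's `package.json` and entry script. Both extensions it inspects are constructed in-memory samples, and the publisher names, URL and file names in them are placeholders, not indicators from the incident.

```python
"""Heuristic pre-install audit for a VS Code / Cursor extension.

Added example; inputs are constructed samples, not the packages named in the
article. The checks are purely static: nothing in the extension is executed.
"""
import json
import re

# String heuristics applied to the extension's JavaScript entry point.
# A language-support extension has no business downloading binaries or
# spawning shells at activation time.
SUSPICIOUS_PATTERNS = {
    "remote download": re.compile(r"""https?://[^\s'"]+\.(?:exe|msi|ps1|bat|zip)\b""", re.I),
    "process spawn": re.compile(r"child_process|\bexec(?:Sync)?\(|\bspawn(?:Sync)?\("),
    "shell interpreter": re.compile(r"powershell|cmd\.exe|/bin/sh", re.I),
}


def audit_extension(manifest: dict, entry_script: str, claimed_language: str) -> list:
    """Return a list of human-readable findings; an empty list means no red flags."""
    findings = []
    contributes = manifest.get("contributes", {}) or {}
    wanted = claimed_language.lower()

    # 1. An extension marketed as language support should contribute a language
    #    id and/or a grammar for it. The article's fake extension contributed nothing.
    declares_language = any(
        str(lang.get("id", "")).lower() == wanted for lang in contributes.get("languages", [])
    )
    has_grammar = any(
        str(g.get("language", "")).lower() == wanted for g in contributes.get("grammars", [])
    )
    if not (declares_language or has_grammar):
        findings.append(f"claims {claimed_language} support but contributes no language or grammar")

    # 2. Activating on every startup ('*') instead of on the file type is unusual
    #    for language tooling and is what a payload that wants to run unconditionally needs.
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates on startup ('*') rather than on file type")

    # 3. Look for download-and-execute plumbing in the entry script.
    for label, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(entry_script):
            findings.append(f"entry script contains {label}")
    return findings


# Constructed sample 1: the shape of a genuine language-support extension.
LEGIT_MANIFEST = json.loads("""{
  "name": "solidity-sample",
  "publisher": "example-publisher",
  "activationEvents": ["onLanguage:solidity"],
  "main": "./out/extension.js",
  "contributes": {
    "languages": [{"id": "solidity", "extensions": [".sol"]}],
    "grammars": [{"language": "solidity", "scopeName": "source.solidity",
                  "path": "./syntaxes/solidity.tmLanguage.json"}]
  }
}""")
LEGIT_ENTRY = """
const vscode = require("vscode");
function activate(context) {
  context.subscriptions.push(
    vscode.languages.registerHoverProvider("solidity", { provideHover() { return null; } })
  );
}
module.exports = { activate };
"""

# Constructed sample 2: a look-alike that contributes nothing and only runs a payload.
# The URL and file name are placeholders, not indicators from the incident.
FAKE_MANIFEST = json.loads("""{
  "name": "solidity-sample-lookalike",
  "publisher": "unknown-publisher",
  "description": "Solidity language support",
  "activationEvents": ["*"],
  "main": "./extension.js",
  "contributes": {}
}""")
FAKE_ENTRY = """
const { execSync } = require("child_process");
const stagerUrl = "https://example.invalid/update/agent.exe";
function activate() {
  execSync("powershell -c <placeholder download-and-run command>");
}
module.exports = { activate };
"""

if __name__ == "__main__":
    for name, manifest, entry in (("legit", LEGIT_MANIFEST, LEGIT_ENTRY),
                                  ("lookalike", FAKE_MANIFEST, FAKE_ENTRY)):
        print(name, audit_extension(manifest, entry, "solidity") or ["no findings"])
```

The manifest check is the one most worth automating in a developer workstation baseline: an extension found in `~/.cursor/extensions` or `~/.vscode/extensions` that is named after a language yet contributes no language, grammar or snippet is worth a second look regardless of its download count, since the article shows that number can be inflated at will.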
