A cryptocurrency developer in Russia suffered a devastating loss of half a million dollars in digital currency after unknowingly installing a compromised extension for his code editor. This incident underscores the growing threat of malicious actors exploiting vulnerabilities within open-source repositories to target and defraud software developers.
The developer downloaded what appeared to be a genuine Solidity extension from the Open VSX marketplace for his Cursor AI editor. Boasting 54,000 downloads and a prominent position in the search results, it seemed like a reliable option. However, this counterfeit tool lacked the promised syntax highlighting functionality.
Instead, the deceptive extension discreetly downloaded a PowerShell script originating from angelic[.]su. This script then installed ScreenConnect, a remote access program, effectively creating a backdoor that granted the attackers complete control over the developer’s computer system.
The attack was initiated when the developer was seeking a tool to highlight the syntax of Solidity code. The malware also deployed several VBScripts that downloaded data-stealing programs from paste.ee. These programs harvested sensitive information from the developer’s web browsers, email programs, and cryptocurrency wallets. The attackers then used this stolen data to compromise accounts, obtain passwords, and ultimately steal cryptocurrency.
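The chain described above (editor extension, then a PowerShell script, then a remote-access installer, plus VBScripts fetched by a scripting host) leaves a recognizable process ancestry on the endpoint. The following is an added example, not code from the article or from any vendor: it walks Sysmon-style process-creation records and flags any scripting host that has an editor process among its ancestors, reporting the ancestry and whatever the host went on to launch. The event records, the editor and scripting-host image names, and the installer name are all constructed for the demonstration.

```python
"""Flag scripting hosts launched from under a code editor process.

Added example, not part of the original article. EDITORS and SCRIPT_HOSTS
are assumed image names; SAMPLE_EVENTS are constructed records shaped like
Sysmon event ID 1 (ProcessCreate) after parsing.
"""

# Assumed image names for the editors an extension would run inside of.
EDITORS = {"cursor.exe", "code.exe"}
# Scripting hosts an extension should rarely, if ever, need to spawn.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed process tree mirroring the article's chain:
# explorer -> editor -> extension host -> powershell -> remote-access installer,
# plus a VBScript host; pid 400 is a user-launched shell that must NOT be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cursor.exe"},
    {"pid": 201, "ppid": 200, "image": "cursor.exe"},              # extension host
    {"pid": 300, "ppid": 201, "image": "powershell.exe"},
    {"pid": 301, "ppid": 300, "image": "remote-access-setup.exe"},  # placeholder installer name
    {"pid": 310, "ppid": 201, "image": "wscript.exe"},
    {"pid": 400, "ppid": 100, "image": "powershell.exe"},          # launched by the user
]


def ancestry(pid, by_pid):
    """Return image names from the process itself up to the root we can see."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                       # guard against cyclic pid reuse
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def descendants(pid, children):
    """Return image names of everything launched beneath pid, for triage."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        event = stack.pop()
        out.append(event["image"].lower())
        stack.extend(children.get(event["pid"], []))
    return out


def find_editor_spawned_script_hosts(events):
    """Return one finding per scripting host that has an editor as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        if e["image"].lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e["pid"], by_pid)
        # chain[0] is the host itself; look for an editor above it.
        if any(img in EDITORS for img in chain[1:]):
            findings.append({
                "pid": e["pid"],
                "chain": chain,
                "spawned": descendants(e["pid"], children),
            })
    return findings


if __name__ == "__main__":
    for f in find_editor_spawned_script_hosts(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {' <- '.join(f['chain'])}; spawned {f['spawned']}")
```

The check deliberately ignores command lines, so a script that is obfuscated or fetched from a different host still trips it; tuning comes from allowlisting the few extensions known to legitimately shell out, not from matching URLs.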
Widespread Campaign Targeting Developers
This event is part of a larger pattern of attacks. Investigators have uncovered similar instances involving other harmful extensions with names like “solaibot,” “among-eth,” and “blankebesxstnion.” Additionally, a malicious npm package known as “solsafe” has been identified using the same methods.
The perpetrators are continually modifying their tactics. Once the initial fraudulent extension was taken down, they promptly released a new version with the exact name of the legitimate package. They attempted to deceive developers by using a username very similar to the original (juanbIanco instead of juanblanco) and by artificially inflating the number of downloads to two million.
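The publisher-name trick above (a capital I standing in for a lowercase l) is easy to miss by eye but straightforward to check mechanically. The following is an added example, not code from the article or from Open VSX: it normalizes visually confusable characters in a publisher name and classifies each installed extension against a trusted-publisher list, distinguishing an exact impersonation from a near-miss typosquat. The confusable table, the trusted list and the extension identifiers are constructed for the demonstration; the publisher.name identifier format follows the VS Code and Open VSX convention.

```python
"""Classify editor extensions whose publisher impersonates a trusted one.

Added example, not from the original article. CONFUSABLE_* tables and the
sample data are constructed; extend the trusted set from your own inventory.
"""
import unicodedata

# Single characters commonly swapped for lookalikes (capital I for l is the
# substitution the article describes).
CONFUSABLE_CHARS = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"}
# Two-character sequences that read as one letter.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def normalize_publisher(name: str) -> str:
    """Collapse lookalike characters so an impersonation compares equal."""
    decomposed = unicodedata.normalize("NFKD", name)          # fold accents / fullwidth
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    for pair, repl in CONFUSABLE_PAIRS.items():
        stripped = stripped.replace(pair, repl)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in stripped).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_extension(ext_id: str, trusted_publishers: set) -> str:
    """Return 'trusted', 'impersonation', 'lookalike' or 'unknown' for publisher.name."""
    publisher = ext_id.split(".", 1)[0]
    if publisher in trusted_publishers:
        return "trusted"
    norm = normalize_publisher(publisher)
    trusted_norm = {normalize_publisher(p) for p in trusted_publishers}
    if norm in trusted_norm:
        return "impersonation"      # identical once lookalikes are collapsed
    if any(edit_distance(norm, t) <= 2 for t in trusted_norm):
        return "lookalike"          # one or two keystrokes away from a trusted name
    return "unknown"


def audit(ext_ids, trusted_publishers):
    """Map every installed extension identifier to its classification."""
    return {e: classify_extension(e, trusted_publishers) for e in ext_ids}


# Constructed inventory: the real publisher, the homoglyph clone from the
# article, a transposition typosquat, and an unrelated package.
TRUSTED = {"juanblanco"}
INSTALLED = [
    "juanblanco.solidity",
    "juanbIanco.solidity",
    "juanblanoc.solidity",
    "dev.among-eth",
]

if __name__ == "__main__":
    for ext, verdict in audit(INSTALLED, TRUSTED).items():
        print(f"{verdict:13s} {ext}")
```

Run it against the output of `code --list-extensions` (or the Cursor equivalent) before trusting a fresh install; an "impersonation" verdict means the name only matches a trusted publisher after lookalike folding, which is exactly the juanbIanco case.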
The search ranking system of Open VSX unintentionally assists these criminals. Newly published packages receive preferential treatment in search results, allowing malicious software to appear above legitimate, secure alternatives. These attackers are systematically taking advantage of this system.
These attacks are specifically aimed at developers working with blockchain technology, presumably because they often have access to valuable cryptocurrency assets. Security professionals are advising developers to exercise extreme caution when installing packages from open-source repositories.