$500K stolen via fake AI coding extension
10 months ago
- #blockchain
- #cybersecurity
- #malware
- Malicious open-source packages are a growing threat, with frequent reports of infected packages in repositories like PyPI or npm.
- A blockchain developer lost $500,000 in crypto assets after installing a malicious Solidity Language extension for the Cursor AI IDE.
- The malicious extension, downloaded 54,000 times, was a fake: it offered no real functionality and instead downloaded and executed malicious code.
- The fake extension appeared higher in search results than the legitimate one due to the Open VSX registry's ranking algorithm, which considers factors like recency.
- The malicious extension downloaded PowerShell scripts that installed ScreenConnect, giving the attackers remote control of the victim's computer.
- Attackers used ScreenConnect to upload VBScripts that downloaded additional malware, including the Quasar backdoor and a stealer targeting crypto wallets.
- After the initial malicious extension was taken down, attackers published another fake extension with an identical name to the legitimate one, inflating download counts to two million.
- Similar malicious packages and extensions were found, indicating a broader campaign targeting blockchain developers.
- Recommendations include verifying packages before download, being suspicious of non-functional software, and using cybersecurity solutions to block known malware.
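As an added illustration of the "be suspicious of non-functional software" advice (example code written for this summary, not code from the article or from any of the products named), the audit below inspects VS Code/Cursor-style extension folders for the pattern described above: a manifest that contributes no languages, grammars or commands, and a JavaScript entry point that spawns PowerShell. The indicator list, the folder layout and both sample extensions are constructed here for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators looked for in the extension's JavaScript entry point (constructed, illustrative list).
INDICATORS = {
    "spawns_powershell": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "runs_child_process": re.compile(r"child_process|\bexec(Sync)?\s*\(|\bspawn\s*\(", re.I),
}

def audit_extension(ext_dir: Path) -> dict:
    """Return the extension id and a list of findings for one extension folder."""
    manifest = json.loads((ext_dir / "package.json").read_text())
    findings = []
    # A genuine language extension contributes languages/grammars; a decoy often contributes nothing.
    if not manifest.get("contributes"):
        findings.append("no_contributions")
    main = manifest.get("main")
    if main and (ext_dir / main).exists():
        source = (ext_dir / main).read_text(errors="ignore")
        findings += [label for label, pat in INDICATORS.items() if pat.search(source)]
    return {"id": f"{manifest.get('publisher')}.{manifest.get('name')}", "findings": findings}

def write_sample_extension(root: Path, name: str, manifest: dict, js: str = "") -> Path:
    """Write a constructed extension folder (test fixture, not a real extension)."""
    ext = root / name
    ext.mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps(manifest))
    if "main" in manifest:
        (ext / manifest["main"]).write_text(js)
    return ext

def demo() -> dict:
    """Audit two constructed folders: a benign grammar-only extension and a decoy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        benign = write_sample_extension(root, "benign", {
            "publisher": "example-publisher", "name": "solidity-grammar",
            "contributes": {"languages": [{"id": "solidity"}]},
        })
        decoy = write_sample_extension(root, "decoy", {
            "publisher": "lookalike", "name": "solidity", "main": "./extension.js",
        }, 'const cp = require("child_process");\n'
           'exports.activate = () => cp.exec("powershell -WindowStyle Hidden -File stage1.ps1");\n')
        return {"benign": audit_extension(benign), "decoy": audit_extension(decoy)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pointing `audit_extension` at each folder under the IDE's extensions directory turns this into a quick local sweep; a hit on `no_contributions` together with any PowerShell indicator is the combination worth investigating.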