Cursor AI Security Alert: $500k Crypto Theft via Fake Extensions

• 5/9/2025
• 7-minute read

The AI-powered development revolution has a dark side that’s just cost one unlucky developer roughly $500,000. In June 2025, a sophisticated supply chain attack targeting Cursor AI users demonstrated how the very tools meant to boost our productivity can become vectors for catastrophic financial loss. Here’s what every developer using AI IDEs needs to know to stay safe.

Note: A “supply chain attack” is when attackers compromise software or tools that developers trust, inserting malicious code or components before they reach the end user.

Key Findings

• Massive financial impact: A single developer lost approximately $500,000 in cryptocurrency to attackers exploiting fake extensions Source: Kaspersky • Open VSX vulnerability: The marketplace used by Cursor AI lacks the rigorous security screening of Microsoft’s official VS Code marketplace • Search algorithm manipulation: Malicious extensions outranked legitimate ones through clever exploitation of ranking factors • Sophisticated attack chain: Multi-stage infection involving PowerShell scripts, remote access tools, and data exfiltration • Ongoing threat: Similar attacks continue targeting blockchain developers across multiple platforms

The $500,000 Heist: How It Happened

In June 2025, a Russian blockchain developer contacted Kaspersky’s security team with a devastating story. Despite running a freshly installed system with only essential applications, he’d lost around $500,000 in cryptocurrency assets. The culprit? A seemingly innocent Solidity syntax highlighting extension for Cursor AI.

The developer had searched Open VSX—the extension marketplace that Cursor AI users must rely on—for “solidity” to find a code highlighting tool. What he got instead was a sophisticated piece of malware disguised as a legitimate development tool.

The Fake Extension That Fooled Thousands

The malicious “Solidity Language” extension appeared fourth in search results, despite having fewer downloads (54,000) than the legitimate extension (61,000) that ranked eighth. This wasn’t an accident—it was a carefully orchestrated manipulation of Open VSX’s ranking algorithm.

The fake extension promised:

• Advanced syntax highlighting for Solidity code
• Smart contract optimisation features
• Enhanced development workflows

In reality, it delivered none of these features. Instead, it immediately began downloading and executing malicious PowerShell scripts from remote servers.

Why Cursor AI Users Are at Risk

The root of this vulnerability lies in the fundamental difference between AI-powered IDEs like Cursor and traditional development environments. While VS Code users benefit from Microsoft’s official marketplace with comprehensive security scanning, Cursor AI users must rely on the open-source Open VSX marketplace.

The Open VSX Security Gap

Open VSX lacks several critical security features that protect VS Code users:

Missing Security Controls:

• No automated malware scanning of submitted extensions
• Limited behavioral analysis during publication review
• Minimal monitoring for suspicious extension activity
• Insufficient vetting of publisher identities

What Microsoft’s Marketplace Provides:

• Sandboxed execution environment for testing extensions
• Automated scanning for malicious code patterns
• Anomaly detection for unusual extension behavior
• Comprehensive publisher verification process

This security gap isn’t a secret—it’s a known limitation that AI IDE users have accepted as the price of innovation. Unfortunately, cybercriminals have noticed this opportunity as well.

The Attack Chain: From Extension to Catastrophe

The malicious extension initiated a sophisticated, multi-stage attack that would make even experienced cybersecurity professionals wince:

Stage 1: Initial Infection

The extension’s extension.js file contained obfuscated code that contacted angelic[.]su/files/1.txt to download a PowerShell script. This script then:

• Disabled Windows Defender automatic submissions
• Added exclusion paths to prevent detection
• Established persistence via registry modifications

Stage 2: Remote Access Installation

The PowerShell script downloaded and installed ScreenConnect, a legitimate remote access application, configured to communicate with the attackers’ command and control server at relay.lmfao[.]su.

Stage 3: Data Exfiltration

Through ScreenConnect, the attackers deployed additional tools including:

• Browser credential stealers targeting cryptocurrency wallets
• Keyloggers to capture wallet passphrases
• File system scrapers looking for private keys and seed phrases

Stage 4: Financial Theft

With access to the victim’s cryptocurrency wallet credentials, the attackers systematically drained available funds—totaling approximately $500,000.

The Ranking Algorithm Exploit

One of the most concerning aspects of this attack was how the malicious extension achieved higher search rankings than the legitimate alternative. Open VSX’s ranking algorithm considers multiple factors:

• Download count
• User ratings
• Publication recency
• Publisher verification status

The attackers exploited the “recency” factor by updating their fake extension on June 15, 2025, while the legitimate extension hadn’t been updated since May 30, 2025. This gave their malicious package a ranking boost that placed it above the genuine tool.

Even more troubling, after the original fake extension was removed on July 2, 2025, the attackers published a new malicious package with the exact name “solidity”—but uploaded by “juanbIanco” instead of the legitimate publisher “juanblanco”. The lowercase ’l’ and uppercase ‘I’ are visually identical in many fonts, making the deception nearly perfect.

The Broader Threat Landscape

This incident isn’t isolated. Security researchers at Datadog discovered three additional malicious VS Code extensions (solaibot, among-eth, and blankebesxstnion) using similar attack patterns, all attributed to the same threat actor group designated MUT-9332.

These attacks share common characteristics:

• Targeting blockchain and cryptocurrency developers specifically
• Using legitimate-sounding domain names related to Solidity development
• Employing multiple obfuscation layers to evade detection
• Establishing persistence through browser extension injection

The targeting of blockchain developers isn’t coincidental—these professionals typically maintain high-value cryptocurrency wallets as part of their work, making them lucrative targets for financially motivated attackers.

Essential Security Measures for AI IDE Users

Immediate Actions

Extension Verification Protocol:

1. Always check the publisher’s identity and history
2. Verify download counts match the extension’s apparent popularity
3. Read reviews carefully, looking for complaints about missing functionality
4. Cross-reference with official project documentation when available

System Hardening:

• Enable comprehensive endpoint detection and response (EDR) solutions (EDR: security software that continuously monitors and responds to threats on endpoints like laptops and desktops)

Development Environment Security

Cursor AI Specific Precautions:

• Regularly audit installed extensions through Cursor Settings > Extensions
• Enable Cursor’s built-in security features where available
• Monitor network traffic for unusual outbound connections
• Implement least-privilege principles for development environments

Organisational Policies:

• Establish approval processes for installing development tools
• Maintain inventories of approved extensions and tools
• Implement network monitoring for suspicious PowerShell activity
• Provide security awareness training focused on supply chain threats

The Future of AI IDE Security

This incident highlights a critical gap in the AI development tool ecosystem. As AI-powered IDEs like Cursor, Windsurf, and others gain popularity, the security model must evolve to match the threat landscape.

Industry Response Required

Extension Marketplace Security:

• Implementation of automated malware scanning for Open VSX
• Enhanced publisher verification and identity validation
• Community-driven security reporting and response mechanisms
• Integration with threat intelligence feeds for rapid response

Tool Vendor Responsibilities:

• Development of AI IDE-specific security guidelines
• Integration of security scanning within the IDE environment
• Enhanced user education about extension security risks
• Collaboration with cybersecurity vendors for threat detection

Protecting Your Development Environment

The cryptocurrency industry’s rapid evolution has created new opportunities for both innovation and exploitation. As AI development tools become integral to blockchain development workflows, security must be treated as a fundamental requirement, not an afterthought.

Risk Assessment Framework

When evaluating any development tool or extension:

1. Source verification: Can you verify the publisher’s identity and reputation?
2. Functionality validation: Does the tool actually provide its advertised features?
3. Network behavior analysis: What external connections does the tool make?
4. Permission requirements: What system access does the tool request?
5. Community validation: Are there independent reviews and security assessments?

Detection and Response

If you suspect you’ve installed a malicious extension:

1. Immediate isolation: Disconnect the affected system from networks
2. Extension removal: Uninstall the suspicious extension immediately
3. System scanning: Run comprehensive malware scans with updated signatures
4. Credential rotation: Change all passwords and regenerate API keys
5. Wallet security: Move cryptocurrency assets to new, clean wallets

Conclusion

The Cursor AI security incident serves as a stark reminder that the tools meant to accelerate our development workflows can become vectors for sophisticated attacks. The loss of $500,000 to a single fake extension demonstrates the very real financial consequences of inadequate security practices in AI development environments.

Disclaimer: This article is for informational purposes only and does not constitute financial, legal, or cybersecurity advice. Cryptocurrency and software supply chain risks are rapidly evolving—always conduct your own research and consult a professional before making decisions that could impact your assets or organisation.

As we embrace AI-powered development tools, we must also embrace a security-first mindset. The convenience of one-click extension installation must be balanced against the potentially catastrophic consequences of supply chain attacks.

The cybersecurity industry has a responsibility to develop robust security frameworks for AI development tools, but individual developers and organisations cannot wait for perfect solutions. Implementing basic security hygiene—verification, monitoring, and isolation—can mean the difference between productive development and financial catastrophe.

The future of AI-powered development is bright, but only if we ensure it’s also secure. Don’t let the next $500,000 loss be yours.

Stay sharp, stay sceptical, and remember: in the world of AI, even your code editor can be a double agent.

External Resources

• Kaspersky: How installing a fake extension led to cryptocurrency theft
• Securelist: Technical analysis of the attack
• Datadog Security Labs: MUT-9332 threat actor analysis
• Microsoft: VS Code Extension Security Documentation
• Open VSX Registry