Cursor AI Security Alert: $500k Crypto Theft via Fake Extensions
The AI-powered development revolution has a dark side that’s just cost one unlucky developer roughly $500,000. In June 2025, a sophisticated supply chain attack targeting Cursor AI users demonstrated how the very tools meant to boost our productivity can become vectors for catastrophic financial loss. Here’s what every developer using AI IDEs needs to know to stay safe.
Note: A “supply chain attack” is when attackers compromise software or tools that developers trust, inserting malicious code or components before they reach the end user.
Key Findings
- Massive financial impact: A single developer lost approximately $500,000 in cryptocurrency to attackers exploiting fake extensions (Source: Kaspersky)
- Open VSX vulnerability: The marketplace used by Cursor AI lacks the rigorous security screening of Microsoft’s official VS Code marketplace
- Search algorithm manipulation: Malicious extensions outranked legitimate ones through clever exploitation of ranking factors
- Sophisticated attack chain: Multi-stage infection involving PowerShell scripts, remote access tools, and data exfiltration
- Ongoing threat: Similar attacks continue targeting blockchain developers across multiple platforms
The $500,000 Heist: How It Happened
In June 2025, a Russian blockchain developer contacted Kaspersky’s security team with a devastating story. Despite running a freshly installed system with only essential applications, he’d lost around $500,000 in cryptocurrency assets. The culprit? A seemingly innocent Solidity syntax highlighting extension for Cursor AI.
The developer had searched Open VSX—the extension marketplace that Cursor AI users must rely on—for “solidity” to find a code highlighting tool. What he got instead was a sophisticated piece of malware disguised as a legitimate development tool.
The Fake Extension That Fooled Thousands
The malicious “Solidity Language” extension appeared fourth in search results, despite having fewer downloads (54,000) than the legitimate extension (61,000) that ranked eighth. This wasn’t an accident—it was a carefully orchestrated manipulation of Open VSX’s ranking algorithm.
The fake extension promised:
- Advanced syntax highlighting for Solidity code
- Smart contract optimisation features
- Enhanced development workflows
In reality, it delivered none of these features. Instead, it immediately began downloading and executing malicious PowerShell scripts from remote servers.
Why Cursor AI Users Are at Risk
The root of this vulnerability lies in the fundamental difference between AI-powered IDEs like Cursor and traditional development environments. While VS Code users benefit from Microsoft’s official marketplace with comprehensive security scanning, Cursor AI users must rely on the open-source Open VSX marketplace.
The Open VSX Security Gap
Open VSX lacks several critical security features that protect VS Code users:
Missing Security Controls:
- No automated malware scanning of submitted extensions
- Limited behavioral analysis during publication review
- Minimal monitoring for suspicious extension activity
- Insufficient vetting of publisher identities
What Microsoft’s Marketplace Provides:
- Sandboxed execution environment for testing extensions
- Automated scanning for malicious code patterns
- Anomaly detection for unusual extension behavior
- Comprehensive publisher verification process
This security gap isn’t a secret—it’s a known limitation that AI IDE users have accepted as the price of innovation. Unfortunately, cybercriminals have noticed this opportunity as well.
The Attack Chain: From Extension to Catastrophe
The malicious extension initiated a sophisticated, multi-stage attack that would make even experienced cybersecurity professionals wince:
Stage 1: Initial Infection
The extension’s extension.js file contained obfuscated code that contacted angelic[.]su/files/1.txt to download a PowerShell script. This script then:
- Disabled Windows Defender automatic submissions
- Added exclusion paths to prevent detection
- Established persistence via registry modifications
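Detection logic for the Stage 1 behaviour above, as an added example that is not taken from the Kaspersky report: it flags PowerShell processes descended from the editor whose command line changes Defender exclusions or sample submission. The events are constructed, the field names follow Sysmon process-creation events, and the editor binary names and paths are assumptions.

```python
import re

EDITOR_IMAGES = {"cursor.exe", "code.exe"}  # assumption: editor binaries on Windows
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Command-line traits for two Stage 1 behaviours named in the list above.
RULES = {
    "defender_exclusion": re.compile(
        r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I),
    "defender_submission_off": re.compile(
        r"Set-MpPreference\b.*-SubmitSamplesConsent", re.I),
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def has_editor_ancestor(ev, by_guid):
    """Follow ParentProcessGuid links until an editor binary is the parent."""
    seen = set()
    while ev is not None and ev["ProcessGuid"] not in seen:
        seen.add(ev["ProcessGuid"])
        if basename(ev["ParentImage"]) in EDITOR_IMAGES:
            return True
        ev = by_guid.get(ev["ParentProcessGuid"])
    return False

def detect(events):
    """Return (ProcessGuid, [rule names]) for editor-descended PowerShell with a hit."""
    by_guid = {ev["ProcessGuid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if basename(ev["Image"]) not in SHELL_IMAGES:
            continue
        hits = sorted(n for n, rx in RULES.items() if rx.search(ev["CommandLine"]))
        if hits and has_editor_ancestor(ev, by_guid):
            alerts.append((ev["ProcessGuid"], hits))
    return alerts

# Constructed process-creation events; g3 is an ordinary integrated terminal.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EDITOR = r"C:\Programs\cursor\Cursor.exe"
FIELDS = ("ProcessGuid", "ParentProcessGuid", "Image", "ParentImage", "CommandLine")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("g1", "g0", CMD, EDITOR, "cmd.exe /c powershell.exe -File stage.ps1"),
    ("g2", "g1", PS, CMD, r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public"),
    ("g3", "g0", PS, EDITOR, "powershell.exe -NoLogo"),
    ("g4", "g9", PS, r"C:\Windows\explorer.exe", "powershell.exe -Command Set-MpPreference -SubmitSamplesConsent 2"),
]]
```

Requiring both an editor ancestor and a rule hit keeps normal integrated-terminal sessions (g3) out of the alert queue; g4 is out of scope here only because it has no editor ancestor.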
Stage 2: Remote Access Installation
The PowerShell script downloaded and installed ScreenConnect, a legitimate remote access application, configured to communicate with the attackers’ command and control server at relay.lmfao[.]su.
Stage 3: Data Exfiltration
Through ScreenConnect, the attackers deployed additional tools including:
- Browser credential stealers targeting cryptocurrency wallets
- Keyloggers to capture wallet passphrases
- File system scrapers looking for private keys and seed phrases
Stage 4: Financial Theft
With access to the victim’s cryptocurrency wallet credentials, the attackers systematically drained available funds—totaling approximately $500,000.
The Ranking Algorithm Exploit
One of the most concerning aspects of this attack was how the malicious extension achieved higher search rankings than the legitimate alternative. Open VSX’s ranking algorithm considers multiple factors:
- Download count
- User ratings
- Publication recency
- Publisher verification status
The attackers exploited the “recency” factor by updating their fake extension on June 15, 2025, while the legitimate extension hadn’t been updated since May 30, 2025. This gave their malicious package a ranking boost that placed it above the genuine tool.
Even more troubling, after the original fake extension was removed on July 2, 2025, the attackers published a new malicious package with the exact name “solidity”—but uploaded by “juanbIanco” instead of the legitimate publisher “juanblanco”. The lowercase ‘l’ and uppercase ‘I’ are visually identical in many fonts, making the deception nearly perfect.
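A publisher check for the lookalike-name trick described above, as an added example that is not part of the original article: it folds visually confusable characters and compares the result against a team-maintained allowlist. The allowlist contents, the confusable table and the function names are assumptions for illustration.

```python
import unicodedata

# Publisher IDs the team has already verified. "juanblanco" is the legitimate
# publisher named in the article; the second entry is a constructed placeholder.
TRUSTED_PUBLISHERS = {"juanblanco", "example-verified-publisher"}

# Glyphs that render alike in many UI fonts, folded to one representative.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "O": "o", "0": "o"})


def skeleton(publisher: str) -> str:
    """Reduce an ID to a form in which lookalike spellings collide."""
    # Fold confusables before case folding: casefold() alone turns "I" into "i".
    folded = unicodedata.normalize("NFKC", publisher).translate(CONFUSABLE)
    return folded.casefold()


def classify_publisher(publisher: str, trusted=TRUSTED_PUBLISHERS) -> str:
    """Return 'trusted', 'lookalike of <id>', 'non-ascii' or 'unknown'."""
    if publisher in trusted:
        return "trusted"
    by_skeleton = {skeleton(t): t for t in trusted}
    match = by_skeleton.get(skeleton(publisher))
    if match is not None:
        return f"lookalike of {match}"
    if not publisher.isascii():
        return "non-ascii"  # script mixing needs a manual look
    return "unknown"


def review_search_results(results):
    """results: iterable of (publisher, extension) pairs from a search page."""
    return [(p, e, classify_publisher(p)) for p, e in results]


if __name__ == "__main__":
    # Constructed results; only the two juanblanco spellings come from the article.
    sample = [("juanblanco", "solidity"), ("juanbIanco", "solidity"),
              ("some-new-publisher", "solidity-tools")]
    for row in review_search_results(sample):
        print(row)
```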
The Broader Threat Landscape
This incident isn’t isolated. Security researchers at Datadog discovered three additional malicious VS Code extensions (solaibot, among-eth, and blankebesxstnion) using similar attack patterns, all attributed to the same threat actor group designated MUT-9332.
These attacks share common characteristics:
- Targeting blockchain and cryptocurrency developers specifically
- Using legitimate-sounding domain names related to Solidity development
- Employing multiple obfuscation layers to evade detection
- Establishing persistence through browser extension injection
The targeting of blockchain developers isn’t coincidental—these professionals typically maintain high-value cryptocurrency wallets as part of their work, making them lucrative targets for financially motivated attackers.
Essential Security Measures for AI IDE Users
Immediate Actions
Extension Verification Protocol:
- Always check the publisher’s identity and history
- Verify download counts match the extension’s apparent popularity
- Read reviews carefully, looking for complaints about missing functionality
- Cross-reference with official project documentation when available
System Hardening:
- Enable comprehensive endpoint detection and response (EDR) solutions (EDR: security software that continuously monitors and responds to threats on endpoints like laptops and desktops)
Development Environment Security
Cursor AI Specific Precautions:
- Regularly audit installed extensions through Cursor Settings > Extensions
- Enable Cursor’s built-in security features where available
- Monitor network traffic for unusual outbound connections
- Implement least-privilege principles for development environments
Organisational Policies:
- Establish approval processes for installing development tools
- Maintain inventories of approved extensions and tools
- Implement network monitoring for suspicious PowerShell activity
- Provide security awareness training focused on supply chain threats
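One way to run the extension audit and approved-inventory check from the lists above, as an added example rather than a Cursor or Open VSX tool: it reads each installed extension's `package.json` and compares it with an inventory. The manifests, versions and inventory are constructed, and the heuristics are assumptions about what deserves a second look, not a description of the actual malicious package.

```python
import json
import tempfile
from pathlib import Path

EAGER_EVENTS = {"*", "onStartupFinished"}  # extension code runs at editor startup

def audit_extensions(ext_dir, approved):
    """Map 'publisher.name' to findings; approved maps that ID to the reviewed version."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            m = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            report[path.parent.name] = ["manifest unreadable"]
            continue
        ext_id = f"{m.get('publisher', '?')}.{m.get('name', '?')}"
        findings = []
        if ext_id not in approved:
            findings.append("not in approved inventory")
        elif approved[ext_id] != m.get("version"):
            findings.append("installed version differs from reviewed version")
        contributes = m.get("contributes", {})
        if ("Programming Languages" in m.get("categories", [])
                and not (contributes.get("grammars") or contributes.get("languages"))):
            findings.append("listed as language support but contributes no grammar")
        if "main" in m and EAGER_EVENTS & set(m.get("activationEvents", [])):
            findings.append("runs code at editor startup")
        if findings:
            report[ext_id] = findings
    return report

def demo():
    """Audit two constructed manifests written to a temporary directory."""
    # All field values below are constructed for the example.
    good = {"publisher": "juanblanco", "name": "solidity", "version": "1.0.0",
            "categories": ["Programming Languages"], "main": "./out/extension.js",
            "activationEvents": ["onLanguage:solidity"],
            "contributes": {"grammars": [{"language": "solidity"}]}}
    fake = {"publisher": "juanbIanco", "name": "solidity", "version": "9.9.9",
            "categories": ["Programming Languages"], "main": "./extension.js",
            "activationEvents": ["*"]}
    with tempfile.TemporaryDirectory() as root:
        for m in (good, fake):
            folder = Path(root) / f"{m['publisher']}.{m['name']}-{m['version']}"
            folder.mkdir()
            (folder / "package.json").write_text(json.dumps(m), encoding="utf-8")
        return audit_extensions(root, approved={"juanblanco.solidity": "1.0.0"})
```

To audit a real machine, pass `audit_extensions` the directory where your editor stores installed extensions and an inventory your team maintains.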
The Future of AI IDE Security
This incident highlights a critical gap in the AI development tool ecosystem. As AI-powered IDEs like Cursor, Windsurf, and others gain popularity, the security model must evolve to match the threat landscape.
Industry Response Required
Extension Marketplace Security:
- Implementation of automated malware scanning for Open VSX
- Enhanced publisher verification and identity validation
- Community-driven security reporting and response mechanisms
- Integration with threat intelligence feeds for rapid response
Tool Vendor Responsibilities:
- Development of AI IDE-specific security guidelines
- Integration of security scanning within the IDE environment
- Enhanced user education about extension security risks
- Collaboration with cybersecurity vendors for threat detection
Protecting Your Development Environment
The cryptocurrency industry’s rapid evolution has created new opportunities for both innovation and exploitation. As AI development tools become integral to blockchain development workflows, security must be treated as a fundamental requirement, not an afterthought.
Risk Assessment Framework
When evaluating any development tool or extension:
- Source verification: Can you verify the publisher’s identity and reputation?
- Functionality validation: Does the tool actually provide its advertised features?
- Network behavior analysis: What external connections does the tool make?
- Permission requirements: What system access does the tool request?
- Community validation: Are there independent reviews and security assessments?
Detection and Response
If you suspect you’ve installed a malicious extension:
- Immediate isolation: Disconnect the affected system from networks
- Extension removal: Uninstall the suspicious extension immediately
- System scanning: Run comprehensive malware scans with updated signatures
- Credential rotation: Change all passwords and regenerate API keys
- Wallet security: Move cryptocurrency assets to new, clean wallets
Conclusion
The Cursor AI security incident serves as a stark reminder that the tools meant to accelerate our development workflows can become vectors for sophisticated attacks. The loss of $500,000 to a single fake extension demonstrates the very real financial consequences of inadequate security practices in AI development environments.
Disclaimer: This article is for informational purposes only and does not constitute financial, legal, or cybersecurity advice. Cryptocurrency and software supply chain risks are rapidly evolving—always conduct your own research and consult a professional before making decisions that could impact your assets or organisation.
As we embrace AI-powered development tools, we must also embrace a security-first mindset. The convenience of one-click extension installation must be balanced against the potentially catastrophic consequences of supply chain attacks.
The cybersecurity industry has a responsibility to develop robust security frameworks for AI development tools, but individual developers and organisations cannot wait for perfect solutions. Implementing basic security hygiene—verification, monitoring, and isolation—can mean the difference between productive development and financial catastrophe.
The future of AI-powered development is bright, but only if we ensure it’s also secure. Don’t let the next $500,000 loss be yours.
Stay sharp, stay sceptical, and remember: in the world of AI, even your code editor can be a double agent.