{"id":398926,"date":"2025-07-18T15:08:40","date_gmt":"2025-07-18T09:38:40","guid":{"rendered":"https:\/\/dripp.zone\/news\/malicious-code-found-in-fake-coding-extensions-used-to-steal-crypto-crypto-news\/"},"modified":"2025-07-18T15:13:07","modified_gmt":"2025-07-18T09:43:07","slug":"malicious-code-found-in-fake-coding-extensions-used-to-steal-crypto-crypto-news","status":"publish","type":"post","link":"https:\/\/dripp.zone\/news\/malicious-code-found-in-fake-coding-extensions-used-to-steal-crypto-crypto-news\/","title":{"rendered":"Malicious code found in fake coding extensions used to steal crypto &#8211; Crypto News"},"content":{"rendered":"<p><\/p>\n<div style=\"text-align:justify;\">\n<p>Security researchers have found <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/securelist.com\/open-source-package-for-cursor-ai-turned-into-a-cryptocurrency-heist\/116908\/\">open-source packages<\/a> targeting developers with malware that steals cryptocurrency. The packages were hosted on the Open VSX repository disguised as tools for working with Solidity, a programming language used in blockchain development. They delivered malware that gave attackers control over victims\u2019 devices and access to sensitive data.<\/p>\n<p>The packages were meant to work with Cursor, a development environment based on Visual Studio Code. Cursor is often used for AI-assisted coding, making it a natural target for attackers looking to reach developers.<\/p>\n<p>Kaspersky\u2019s Global Research and Analysis Team uncovered the issue after a Russian blockchain developer reported an incident. The developer had installed what looked like a regular Solidity extension. Instead, it gave hackers access to his computer. They used that access to steal around $500,000 in cryptocurrency.<\/p>\n<p>The attackers made their fake extension appear more trustworthy by pushing it higher in the repository\u2019s search results by spoofing download numbers \u2013 pegging it at 54,000 installs. After being installed, the extension didn\u2019t do anything useful. Instead, it installed ScreenConnect, a remote access tool that gave attackers full control of the machine.<\/p>\n<p>From there, the attackers deployed Quasar, an open-source backdoor, along with a stealer tool. The combination collected data from the victim\u2019s web browsers, email apps, and cryptocurrency wallets, including wallet seed phrases \u2013 critical information that allowed the attackers to drain accounts.<\/p>\n<p>Once the original malicious extension was taken down, the attacker reuploaded it and faked more installs \u2013 this time claiming two million downloads (the real version of the extension had around 61,000 downloads by comparison). Kaspersky has flagged the fake version again for removal.<\/p>\n<p>Georgy Kucherin, a researcher at Kaspersky, said these kinds of attacks are getting harder to spot. Even experienced developers who understand cybersecurity risks can fall for them, especially in fields like blockchain.<\/p>\n<p>In addition to the fake Solidity extension, the attacker uploaded a malicious NPM package called <code>solsafe<\/code>, which also delivered ScreenConnect. A few months before that, three other harmful Visual Studio Code extensions \u2013 <code>solaibot<\/code>, <code>among-eth<\/code>, and <code>blankebesxstnion<\/code> \u2013 were uploaded to the same repository. Those have since been removed.<\/p>\n<p>The attacks highlight how public code repositories are a growing threat vector, especially for developers working in sensitive fields like cryptocurrencies. Malicious packages disguised as helpful tools are proving to be a simple but effective way for attackers to gain access to high-value targets.<\/p>\n<p><strong>See also: <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blockchaintechnology-news.com\/news\/Bitcoin-rise-puts-cloud-mining-back-in-the-spotlight\/\">Bitcoin\u2019s rise puts cloud mining back on the table<\/a><\/strong><\/p>\n<p class=\"tags\"><span class=\"tags-title\">Tags:<\/span> <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blockchaintechnology-news.com\/news\/tag\/blockchain\/\" rel=\"tag\">blockchain<\/a>, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blockchaintechnology-news.com\/news\/tag\/crypto\/\" rel=\"tag\">crypto<\/a>, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blockchaintechnology-news.com\/news\/tag\/crypto-hack\/\" rel=\"tag\">crypto hack<\/a>, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blockchaintechnology-news.com\/news\/tag\/cryptocurrency\/\" rel=\"tag\">cryptocurrency<\/a>, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blockchaintechnology-news.com\/news\/tag\/cybersecurity\/\" rel=\"tag\">cybersecurity<\/a><\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have found open-source packages targeting developers with malware that steals cryptocurrency. The packages were hosted on the Open VSX repository disguised as tools for working with Solidity, a programming language used in blockchain development. They delivered malware that gave attackers control over victims\u2019 devices and access to sensitive data. The packages were meant [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":398929,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[188,183,185,186,187,184,189,150,182,190],"class_list":["post-398926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-blockchain-tech","tag-blockchain-technology","tag-crypto-technology","tag-cryptocurrency-technology","tag-metaverse-technology","tag-nft-technology","tag-soul-bound-token","tag-tech","tag-technology","tag-token-technology"],"_links":{"self":[{"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/posts\/398926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/comments?post=398926"}],"version-history":[{"count":1,"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/posts\/398926\/revisions"}],"predecessor-version":[{"id":398930,"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/posts\/398926\/revisions\/398930"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/media\/398929"}],"wp:attachment":[{"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/media?parent=398926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/categories?post=398926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dripp.zone\/news\/wp-json\/wp\/v2\/tags?post=398926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}