Full Report
A fake extension for the Cursor AI IDE code editor infected devices with remote access tools and infostealers, which, in one case, led to the theft of $500,000 in cryptocurrency from a Russian crypto developer. [...]
Analysis Summary
# Incident Report: Malicious VSCode Extension Leads to Crypto Theft
## Executive Summary
An attacker published a malicious Visual Studio Code (VSCode) extension to the Open VSX registry, the extension source used by the Cursor IDE (an IDE built on VSCode), and manipulated its search ranking so that it outranked the legitimate extension it imitated. A victim, described in the source as a Russian cryptocurrency developer, installed the fake extension; it deployed remote access tools and infostealers, which led to the theft of approximately $500,000 in cryptocurrency. The incident illustrates the risk posed by malicious packages in software development supply chains, including extension marketplaces that developers treat as trusted.
## Incident Details
- **Discovery Date:** Not explicitly stated; the activity was identified through Kaspersky research and then publicly reported.
- **Incident Date:** Not explicitly stated; the infection and theft occurred prior to public reporting.
- **Affected Organization:** Not publicly disclosed. The victim is described as an individual cryptocurrency developer.
- **Sector:** Technology/Software Development; the lure targeted developers installing IDE extensions, and the victim worked in cryptocurrency development.
- **Geography:** The victim is described as Russian; no further location detail is given.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Malicious VSCode extension masquerading as a legitimate tool on the Open VSX registry, installed from within the Cursor IDE.
- **Details:** The threat actors inflated the download count of their extension so that it ranked above the legitimate counterpart in Open VSX search results, leading the victim to install the fake instead of the real one.
### Lateral Movement
- Lateral movement within the victim's network is not described in the source; the reporting focuses on the initial compromise via the extension.
### Data Exfiltration/Impact
- **Details:** Approximately $500,000 worth of cryptocurrency was stolen. The extension deployed a remote access tool (ScreenConnect) and infostealers; the source does not state exactly which artifacts (private keys, seed phrases, wallet credentials or session data) were taken, only that the malware enabled the theft.
### Detection & Response
- **How it was discovered:** Kaspersky research identified the malicious extension and the related fake extensions.
- **Response actions taken:** Kaspersky reported the threat publicly. Removal of the malicious extensions from the registry following disclosure is the expected outcome but is not confirmed in the source.
## Attack Methodology
- **Initial Access:** Installation of a malicious VSCode extension within the Cursor IDE environment.
- **Persistence:** A PowerShell script run after the extension was installed deployed ScreenConnect, a legitimate remote-support tool that runs as a service and gives the operator persistent interactive access; infostealers were deployed alongside it.
- **Privilege Escalation:** Not detailed. Code execution was obtained in the user's context through the IDE's extension mechanism, which runs extension code with the rights of the user running the IDE.
- **Defense Evasion:** Masquerading as a legitimate extension and gaming search ranking with inflated download counts; use of a legitimate remote-access product (ScreenConnect) rather than a custom implant.
- **Credential Access:** Implied; the infostealers targeted data that enabled the cryptocurrency theft.
- **Discovery:** Not detailed in the source. Infostealers of this kind typically enumerate wallet software, browser profiles and credential stores, but the specific behaviour here is not described.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering of cryptocurrency wallet credentials/keys.
- **Exfiltration:** Transfer of stolen cryptocurrency to attacker-controlled wallets.
- **Impact:** Financial loss of $500,000.
## Impact Assessment
- **Financial:** Approximately $500,000 in cryptocurrency stolen.
- **Data Breach:** Cryptocurrency wallet credentials/private keys were compromised.
- **Operational:** Not specifically detailed, but development environment integrity was compromised.
- **Reputational:** Potential loss of trust in open-source repositories and specific IDEs/extensions.
## Indicators of Compromise
- **Network indicators:** None provided in the source.
- **File indicators:** The post-install PowerShell payload, the ScreenConnect client and the infostealers; no hashes are provided in the source.
- **Behavioral indicators:** Installation of an extension with an implausibly high download count relative to its age or publisher history; PowerShell launched by the IDE process shortly after an extension install; appearance of a ScreenConnect client on a developer workstation that does not use it. Related extension names noted: "solaibot", "among-eth", and "blankebesxstnion".
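The behavioural indicators above translate directly into a process-tree detection: the IDE host process launching PowerShell with dropper-like arguments, and a ScreenConnect client appearing anywhere beneath the IDE in the process tree. The following is an added example written for this report, not code from Kaspersky, Cursor or the original article. The log format (`ts|pid|ppid|image|cmdline`), the sample events and the command-line heuristics are all constructed assumptions; real telemetry would come from Sysmon event ID 1 or an EDR, and the regexes would need tuning to the environment.

```python
import re
from dataclasses import dataclass

# Lower-cased image basenames. Cursor.exe / Code.exe are the IDE host processes.
IDE_PROCESSES = {"cursor.exe", "code.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line traits typical of dropper scripts (assumed heuristics, not IoCs from the report).
SUSPICIOUS_ARGS = {
    "encoded_command": r"-e(nc|ncodedcommand)?\s",
    "execution_policy_bypass": r"executionpolicy\s+bypass",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "remote_download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
}
RAT_MARKER = "screenconnect"  # ScreenConnect client binaries carry the product name


@dataclass
class ProcEvent:
    ts: int        # event time in seconds (constructed)
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed 'ts|pid|ppid|image|cmdline' format used by SAMPLE_LOG."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(int(ts), int(pid), int(ppid), image.strip(), cmdline.strip()))
    return events


def lineage(event: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[ProcEvent]:
    """Walk parent links (nearest first) until the chain leaves the log."""
    chain, cur = [], by_pid.get(event.ppid)
    while cur is not None and len(chain) < 32:   # guard against pid-reuse loops
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list[ProcEvent]) -> list[tuple[str, int, list[str]]]:
    """Return (rule, pid, details) for each event matching one of the two patterns."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        parents = lineage(e, by_pid)
        # Rule 1: the IDE host directly launches PowerShell with dropper-like flags.
        if img in SHELLS and parents and basename(parents[0].image) in IDE_PROCESSES:
            hits = [name for name, pat in SUSPICIOUS_ARGS.items() if re.search(pat, e.cmdline, re.I)]
            if hits:
                alerts.append(("ide_spawned_powershell", e.pid, hits))
        # Rule 2: a ScreenConnect client appears anywhere beneath the IDE process tree.
        if RAT_MARKER in img:
            ide_ancestors = [basename(p.image) for p in parents if basename(p.image) in IDE_PROCESSES]
            if ide_ancestors:
                alerts.append(("rat_under_ide", e.pid, ide_ancestors))
    return alerts


def run(log_text: str):
    return detect(parse_log(log_text))


# Constructed telemetry: one malicious chain (4100 -> 4200 -> 4300) and one benign PowerShell (4400).
SAMPLE_LOG = r"""
1000|4100|900|C:\Users\dev\AppData\Local\Programs\cursor\Cursor.exe|"Cursor.exe" --type=extensionHost
1012|4200|4100|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -ExecutionPolicy Bypass -enc SQBFAFgA
1040|4300|4200|C:\Users\dev\AppData\Local\Temp\ScreenConnect.ClientSetup.exe|ScreenConnect.ClientSetup.exe /silent
1200|4400|4100|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Location
"""

if __name__ == "__main__":
    for rule, pid, detail in run(SAMPLE_LOG):
        print(f"{rule}: pid={pid} {detail}")
```

Rule 1 deliberately requires at least one suspicious flag, because IDE extensions legitimately spawn PowerShell (linters, task runners, terminal helpers); the benign pid 4400 above produces no alert for that reason. Rule 2 is stricter because a remote-support client has no business being launched from an editor's process tree.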
## Response Actions
- **Containment measures:** Removal/disabling of the malicious extension(s) from marketplaces.
- **Eradication steps:** Not described in the source. A victim in this position would need to remove the extension and the ScreenConnect client and infostealers it deployed, rebuild or thoroughly clean the affected workstation, and revoke or rotate every credential, API key and wallet secret that was present on it.
- **Recovery actions:** Stolen on-chain funds are generally unrecoverable; recovery consists of moving remaining assets to freshly generated wallets on a clean machine and tightening how keys and credentials are stored on development hosts.
## Lessons Learned
- Search ranking that weights download counts can be gamed: inflating the count pushed the fake extension above the legitimate one in Open VSX results, and the inflated popularity itself served as the lure.
- Software supply chain risks are significantly amplified when relying on packages from open, less-vetted sources, even within reputable IDE environments (like Cursor built on VSCode).
- Misleading package promotion tactics remain an effective social engineering technique against developers.
## Recommendations
- Developers should treat popularity and ranking as untrusted signals when installing extensions from open registries; a high download count or a top search position is not evidence of legitimacy.
- Verify the publisher, the linked source repository and the extension's contents before installing, not only after it misbehaves; an extension that runs scripts or fetches payloads after installation should be treated as a compromise, not a bug.
- IDE platforms and registry operators should detect and neutralise download-count manipulation, weight ranking toward publisher history and verification rather than raw counts, and review extensions that bundle scripts or executables.
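The recommendation to verify publisher and source before trusting an extension can be partly automated against the local extension inventory. The following is an added example written for this report, not a Cursor or VSCode tool. It audits a constructed inventory: the record shape (`id`, `manifest`, `files`) is an assumption, the publisher ids and file names are invented, and the only report-derived data are the three extension names from the indicators section, which are matched on the name part of `publisher.name` because the source gives no publisher. `publisher`, `repository` and `activationEvents` are standard VS Code `package.json` fields.

```python
import re

# Extension names called out in the report (matched on the name part of publisher.name).
REPORTED_NAMES = {"solaibot", "among-eth", "blankebesxstnion"}
# Bundled file types that warrant a look before trusting an extension (assumed heuristic).
RISKY_FILE_RE = re.compile(r"\.(ps1|psm1|bat|cmd|vbs|exe|dll)$", re.I)


def audit_extension(ext: dict) -> list[str]:
    """Return findings for one installed extension.

    `ext` is an assumed, constructed record:
      {"id": "publisher.name", "manifest": {...package.json...}, "files": [...unpacked paths...]}
    """
    findings = []
    publisher, _, name = ext["id"].partition(".")
    manifest = ext.get("manifest", {})

    # 1. Name matches one the report associates with the campaign.
    if name.lower() in REPORTED_NAMES:
        findings.append(f"name '{name}' matches an extension named in the report")

    # 2. Manifest publisher must agree with the id the registry installed it under.
    if manifest.get("publisher", "").lower() != publisher.lower():
        findings.append(
            f"manifest publisher '{manifest.get('publisher')}' does not match id publisher '{publisher}'"
        )

    # 3. Without a repository URL there is no source to review before trusting the package.
    repo = manifest.get("repository")
    repo_url = repo.get("url") if isinstance(repo, dict) else repo
    if not repo_url:
        findings.append("no repository URL: source cannot be reviewed before trusting the package")

    # 4. Startup activation is common for legitimate extensions but means malicious code
    #    runs on every IDE launch without any user action.
    events = manifest.get("activationEvents", [])
    if "*" in events or "onStartupFinished" in events:
        findings.append("activates on startup without user action (common, but widens impact of malicious code)")

    # 5. Scripts or native binaries shipped inside the package deserve manual inspection.
    risky = [f for f in ext.get("files", []) if RISKY_FILE_RE.search(f)]
    if risky:
        findings.append("bundles scripts/binaries: " + ", ".join(risky))
    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map extension id -> findings, omitting extensions with nothing to report."""
    report = {}
    for ext in inventory:
        findings = audit_extension(ext)
        if findings:
            report[ext["id"]] = findings
    return report


# Constructed inventory for the example; publishers, URLs and file names are invented.
SAMPLE_INVENTORY = [
    {"id": "example-corp.linter",
     "manifest": {"publisher": "example-corp",
                  "repository": {"type": "git", "url": "https://example.invalid/linter"},
                  "activationEvents": ["onLanguage:python"]},
     "files": ["package.json", "out/extension.js"]},
    {"id": "example-publisher.solaibot",
     "manifest": {"publisher": "example-publisher", "activationEvents": ["*"]},
     "files": ["package.json", "out/extension.js", "scripts/setup.ps1"]},
    {"id": "example-publisher.helper-tools",
     "manifest": {"publisher": "someone-else",
                  "repository": "https://example.invalid/helper-tools",
                  "activationEvents": ["onCommand:helper.run"]},
     "files": ["package.json", "out/extension.js"]},
]

if __name__ == "__main__":
    for ext_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(ext_id)
        for f in findings:
            print("  -", f)
```

The checks are graded rather than binary on purpose: a name match against the report is a hard signal, a publisher mismatch or missing repository is a reason to stop and look, and startup activation or a bundled script is only notable in combination with the others. None of this replaces reading the extension's code, but it turns the "verify before you trust" recommendation into something a developer can run against their own machine.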