Weaponized AI Extension Used by Hackers to Swipe $500,000 in Crypto

A Russian blockchain engineer lost over $500,000 in cryptocurrency holdings in June 2025 after being the victim of a carefully planned cyberattack, serving as a terrifying reminder of the perils that might exist in open-source ecosystems.

The attack, investigated by cybersecurity experts, revealed the use of a malicious extension disguised as a legitimate tool for the Cursor AI IDE, a Visual Studio Code-based environment tailored for AI-assisted development.

A Sophisticated Attack on Blockchain Developers

This incident underscores the growing threat of weaponized open-source packages, with repositories like PyPI, npm, and Open VSX increasingly becoming hunting grounds for cybercriminals targeting high-value individuals such as crypto developers.

The attack vector was a fake extension named “Solidity Language,” ostensibly designed for syntax highlighting of Solidity smart contract code.

Hosted on the Open VSX registry, the extension boasted 54,000 downloads, a figure that was likely inflated, and exploited the registry’s ranking algorithm, which weighs factors like recency alongside download counts.

Updated on June 15, 2025, the malicious extension outranked its legitimate counterpart (last updated May 30, 2025), appearing higher in search results for “solidity” and deceiving even the vigilant developer into installing it.

Malicious Payloads Unleashed

Instead of delivering the promised functionality, the extension executed a devastating chain of malicious operations.

It downloaded PowerShell scripts from a dubious server at angelic[.]su, which facilitated the installation of ScreenConnect remote management software for attacker control via relay.lmfao[.]su.

[Figure: the PowerShell script contents]

Subsequent scripts unleashed the Quasar backdoor and a stealer malware (detected as HEUR:Trojan-PSW.MSIL.PureLogs.gen by Kaspersky), ultimately siphoning passphrases from the victim’s crypto wallets.

The sophistication didn’t end there. Even after the original malicious extension was removed on July 2, 2025, the attackers swiftly uploaded a new version under the exact name “solidity,” mimicking the legitimate developer’s username with a subtle typo (juanbIanco vs. juanblanco).

With an implausible two million downloads, it sat alongside the authentic extension in search results, exploiting visual similarities to mislead users further.
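One defensive check against the publisher-name trick described above, as an added example that is not from the original article or the underlying report: fold look-alike characters (capital I for lowercase l, digit 0 for o, and so on) to a common “skeleton” and compare the publisher of a search result against a constructed allowlist of trusted publishers for well-known extension names. The allowlist and the search results below are constructed sample data.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist: extension name -> the publisher id you expect to see.
TRUSTED_PUBLISHERS = {"solidity": "juanblanco"}

# Characters commonly swapped in to impersonate a publisher id
# (the page's case is a capital "I" standing in for a lowercase "l").
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(name: str) -> str:
    """Reduce a publisher id so that look-alike spellings collide."""
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLES)
    return folded.replace("rn", "m").lower()


def classify(publisher: str, extension: str) -> str:
    """Verdict for one registry search result: trusted, lookalike, suspicious,
    untrusted, or unknown (extension name not in the allowlist)."""
    expected = TRUSTED_PUBLISHERS.get(extension.lower())
    if expected is None:
        return "unknown"
    if publisher == expected:
        return "trusted"
    if skeleton(publisher) == skeleton(expected):
        return "lookalike"          # homoglyph/typo impersonation
    ratio = SequenceMatcher(None, publisher.lower(), expected.lower()).ratio()
    return "suspicious" if ratio >= 0.8 else "untrusted"


def triage(results):
    """Classify a list of (extension, publisher) search results; returns a
    list of (extension, publisher, verdict) so a reviewer can eyeball it."""
    return [(ext, pub, classify(pub, ext)) for ext, pub in results]


if __name__ == "__main__":
    # Constructed search results mirroring the two entries the article describes.
    sample = [("solidity", "juanblanco"), ("solidity", "juanbIanco")]
    for ext, pub, verdict in triage(sample):
        print(f"{ext:10} {pub:12} -> {verdict}")
```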

Additional malicious packages like “solsafe” on npm and other VS Code extensions (solaibot, among-eth, blankebesxstnion) were uncovered, employing near-identical infection methods, revealing a broader campaign targeting blockchain professionals.

According to the report, these attacks consistently leveraged obfuscated scripts from paste.ee and payloads hidden in images on archive.org, highlighting a systematic and persistent threat.

This incident is a stark warning for the crypto industry, heavily reliant on open-source tools. Developers must exercise extreme caution, verify package authenticity, and inspect source code for discrepancies.

Modern cybersecurity solutions could have thwarted this attack, emphasizing the need for robust defenses even among seasoned professionals.

As malicious packages proliferate, vigilance and advanced protections remain critical to safeguarding digital assets in this high-stakes domain.

Indicators of Compromise (IoC)

Type: File hashes (JS files)
Indicator: 2c471e265409763024cdc33579c84d88d5aaf9aea1911266b875d3b7604a0eeb, etc.

Type: Network indicators
Indicator: https://angelic[.]su/files/1.txt, https://relay.lmfao[.]su, 144.172.112[.]84
