๐จ Another security incident: Malicious IDE Extension ๐จ
In August 10th, a crypto developerโs wallet was drained after installing a malicious Solidity extension from the Open VSX registry via Cursor AI (!!!).
Investigation revealed it was part of a broader supply chain attack targeting crypto developers, with over $500k stolen in similar cases (both in Windows and MacOS).
Extensions in VS Code, Cursor (even Vim/Neovim) can run arbitrary code with full user permissions. Open VSX has weaker verification than Microsoftโs Marketplace.
The malicious extension had 54k downloads but was only days old.
Attackers accessed sensitive files, API keys, browser data, and synced cloud content.
Here are a few things that could have prevented it:
๐ check the extension release date: old & stable beats new & suspicious
๐ watch for typosquatted publisher names: someone used "juan-bIanco" to impersonate the true author "juanblanco"
๐ copy publisher/extension names to plain text editor with clear font (Times New Roman) as that makes typosquatting substitution obvious (ex.: Cyrillic letters that look like Roman characters, capital I in place of lowercase L, etc)
๐ high downloads and no reviews is a major red flag
๐ "Trusted" extension status is no longer to be trusted
๐ treat all extensions as potential attack vectors
๐ that includes AI extensions - watch what it is doing and do not give it free reign over your machine
#CyberSecurity #SupplyChainAttack #VSCode #OpenVSX #DeveloperSecurity #Web3Security #InfoSec


