Back to LinkedIn posts

LinkedIn post 159

๐Ÿšจ Another security incident: Malicious IDE Extension ๐Ÿšจ

๐Ÿšจ Another security incident: Malicious IDE Extension ๐Ÿšจ

In August 10th, a crypto developerโ€™s wallet was drained after installing a malicious Solidity extension from the Open VSX registry via Cursor AI (!!!).

Investigation revealed it was part of a broader supply chain attack targeting crypto developers, with over $500k stolen in similar cases (both in Windows and MacOS).

Extensions in VS Code, Cursor (even Vim/Neovim) can run arbitrary code with full user permissions. Open VSX has weaker verification than Microsoftโ€™s Marketplace.

The malicious extension had 54k downloads but was only days old.
Attackers accessed sensitive files, API keys, browser data, and synced cloud content.

Here are a few things that could have prevented it:

๐Ÿ‘‰ check the extension release date: old & stable beats new & suspicious
๐Ÿ‘‰ watch for typosquatted publisher names: someone used "juan-bIanco" to impersonate the true author "juanblanco"
๐Ÿ‘‰ copy publisher/extension names to plain text editor with clear font (Times New Roman) as that makes typosquatting substitution obvious (ex.: Cyrillic letters that look like Roman characters, capital I in place of lowercase L, etc)
๐Ÿ‘‰ high downloads and no reviews is a major red flag
๐Ÿ‘‰ "Trusted" extension status is no longer to be trusted
๐Ÿ‘‰ treat all extensions as potential attack vectors
๐Ÿ‘‰ that includes AI extensions - watch what it is doing and do not give it free reign over your machine

#CyberSecurity #SupplyChainAttack #VSCode #OpenVSX #DeveloperSecurity #Web3Security #InfoSec

๐Ÿšจ Another security incident: Malicious IDE Extension ๐Ÿšจ
๐Ÿšจ Another security incident: Malicious IDE Extension ๐Ÿšจ
๐Ÿšจ Another security incident: Malicious IDE Extension ๐Ÿšจ
  • #CyberSecurity
  • #SupplyChainAttack
  • #VSCode
  • #OpenVSX
  • #DeveloperSecurity
  • #Web3Security
  • #InfoSec