The Solidity Language open-source package was used in a $500,000 crypto heist

July 16, 2025, 7:45 p.m.

Description

A blockchain developer in Russia lost $500,000 in crypto assets to a malicious Solidity Language extension for the Cursor AI IDE. The fake extension, downloaded 54,000 times, appeared higher in search results than the legitimate one because of how the ranking algorithms ordered them. Once installed, it deployed malware that allowed remote access and data theft. The attackers used ScreenConnect for remote control and deployed various scripts to steal wallet passphrases. Shortly after the first package was removed, a new malicious package was published with an inflated download count of 2 million. Similar attacks targeting blockchain developers were found in other extensions and npm packages. The incident highlights the ongoing threat of malicious open-source packages in the crypto industry.

Date

  • Created: July 16, 2025, 4:10 p.m.
  • Published: July 16, 2025, 4:10 p.m.
  • Modified: July 16, 2025, 7:45 p.m.