
Malicious Code in Cursor IDE Leads to $500K Crypto Theft in Developer Wallet

Security researchers at Kaspersky have uncovered a sophisticated attack targeting developers using the Cursor AI-integrated coding environment. Tricking users into installing what appeared to be legitimate Solidity language extensions from the open-source Open VSX repository, the attackers deployed malicious packages that secretly downloaded remote-access malware and cryptocurrency-stealing tools.

In one notable case, a blockchain developer from Russia lost approximately $500,000 in cryptocurrency after installing a counterfeit “Solidity Language” extension. Once installed, the malicious code launched a PowerShell script to install ScreenConnect—a remote access tool—alongside the Quasar backdoor and a browser stealer. These tools were used to extract wallet keys and authentication credentials directly from the developer’s machine.

The perpetrators made the fake extensions appear more legitimate by artificially inflating their download counts, initially to 54,000 installs and then to nearly 2 million, so that they outranked authentic ones in search results. Multiple variants, including “solsafe,” “solaibot,” and “among‑eth,” have since been removed after Kaspersky’s intervention.

Kaspersky warns that it is increasingly difficult to distinguish genuine extensions from malicious ones, even for experienced developers. Experts recommend deploying specialized security tools to monitor open-source dependencies, verifying package authenticity by assessing maintainer credibility, and remaining vigilant about unexpected behaviors during installation.
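
As an added example (not code from Kaspersky or from the original article), the Python audit below walks an extensions directory, flags any package whose name matches the variants named above, and flags extension code that references PowerShell, the launcher described in this incident. The directory layout (one folder per extension containing a `package.json`), the PowerShell pattern, and the sample tree with its `example.*` folder names are assumptions constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Variant names listed in the article (typographic hyphen normalised to ASCII).
REPORTED_NAMES = {"solsafe", "solaibot", "among-eth"}
# Assumed heuristic: extension code that mentions PowerShell deserves manual review.
POWERSHELL_RE = re.compile(r"powershell|pwsh", re.IGNORECASE)

def audit_extensions(ext_root):
    """Return {extension_dir: [reasons]} for extensions needing manual review."""
    findings = {}
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        ext_dir = manifest.parent
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            name = str(meta["name"]).lower()
        except (OSError, ValueError, KeyError, TypeError):
            findings[ext_dir.name] = ["package.json unreadable or missing a name"]
            continue
        reasons = []
        if name in REPORTED_NAMES:
            reasons.append(f"name '{name}' is listed in the article")
        for js in sorted(ext_dir.rglob("*.js")):
            if js.is_file() and POWERSHELL_RE.search(js.read_text(encoding="utf-8", errors="ignore")):
                reasons.append(f"{js.relative_to(ext_dir)} references PowerShell")
        if reasons:
            findings[ext_dir.name] = reasons
    return findings

def run_sample():
    """Audit a constructed tree: one clean extension, one that should be flagged."""
    samples = {  # constructed folder names, package names and file contents
        "example.solidity-helper-1.0.0": ("solidity-helper", "console.log('activated');"),
        "example.solaibot-0.0.1": ("solaibot", "const cmd = 'powershell -File placeholder.ps1';"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for dirname, (name, js) in samples.items():
            ext_dir = Path(tmp) / dirname
            ext_dir.mkdir()
            (ext_dir / "package.json").write_text(json.dumps({"name": name}))
            (ext_dir / "extension.js").write_text(js)
        return audit_extensions(tmp)

if __name__ == "__main__":
    for ext, reasons in run_sample().items():
        print(ext, "->", "; ".join(reasons))
```

To use it on a real machine, pass the editor's extensions folder to `audit_extensions`. A hit is a lead for manual review rather than a verdict, and obfuscated code will not match the pattern.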

This incident highlights a growing trend of supply-chain attacks targeting developer tools and repositories. As coding environments become more accessible and AI-assisted, security must extend beyond code quality to include the integrity of development platforms themselves. In this case, a single compromised extension became the gateway for a large-scale financial loss—underscoring the urgent need for robust cybersecurity practices at every stage of software development.
