
Hackers Steal $500K in Crypto Using Malicious AI Browser Extension


A sophisticated cyberattack has resulted in the theft of approximately $500,000 in cryptocurrency from a Russian blockchain developer, highlighting the persisting and evolving threats posed by malicious open-source packages.

Despite increased awareness and vigilance among the developer community, attackers continue to exploit public repositories and ranking algorithms to trick even experienced users into installing malicious software.

Fraudulent Extension Exploits

The incident came to light in June 2025, when the victim, an experienced developer who had recently reinstalled his operating system and used only essential, well-known applications, noticed that his crypto assets had been drained despite rigorous attention to cybersecurity.

Investigators traced the breach to a Visual Studio Code-compatible extension called “Solidity Language” for the Cursor AI IDE, a productivity-boosting tool for smart contract developers.

The extension, distributed via the Open VSX registry, masqueraded as a legitimate code highlighting tool but was, in reality, a vehicle for remote code execution.

Upon installation, the rogue extension executed a JavaScript file, extension.js, which connected to a malicious web server to download and run PowerShell scripts.

(Figure: The PowerShell script contents)

These scripts, in turn, installed the legitimate remote management tool ScreenConnect, granting the attackers persistent remote access to the compromised system.

The attackers leveraged this access to deploy additional VBScripts, which fetched further payloads including the Quasar open-source backdoor and a stealer module capable of siphoning credentials and wallet passphrases from browsers, email clients, and crypto wallets.

Blockchain Developers Targeted

The ruse was convincing: the malicious extension appeared near the top of search results within the extension marketplace, thanks to a ranking algorithm that weighted recency and apparent activity over simple download counts.

The attackers also copied descriptions from legitimate packages to further blur the line between authentic and malicious offerings.

When the fake extension failed to provide its promised functionality, the victim initially assumed it was a bug, allowing the malware to persist undetected.

In a further twist, after the malicious package was removed from the store, the threat actors quickly published a new clone named “solidity,” using sophisticated impersonation tactics.

The malicious publisher’s name differed by only a single character, an uppercase “I” in place of a lowercase “l”, a distinction almost impossible to spot due to font rendering.

Download counts for the fake extension were artificially inflated to two million in an attempt to outshine the legitimate tool, making the correct choice difficult for users.
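The uppercase-I-for-lowercase-l trick described above is mechanical enough to check for. The following is an added example, not code from the report or from any marketplace: it reduces publisher names to a "skeleton" in which visually confusable characters collapse to one symbol and flags installed extensions whose publisher matches a trusted name only after that reduction. All publisher and extension names in it are constructed placeholders, and the confusable table is an assumption covering common Latin-script cases.

```python
"""Defender-side check for publisher lookalikes: names that differ from a
trusted publisher only by visually confusable characters (uppercase I for
lowercase l, 0 for O, ...). Added example; all names are constructed."""
import unicodedata

# Case-sensitive single-character confusables, applied BEFORE lowercasing
# so that 'I' (capital i) and 'l' (lowercase L) collapse to one symbol.
SINGLE_CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l",
                                    "0": "o", "O": "o", "5": "s"})
# Multi-character sequences that render like one letter in many fonts.
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def skeleton(name: str) -> str:
    """Reduce a publisher name to a form in which confusable characters
    are indistinguishable; equal skeletons mean 'looks the same'."""
    s = unicodedata.normalize("NFKC", name).translate(SINGLE_CONFUSABLES).lower()
    for src, dst in MULTI_CONFUSABLES:
        s = s.replace(src, dst)
    return s


def check_publisher(publisher: str, trusted: set[str]) -> str:
    """'trusted' for an exact allowlist match, 'lookalike' when only the
    skeleton matches a trusted name (typosquat suspect), else 'unknown'."""
    if publisher in trusted:
        return "trusted"
    if any(skeleton(publisher) == skeleton(t) for t in trusted):
        return "lookalike"
    return "unknown"


def audit_extensions(installed, trusted):
    """Map each 'publisher.name' extension id to a verdict; the
    'lookalike' entries are the ones to remove and report."""
    return {ext: check_publisher(ext.split(".", 1)[0], trusted) for ext in installed}


if __name__ == "__main__":
    TRUSTED = {"example-publisher"}            # assumption: your own allowlist
    INSTALLED = ["example-publisher.solidity",  # constructed sample data
                 "exampIe-publisher.solidity",  # capital I in place of l
                 "other-dev.theme"]
    for ext, verdict in audit_extensions(INSTALLED, TRUSTED).items():
        print(f"{verdict:9} {ext}")
```

In practice the installed list would be read from the IDE's extensions directory and the allowlist from the publishers your team has actually vetted.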

The campaign did not end there; similar attack methodologies were identified in additional malicious packages on both the Open VSX registry and npm, targeting blockchain developers through recognizably named extensions and packages.

Each infection chain followed a familiar pattern: executing PowerShell scripts, downloading additional malware, and establishing communication with attacker-controlled command-and-control servers.

This incident underscores the enduring risks of supply-chain attacks in the open-source ecosystem.

Security experts recommend that developers use commercial-grade endpoint protection, rigorously verify extension authorship, scrutinize unexpected behaviors, and inspect downloaded source code for anomalies.

The case serves as a stark reminder that even seasoned developers can fall victim to well-concealed threats in public repositories.

Indicators of Compromise (IOC)

