
Cursor IDE Crypto Theft: Dev Loses $500K to Malicious Extension


The Cursor IDE crypto theft incident has sent shockwaves through the developer community. A Russian blockchain developer recently lost around $500,000 in cryptocurrency. The loss stemmed from installing what appeared to be a helpful extension for smart contract development. Instead, the extension served as a backdoor for attackers.

This breach took place in June 2025. The developer was using Cursor, a popular AI-enhanced fork of Visual Studio Code. While working on Solidity-based blockchain projects, they searched for a language extension to support their coding environment. One result caught their attention: a “Solidity Language” extension hosted on the Open VSX registry.

Unfortunately, that extension was fake.

From Extension to Exploitation

Once installed, the malicious extension executed a PowerShell script. That script secretly installed ScreenConnect, a legitimate remote desktop tool often abused by cybercriminals. The attackers then gained full access to the developer’s system.

Within hours, they deployed Quasar RAT and PureLogs stealer, tools designed to collect sensitive information. These malware strains quietly extracted browser data, autofill credentials, and even the developer’s crypto wallet seed phrases. By the time the developer noticed anything suspicious, the funds were gone.

The attackers transferred an estimated $500,000 worth of cryptocurrency out of the victim’s wallet. There was no chance of recovery.

How the Attack Fooled Thousands

One reason the scam worked so well was how convincingly the extension mimicked legitimate ones. It used a nearly identical publisher name, swapping the lowercase “l” for an uppercase “I” so that it passed as “juanblanco,” the name of a real Solidity maintainer.

The extension also displayed an impressive install count, initially showing over 54,000 downloads. This number boosted user trust and pushed the extension higher in search results. When removed, it resurfaced under a different name (simply “solidity”) and rapidly gained over 2 million downloads. That’s more than the real one.

Part of the problem lies in how the Open VSX registry ranks and displays extensions. It emphasizes recent updates and download numbers, not verified publisher identities. This allowed the attacker to climb the rankings without raising red flags.

Security Lessons for Developers

The Cursor IDE crypto theft highlights a deeper issue in the developer ecosystem. Tools like VSCode and its forks have become essential, but their extension marketplaces are not equally secure. While Microsoft’s official VSCode Marketplace performs verification checks, Open VSX, used by Cursor, does not enforce the same standards.

Developers need to treat extensions like any other software dependency. That means checking the publisher’s authenticity, inspecting code when possible, and avoiding tools that appear suspicious, even if they look popular. Visual similarity in names can be deceptive, and inflated download counts are easy to fabricate.
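The publisher check described here, and the “l”/“I” swap described earlier, can be automated. The following is an added example, not code from the original article or from any registry: it compares the publisher part of each installed extension ID against an allowlist and flags names that only look the same. It generalizes beyond the single swap in this incident to a few other common look-alike characters, and it assumes IDs in the usual `publisher.name` form; the allowlist and the installed IDs are constructed sample data.

```python
import unicodedata

# Characters that render alike in many UI fonts, folded to one representative.
# Applied before case folding, because "I".lower() is "i", not "l".
CONFUSABLE = str.maketrans({
    "I": "l", "1": "l", "|": "l",                  # uppercase i, digit one, pipe
    "O": "o", "0": "o",                            # uppercase o, zero
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o look-alikes
    "\u0440": "p", "\u0441": "c",                  # Cyrillic p, c look-alikes
})

def skeleton(name):
    """Reduce a name to a form in which look-alike spellings collide."""
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLE)
    return folded.casefold().replace("rn", "m")

def classify(extension_id, trusted_publishers):
    """Return 'trusted', 'lookalike:<publisher>' or 'unknown' for one ID."""
    publisher = extension_id.split(".", 1)[0]
    if publisher in trusted_publishers:
        return "trusted"
    for good in sorted(trusted_publishers):
        # Same skeleton but a different string: visually confusable name.
        if skeleton(publisher) == skeleton(good):
            return f"lookalike:{good}"
    return "unknown"

def audit(extension_ids, trusted_publishers):
    """Map each installed extension ID to its classification."""
    return {ext: classify(ext, trusted_publishers) for ext in extension_ids}

# Constructed sample data (illustrative allowlist and installed IDs).
TRUSTED = {"juanblanco"}
INSTALLED = [
    "juanblanco.solidity",      # exact match with the allowlisted publisher
    "juanbIanco.solidity",      # uppercase I in place of lowercase l
    "juanblanc0.solidity",      # zero in place of o
    "example-publisher.theme",  # unrelated publisher, needs manual review
]

if __name__ == "__main__":
    for ext, verdict in audit(INSTALLED, TRUSTED).items():
        print(f"{verdict:22} {ext}")
```

An `unknown` verdict is not a clean bill of health; it only means the publisher is not on the allowlist and does not imitate one that is.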

Security software also plays a vital role. Endpoint protection tools that detect remote access, data theft, and suspicious script execution could have stopped the attack early. Without them, even tech-savvy users are at risk.

Final Thoughts

The Cursor IDE crypto theft serves as a wake-up call. It shows how a single extension can compromise not just a machine, but an entire digital wallet. As more developers embrace AI-assisted coding tools and alternative IDEs, attackers will continue to look for weak spots in the supply chain.

Staying safe means asking hard questions about the tools we trust. Just because an extension appears helpful doesn’t mean it is. And just because an IDE is smart doesn’t mean it’s secure.

If it can happen to a blockchain expert, it can happen to anyone.

 

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.