Cybersecurity researchers from Kaspersky’s Global Research and Analysis Team (GReAT) have exposed a targeted cryptocurrency heist involving malicious Visual Studio Code extensions designed to deceive developers using the Cursor development environment.

A Russian blockchain developer reportedly lost US$500,000 in crypto assets after installing a fake Solidity language extension from the Open VSX repository. The extension, claiming to support Solidity, in fact downloaded ScreenConnect malware and deployed the Quasar backdoor along with a stealer targeting browsers, email clients and crypto wallets.

The attacker manipulated download statistics to rank the malicious extension above legitimate ones, inflating installations from 54,000 to over 2 million, while the genuine package stood at just 61,000. After removal, the attacker republished the same malicious extension, continuing the campaign.

Kaspersky confirmed that several other malicious packages, including solsafe, solaibot, among-eth, and blankebesxstnion, were also used to distribute ScreenConnect and have since been taken down.

“Even experienced developers in blockchain are now being actively targeted,” said Georgy Kucherin, Security Researcher at Kaspersky GReAT. “Threat actors are leveraging increasingly deceptive tactics. Developers must use dedicated security solutions and vet package maintainers thoroughly.”

Kaspersky recommends that companies implement tools to monitor open-source components, verify package authenticity, and remain updated on emerging cybersecurity threats. The full report is available on Securelist.com.