A fraudulent extension for the Cursor AI IDE—an editor built upon Microsoft’s open-source Visual Studio Code—was used to compromise the device of a Russian cryptocurrency developer, ultimately resulting in the theft of $500,000 in digital assets through the deployment of remote access tools and infostealers.
Cursor AI, which supports the alternative Open VSX marketplace, allows users to install extensions beyond the official Visual Studio Code ecosystem. This flexibility, however, became a vector for exploitation.
Cybersecurity firm Kaspersky recently received a request to investigate a security incident. The affected developer, whose computer lacked antivirus protection but was believed to be uncompromised, claimed to have lost half a million dollars in cryptocurrency.
After obtaining a disk image of the machine, Kaspersky’s analysts uncovered a malicious file named extensions.js within the .cursor\extensions directory. This file originated from a counterfeit Solidity Language extension hosted on the Open VSX marketplace. Masquerading as a legitimate tool for Ethereum smart contract syntax highlighting (a function it did in fact perform), the extension covertly downloaded PowerShell scripts from a remote server, subsequently executing multiple malicious payloads.
It is important to note that the breach did not stem from vulnerabilities in the Cursor AI IDE itself, nor from flaws in Microsoft Visual Studio Code or its official extension marketplace. Rather, it was the result of the developer inadvertently installing a malicious extension from the third-party Open VSX repository.
For the developer, the incident proved devastating—a stark reminder that all extensions, regardless of their source, must be scrutinized with extreme caution. Even Microsoft’s own ecosystem has been infiltrated by malicious actors, and third-party marketplaces pose an even greater risk.
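One way to triage installed extensions for the behaviour described above, a syntax-highlighting extension whose JavaScript launches PowerShell. This is an added example, not code from Kaspersky or from the original report. The indicator patterns, function names and the sample directory tree are assumptions constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Heuristic indicators assumed for this example; they are not IoCs from the report.
const INDICATORS = [
  { id: "spawns-process", re: /require\(\s*['"](?:node:)?child_process['"]\s*\)/ },
  { id: "invokes-powershell", re: /\b(?:powershell|pwsh)(?:\.exe)?\b/i },
  { id: "remote-url", re: /https?:\/\/[^\s'"`]+/i },
];
const scanSource = (text) => INDICATORS.filter((i) => i.re.test(text)).map((i) => i.id);

// Recursively collect every .js file under one extension folder.
function listJsFiles(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    if (e.isDirectory()) return listJsFiles(p);
    return e.isFile() && p.endsWith(".js") ? [p] : [];
  });
}

// Report each file that both spawns a process and names PowerShell,
// a combination a syntax highlighter has no reason to contain.
function auditExtensions(root) {
  const report = [];
  for (const e of fs.readdirSync(root, { withFileTypes: true })) {
    if (!e.isDirectory()) continue;
    for (const file of listJsFiles(path.join(root, e.name))) {
      const hits = scanSource(fs.readFileSync(file, "utf8"));
      if (hits.includes("spawns-process") && hits.includes("invokes-powershell")) {
        report.push({ extension: e.name, file: path.relative(root, file), hits });
      }
    }
  }
  return report;
}

// Constructed sample tree (not from the incident): one benign, one suspicious.
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "ext-audit-"));
  const files = {
    "good.highlighter-1.0.0/extension.js": 'exports.activate = () => console.log("grammar loaded");',
    "example.solidity-0.0.1/extension.js": 'require("child_process").exec("powershell -File placeholder.ps1");',
  };
  for (const [rel, body] of Object.entries(files)) {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), body);
  }
  return root;
}
console.log(auditExtensions(buildSample()));
```

To check a real machine, pass the path of the user's .cursor\extensions directory to `auditExtensions` instead of the sample tree. A hit is a prompt for manual review, since obfuscated code can evade string matching and some legitimate extensions do spawn processes.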