A blockchain developer from Russia lost about $500 thousand in cryptocurrency after installing a malicious extension for the Cursor AI code editor. The victim was looking for an ordinary Solidity syntax-highlighting extension but downloaded a fake version.
He searched the Cursor AI browser extension store for «solidity» and chose the «Solidity Language» extension, which had 54,000 downloads. As it turned out, it was a fake: the attackers had copied the description from the original extension (which had 61,000 downloads) and published a counterfeit under it. The fake extension appeared higher in the search results because of the ranking algorithm: although it had fewer downloads, it had been updated more recently (June 15, 2025) than the original (May 30), which pushed it up in the ranking.
Instead of highlighting code, the extension downloaded a malicious PowerShell script from the attackers' server and then installed the ScreenConnect remote-control program. The next step was to download a data-stealing trojan. The malicious extension collected information from browsers, email clients, and crypto wallets.
After the first fake extension was removed on July 2, 2025, the attackers published a new one with exactly the same name as the original, «solidity». They even imitated the developer's name: at first glance the publisher names look identical, but the legitimate package is from juanblanco and the malicious one is from juanbIanco (with an uppercase «I» in place of the lowercase «l»). The font used by Cursor AI renders lowercase l and uppercase I identically.
That is why two seemingly identical extensions appeared in the search results: a legitimate one with 61 thousand downloads and a malicious one with 2 million downloads.
Source: SecureList