{"id":78439,"date":"2025-07-13T10:58:51","date_gmt":"2025-07-13T07:58:51","guid":{"rendered":"https:\/\/gulftech-news.com\/en\/?p=78439"},"modified":"2025-07-13T11:00:51","modified_gmt":"2025-07-13T08:00:51","slug":"kaspersky-uncovers-500k-crypto-heist-through-malicious-packages","status":"publish","type":"post","link":"https:\/\/gulftech-news.com\/en\/2025\/07\/13\/kaspersky-uncovers-500k-crypto-heist-through-malicious-packages\/","title":{"rendered":"Kaspersky uncovers $500K crypto heist through malicious packages"},"content":{"rendered":"\n

Kaspersky <\/a>GReAT (Global Research and Analysis Team) experts have discovered open-source packages that download the Quasar backdoor and a stealer designed to exfiltrate cryptocurrency. The malicious packages are intended for the Cursor AI development environment, which is based on Visual Studio Code \u2014 a tool used for AI-assisted coding.<\/strong><\/p>\n\n\n\n

The malicious open-source packages are extensions hosted in the Open VSX repository that claim to provide support for the Solidity programming language. However, in practice, they download and execute malicious code on users’ devices.<\/p>\n\n\n\n

During an incident response, a blockchain developer from Russia reached out to Kaspersky after installing one of these fake extensions on his computer, which allowed attackers to steal approximately $500,000 worth of crypto assets.<\/p>\n\n\n\n

The threat actor behind these packages managed to deceive the developer by making the malicious package rank higher than the legitimate one. The attacker achieved this by artificially inflating the malicious package\u2019s downloads count to 54,000.<\/p>\n\n\n\n

Search results for the query \u201csolidity\u201d: the malicious extension (highlighted in red) and the legitimate one (highlighted in green).<\/em><\/p>\n\n\n\n

After installation, the victim gained no actual functionality from the extension. Instead, malicious ScreenConnect software was installed on the computer, granting threat actors remote access to the infected device.<\/p>\n\n\n\n

Using this access, they deployed the open-source Quasar backdoor along with a stealer that collects data from browsers, email clients, and crypto wallets. With these tools, the threat actors were able to obtain the developer\u2019s wallet seed phrases and subsequently steal cryptocurrency from the accounts.<\/p>\n\n\n\n

After the malicious extension downloaded by the developer was discovered and removed from the repository, the threat actor republished it and artificially inflated its installation count to a higher number \u2013 2 million, compared to 61,000 for the legitimate package. The extension was removed from the platform following a request from Kaspersky.<\/p>\n\n\n\n

\u201cSpotting compromised open-source packages with the naked eye is becoming increasingly<\/em> difficult. Threat actors are using increasingly creative tactics to deceive potential victims, even developers who have a strong understanding of cybersecurity risks \u2014 particularly those working in the blockchain development field. <\/em><\/p>\n\n\n\n

As we expect adversaries to continue targeting developers, it is recommended that even experienced IT professionals deploy dedicated security solutions to safeguard sensitive data and prevent financial losses,\u201d<\/em> commented Georgy Kucherin, Security Researcher with Kaspersky\u2019s Global Research and Analysis Team.<\/p>\n\n\n\n

The threat actor behind the attack published not only malicious Solidity extensions but also another NPM package, solsafe<\/em>, which also downloads ScreenConnect. A few months earlier, three additional malicious Visual Studio Code extensions were released \u2014 solaibot<\/em>, among-eth<\/em>, and blankebesxstnion<\/em> \u2014 all of them have already been removed from the repository.<\/p>\n\n\n\n

To stay safe, Kaspersky recommends:<\/p>\n\n\n\n