Kaspersky Finds Fake Coding Extensions That Can Steal Crypto Assets
JAKARTA - Kaspersky's Global Research and Analysis Team (GReAT) found a malicious Visual Studio Code extension targeting blockchain developers, especially users of the AI-based Cursor platform.
In its report, the global cybersecurity company said that this extension downloaded the Quasar backdoor and a stealer program designed to steal crypto assets.
The malicious extension was uploaded to the Open VSX repository, claiming to offer support for the Solidity programming language. In reality, the extension executes malicious code on the user's device.
Access to victims' devices is obtained through ScreenConnect software, which is also installed secretly, allowing the perpetrators to spread malware and steal data such as crypto wallet seed phrases, email, and browser information.
A blockchain developer from Russia fell victim after installing the extension. The perpetrator managed to steal cryptocurrency worth about US$500,000 (around Rp 8 billion) from his digital wallet.
Worse, the perpetrators also faked the popularity of the extension so that it appeared at the top of search results, making it look as if the extension had been downloaded tens of thousands of times.
After the extension was removed, they republished a new version that even reached 2 million downloads, far more than the original extension.
The perpetrators also distributed other dangerous extensions, such as solsafe, solaibot, among-eth, and blankebesxstnion, which have now been removed from the platform.
Kaspersky has reported the malicious extension for removal from Open VSX and reminded developers to be more careful when installing new extensions.
"Therefore, all users, especially those who work in the blockchain world, should use additional protection so that their data and money are safe," said Georgy Kucherin, security researcher at Kaspersky.
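To check a workstation for the four extension names listed above, the following is an added example, not code from Kaspersky or from this article. It assumes extensions are installed in folders named `<publisher>.<name>-<version>` under `~/.vscode/extensions` and `~/.cursor/extensions`; the publishers and versions in the sample are constructed.

```python
import re
from pathlib import Path

# Extension names reported as malicious in the article above.
REPORTED_NAMES = {"solsafe", "solaibot", "among-eth", "blankebesxstnion"}

# Assumption: folders are named "<publisher>.<name>-<version>", optionally
# followed by a platform suffix such as "-linux-x64".
FOLDER_RE = re.compile(
    r"^(?P<publisher>[^.]+)\.(?P<name>.+?)-(?P<version>\d+\.\d+\.\d+)(?:[-+].*)?$"
)

# Assumption: default per-user extension directories for VS Code and Cursor.
DEFAULT_DIRS = [Path.home() / ".vscode" / "extensions",
                Path.home() / ".cursor" / "extensions"]


def parse_folder(folder_name):
    """Return (publisher, name, version), or None if the name does not fit."""
    m = FOLDER_RE.match(folder_name)
    if not m:
        return None
    return m["publisher"].lower(), m["name"].lower(), m["version"]


def flag_reported(folder_names, reported=REPORTED_NAMES):
    """Return the folders whose extension name is on the reported list."""
    parsed = ((f, parse_folder(f)) for f in folder_names)
    return [f for f, p in parsed if p and p[1] in reported]


def scan(dirs=DEFAULT_DIRS):
    """Check every existing extension directory; map directory -> hits."""
    results = {}
    for d in dirs:
        if d.is_dir():
            names = [p.name for p in d.iterdir() if p.is_dir()]
            results[str(d)] = flag_reported(names)
    return results


if __name__ == "__main__":
    # Constructed sample folder names (publishers and versions are made up).
    sample = ["examplepub.solsafe-0.1.0", "examplepub.among-eth-1.2.3",
              "otherpub.python-tools-2024.2.1", "examplepub.SolAIBot-0.0.9-linux-x64"]
    print("sample hits:", flag_reported(sample))
    print("local scan:", scan())
```

The match is on extension name only, because the article gives no publisher identifiers, so a hit is a lead to review rather than proof of compromise.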