A decade of flawless security ended for Ethereum core developer Zak.eth after a malicious VS Code extension on the AI code editor Cursor drained his wallet. The incident, which occurred last week, involved the “contractshark.solidity-lang” extension.
According to Zak.eth's X thread, the extension appeared legitimate, with over 54,000 downloads, a professional description, and a presence in Cursor’s default registry. However, within minutes of installation, the extension accessed Zak’s .env file and transmitted his private key to an attacker’s server. Three days later, the attacker drained funds.
Zak lost only a few hundred dollars thanks to strict operational security. His main funds remained on hardware wallets. “If it can happen to me, it can happen to you,” he warned, noting he had never been hacked before. The attack is part of a larger $500,000+ theft campaign targeting developers through supply chain vulnerabilities.
How the Attack Unfolded
The extension exploited misspelt names, huge download counts, and confidence in official registries. By using only JavaScript, it was able to evade OS-level malware detection.
It primarily targeted developers at their most vulnerable moments, when they were rushing to release their work. Zak acknowledged that he overlooked some warning signs, like the absence of a linked GitHub repository and the odd naming of the publisher.
In addition to losing money, he stumbled upon malicious tools used by the attacker, including “juanbIanco.solidity” and the “solsafe” npm package. He advised developers to conduct an immediate audit of their installed extensions, change their keys, and ensure that no sensitive information is left in their .env files.
Strengthening Developer Defenses
Following the breach, Zak redesigned his workflow. He now uses isolated virtual machines, hardware wallets exclusively, and encrypted vaults for secrets. He also applies an extension whitelist and avoids installing new tools in haste.
Security experts echo his advice. Hakan Unal from Cyvers stressed, “Builders should vet extensions, avoid storing secrets in plain text or .env file, use hardware wallets, and develop in isolated environments.”
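The extension audit and whitelist described above can be scripted. The following is an added example, not code from Zak.eth or from Cursor: it reads each installed extension's package.json manifest and flags the two extension IDs named in this article, anything missing from an allowlist, publisher names that imitate an allowlisted one, and manifests with no linked repository. The allowlist entry and the extension directory paths are assumptions for illustration.

```python
import json
from pathlib import Path

# Extension IDs named in the article as malicious (compared in lowercase).
BLOCKLIST = {"contractshark.solidity-lang", "juanbianco.solidity"}
# Constructed allowlist for illustration; replace with your own reviewed set.
ALLOWLIST = {"juanblanco.solidity"}
# Characters commonly swapped to imitate a trusted publisher name.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})

def skeleton(ext_id):
    """Collapse look-alike characters so 'juanbIanco' compares equal to 'juanblanco'."""
    return ext_id.translate(CONFUSABLE).lower()

def audit_extensions(ext_dir, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Return {extension_id: [findings]} for every manifest under ext_dir."""
    report = {}
    trusted = {skeleton(a): a.lower() for a in allowlist}
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            report[manifest.parent.name] = ["unreadable manifest"]
            continue
        raw = f"{meta.get('publisher', '')}.{meta.get('name', '')}"
        ext_id, findings = raw.lower(), []
        if ext_id in blocklist:
            findings.append("named as malicious in the article")
        if ext_id not in trusted.values():
            findings.append("not on allowlist")
            if skeleton(raw) in trusted:
                findings.append(f"look-alike of {trusted[skeleton(raw)]}")
        if not meta.get("repository"):
            findings.append("no linked source repository")
        if findings:
            report[raw] = findings
    return report

if __name__ == "__main__":
    # Assumed default locations; adjust for your editor and OS.
    for d in ("~/.cursor/extensions", "~/.vscode/extensions"):
        path = Path(d).expanduser()
        if path.is_dir():
            for ext, issues in audit_extensions(path).items():
                print(f"{ext}: {'; '.join(issues)}")
```

A clean report does not prove an extension is safe; it only narrows what needs manual review before keys are rotated.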
This breach shows that even the most security-conscious developers remain vulnerable to modern supply chain attacks. Consequently, developer trust in extension marketplaces needs to be re-evaluated. As Zak concluded, “Good OpSec saved me from disaster. Paranoia paid off.”

