Code highlighting extension for Cursor AI used for $500k theft
152 comments · July 15, 2025 · EZ-E
muzzle
I also naively thought that IDE extensions were sandboxed until I worked myself on making extensions.
Well, it’s absolutely not and you can access the full filesystem. Which is handy if you are legit, but very permissive & much more a security threat than I imagined.
Be careful what extensions you install, people :)
addandsubtract
VSCode on MacOS asks me if it can access my Download/Documents/etc folder... and if I trust the files in directory X that I just opened. Yet, extensions can just bypass all those safeguards?
simonw
I believe extensions inherit the permissions that the editor has already - so if you've given Cursor or VS Code permission to access a folder any extensions they run later can access it too.
I agree, this seems bad! Sandboxing is still a very weakly implemented craft for most applications, especially those that run extensions or plugins.
(I build a lot of software that runs plugins and has no sandboxing at all, and it really frustrates me. I'm constantly looking out for cross-platform Python-friendly sandboxing tech that might help with this in the future.)
postalcoder
Definitely install something like little snitch and keep an eye out for the requests that come out of vscode.
I’ve become very paranoid with extensions as of late. It’s great that LLMs have gotten so good at banging out personal tools. I am using a few home-grown extensions in my own setup.
sshine
There is no ACL system in place for VSCode extensions, no.
Any extension has full access to execute programs as the user.
Your operating system might have some security measures in place.
cosiiine
Zed for example will start crawling your home directory and all children if you don’t have a project open. Documents, downloads, etc all uploaded.
notpushkin
Source?
bravesoul2
Even with just internet access an extension could upload your entire codebase. Git extensions for example need this level of access by design. How else could you set a different remote and push all refs:)
ants_everywhere
> Am I understanding right the extension was free to download code from internet and execute with enough rights to scan the user's disk?
I honestly thought that was how the JavaScript and Python ecosystems worked? And surely many others.
IshKebab
> Does this mean every company is one bad extension install away from having its entire codebase stolen or worse?
Yes.
> I naively assumed the extensions were 'sandboxed' to some degree.
No. This is fairly obvious if you have used more than a few extensions - often they'll ask you to download and install binaries.
delusional
These systems rely on downloading and executing much more untrusted software than you could ever imagine. Please dig deeper into this for yourself, I think that's the only way for anyone to truly appreciate the mess we are getting ourselves into.
christophilus
Supply chain attacks really worry me. I do most of my work in docker containers partly as a small attempt to mitigate this. I run the full stack in the container, including Claude Code, Neovim, Postgres, etc.
I do have a fair number of Neovim plugins on my host machine, and a number of Arch packages that I probably could do without.
I’ve considered keeping my host’s Neovim vanilla, but telescope is hard to live without.
bravesoul2
Supply chain attacks mean you need to trust your choice of suppliers, trust their security posture and choice of suppliers and so on. Even docker itself has FROM and often a few "apt get" (or similar) commands to build the image. Even with no file access, they can exfiltrate data.
This and MCP, IoT all the things, vibe coding, AI impersonation for social attacks and cryptocurrency rewards it's a golden age for criminal hackers!
throwawayffffas
Not just apt-get it might even have some `curl ... | sh`.
chasd00
Curl | sh is gold. It’s like finding a candy bar on the street and eating it heh.
fc417fc802
The number of dependencies that require inordinate amounts of effort to build from a clean repository without network access is truly alarming. Even many core tools can't be bootstrapped (at least easily or in a manner supported by the developers) without downloading opaque binary blobs. It's like the entire software ecosystem is underpinned by sketchy characters hanging out in dark alleys who clandestinely slip you the required binaries if you ask nicely.
aldur
Same worries and setup here, with the only difference that I use Nix to either spawn a QEMU VM or build an LXC container that runs on a Chromebook (through Crostini).
I started using throwaway environments, one per project. I try keeping the stuff installed in the host OS to the bare minimum.
For the things I need to run on the host, I try to heavily sandbox it (mostly through the opaque macOS sandbox) so that it cannot access the network and can only access a whitelist of directories. Sandboxing is painful and requires trial and error, so I wish there was a better (UX-wise) way to do that.
xinayder
Do you use devcontainers or a custom-built solution? Would you mind sharing how you do your dev work using containers? I've been looking to try it out, and this attack might be the tipping point to where I actually do that.
christophilus
Custom. I have a little script: “dev sh” which creates a new container for whatever folder I’m in. The container has full access to that folder, but nothing else. If there’s a .podman/env file, the script uses that to configure things like ports, etc.
From what I saw of devcontainers, they basically grant access to your entire system (.ssh, etc). May be wrong. That’s my recollection, though.
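The approach described in the comment above (a throwaway container that sees only the current project folder, configured from an optional .podman/env file) as an added example; this is not christophilus's own script. It assumes podman is installed, that DEV_IMAGE names a locally available image (defaulting to docker.io/library/debian:stable), and that .podman/env holds plain KEY=VALUE lines for two made-up keys, PORTS and NETWORK. The env file is parsed rather than sourced, so a file checked into a repository cannot run shell on the host just by being opened.

```shell
#!/bin/sh
# Added example, not the commenter's script: a minimal "dev sh"-style
# launcher. The container gets the project directory bind-mounted at /work
# and nothing else from the host (no $HOME, no ~/.ssh), runs with all
# capabilities dropped and no-new-privileges, and maps the container user
# to the invoking user (--userns=keep-id) so files keep sane ownership.
#
# Assumed optional per-project file: PROJECT/.podman/env with lines like
#   PORTS="8080:8080 5432:5432"   host:container ports to publish
#   NETWORK=none                  value for podman --network
# Set DEV_DRY_RUN=1 to print the command instead of executing it.

# read_env_key FILE KEY -> prints the value (quotes stripped) or nothing.
# Deliberately a text lookup, not ". FILE": a project-local file must not
# be able to execute commands on the host.
read_env_key() {
    [ -f "$1" ] || return 0
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# build_dev_cmd PROJECT_DIR [ENV_FILE] -> podman argv, one word per line
# (one word per line keeps paths with spaces intact when consumed below).
build_dev_cmd() {
    dir=$1
    envfile=${2:-$1/.podman/env}
    image=${DEV_IMAGE:-docker.io/library/debian:stable}
    network=$(read_env_key "$envfile" NETWORK)
    ports=$(read_env_key "$envfile" PORTS)

    printf '%s\n' podman run --rm -it \
        --userns=keep-id \
        --security-opt=no-new-privileges \
        --cap-drop=ALL \
        -v "$dir:/work:Z" \
        -w /work
    # Only restrict networking when the project asks for it; otherwise
    # podman's default private network namespace applies.
    [ -n "$network" ] && printf '%s\n' "--network=$network"
    for p in $ports; do
        printf '%s\n' -p "$p"
    done
    printf '%s\n' "$image" sh
}

# dev_sh [PROJECT_DIR]: run the container for that directory (default: cwd).
dev_sh() {
    dir=$(cd "${1:-.}" && pwd) || return 1
    if [ "${DEV_DRY_RUN:-0}" = 1 ]; then
        build_dev_cmd "$dir" | tr '\n' ' '
        echo
        return 0
    fi
    # Split the generated argv on newlines only, then exec it.
    oldifs=$IFS
    IFS='
'
    set -f
    set -- $(build_dev_cmd "$dir")
    set +f
    IFS=$oldifs
    exec "$@"
}

# Usage: save as dev, then run `dev sh` (or `DEV_DRY_RUN=1 dev sh` to inspect)
# from inside a project directory.
[ "${1:-}" = sh ] && [ -z "${DEV_TEST:-}" ] && dev_sh .
```

The important line is the single `-v "$dir:/work:Z"` mount: whatever an extension or tool inside the container does, the host's home directory, SSH keys and other projects are simply not present in its filesystem view. Network access is still there by default, so exfiltration of the mounted project remains possible; set NETWORK=none for work that does not need it.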
riv991
Microsoft were very quick to highlight their extensions being safer after this.
worble
And yet, this entire class of abuse is only possible because Microsoft refuse to implement any kind of permission management or sandboxing for extensions.
rs186
Second this.
As a vscode extension author, I am scared by the power I have. I am not at all surprised by what happened in this story.
jowea
2 seconds? That wasn't the team then, it must have failed some automated filter.
nkrisc
If the team put those filters in place, then it was the team. Anyone implementing automation gets to be held responsible for its failure, but also its successes.
bootsmann
Yeah, it had a copy-paste description from the original extension, probably a very easy thing to detect.
the_mitsuhiko
Unfortunately the marketplace ecosystem is why I went back to VSCode from Cursor. I'm a bit upset by this because I don't quite appreciate that Microsoft has a closed ecosystem for the marketplace and does not open it to Cursor but the reality is, that Open VSX does not have all extensions and little vetting.
notpushkin
> Open VSX does not have all extensions
This can be solved quite easily for open source extensions: https://github.com/EclipseFdn/open-vsx.org/wiki/Auto-Publish...
Vetting however is trickier. I hope Cursor can fund this effort!
IshKebab
Well this was an extremely unsophisticated attack. The malware wasn't hidden and they didn't even bother to actually copy the real extension.
If I were doing this I would copy the real extension, give it a name that made it sound official but in the README say it is a tweaked version with some improvements or whatever. Also actually add some improvements, but hide the malware in those changes.
Good luck finding that. (brb going to try this)
raincole
The whole thing worked only because they gamed open-vsx ranking algorithm.
Quarrel
and yet, there are many malware extensions per day that get through:
https://github.com/microsoft/vsmarketplace/blob/main/Removed...
delusional
People better remember that tweet the next time somebody finds another malicious extension on their marketplace.
londons_explore
If you want to know if you've fallen victim to such an attack, this might help:
It is a small crypto wallet you can hide in your computer and be notified when someone steals from it.
throw7484485
Downloading random code from internet is just normal development on Mac. Brew, npm and other sorts of "package managers".
I have code, passwords and certificates separated in virtual machines, even IDE GUI app is virtualized, and has no rights to access GitHub, internet or filesystem directly.
But I get a lot of flak from coworkers. They say it is unintuitive and uses an x86 CPU which is uncool. Mac has no reasonable VM software or secure containers!
OldfieldFund
Mac also has far fewer Trojans/stealers than Windows, as far as I understand.
throw7484485
But I am not on windows
joelthelion
So that guy used the same machine for development and holding $500,000 in crypto?
LikesPwsh
Cryptocurrency contracts are going to touch actual tokens at some point.
Even if the compromise wasn't on the developer's machine, it could have enabled a supply chain attack post-deployment.
walls
There are test networks, and anyone with more than $500 in crypto should be using a hardware wallet at this point.
Jhsto
Thought the same thing. Could it be a false claim to get a nice headline and thus clicks on your site?
oc1
Most people do.
joelthelion
Most people don't hold 500k in cryptos.
Holding that much money on a machine that is not ultra secure is borderline insane.
djrj477dhsnv
If it's less than 1% of your net worth, not that insane.
It's similar to how many crypto businesses will have a hot wallet with some fraction of their more secure cold wallet that they're okay losing.
signaleleven
Somewhat humorously, my company displayed an IT warning telling me that I can't visit the website in question because it's in Russia. I probably set off some kind of alarm somewhere.
I do use Cursor at work and I have various extensions installed.
OkPin
This incident really underscores how AI-powered dev tools, which rely on open-source extension registries like Open VSX, can be weaponized via supply chain abuse. A $500k crypto heist via a bogus “syntax highlighter” signals a scary maturity in these attacks.
Ranking manipulation, using recency and inflated download counts, to outrank the legitimate Solidity package is a clever exploit of how developers search. It makes me wonder: should IDEs start validating package authorship or offer signed extensions as a default?
Also, the fact that this happened on a freshly imaged system with no antivirus suggests we need to rethink trust models for extension marketplaces. Not just for crypto devs, but for any industry sensitive to code integrity.
oc1
We're getting back to the old age of antivirus software. Can't wait to install Norton or Kaspersky on my Mac M5. Also good time to start your antivirus ai startup.
OldfieldFund
Can you sell me your Mac M5, time traveller?
meander_water
There's actually a new setting in vscode (from Dec 24) to configure a whitelist for extensions that are allowed to be installed on a user's machine [0]. It's not foolproof, but it probably helps to prevent common supply chain attacks. I wonder if this could be used in cursor too.
[0] https://code.visualstudio.com/docs/setup/enterprise#_configu...
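What the allowlist mentioned above looks like in practice, as an added example rather than anything from the linked docs page: a VS Code settings.json fragment using the `extensions.allowed` setting (the one introduced in the December 2024 release). The publisher and extension IDs are illustrative; `ms-python` and `juanblanco.solidity` are real marketplace identifiers, the others are placeholders. The first fragment is the default (no restriction at all); the second allows only named publishers and extensions, with one version pinned.

```json
{
  "_comment_default": "No extensions.allowed entry at all: any extension from the marketplace can be installed. This is the state the incident in the thread relied on.",

  "_comment_restricted": "Allowlist. A bare publisher key permits everything that publisher ships; an extension ID permits that one extension; a version string pins it; false blocks it explicitly; 'stable' permits any release but no pre-release builds.",
  "extensions.allowed": {
    "ms-python": true,
    "juanblanco.solidity": "stable",
    "example-publisher.example-tool": "1.4.2",
    "example-publisher.example-preview": false
  }
}
```

Anything not matched by an entry is refused at install time, so a look-alike extension published under a fresh publisher name is blocked regardless of its download count or ranking. In an enterprise setting this is normally pushed as a managed policy rather than edited by each user, since a per-user settings.json can simply be changed back. Whether Cursor honours this setting is not something this thread establishes.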
samsk
That's why I always develop on a per-customer mini VM via VSCode ssh remoting or similar, and projects are usually run via docker-compose or devcontainers.
voidUpdate
I'm surprised that you can still get .su (Soviet Union) domains. I'd have thought someone would have said that you can't buy them anymore.
poly2it
How much are you missing out on if you just ban *.su connections on your device?
voidUpdate
According to Wikipedia: organisations with roots in the Soviet Union, the Donetsk People's Republic, white supremacist websites and cybercrime. So you can probably safely block it unless you're into those kinds of things.
EDIT: also students' unions apparently, which kinda makes sense.
nubinetwork
Russia doesn't give a shit. https://en.wikipedia.org/wiki/.su
pshirshov
But this is not about Cursor. It's a supply chain attack, and a Windows machine running a software wallet. A hardware wallet would make this impossible.
bravesoul2
Hardware wallet makes this less likely. Yes.
Am I understanding right the extension was free to download code from internet and execute with enough rights to scan the user's disk? That is wild. Does this mean every company is one bad extension install away from having its entire codebase stolen or worse?
I naively assumed the extensions were 'sandboxed' to some degree.