2025-09-16

Dozens of malicious extensions have infiltrated the major IDE (integrated development environment) marketplaces favored by vibe coders over the past month. Major crypto figures have reported falling victim to this fraud campaign.

Security researchers at Koi Security warn that they discovered a wave of 24 malicious extensions specifically targeting vibe coders, a term for developers who write software with the help of artificial intelligence.

Over the past month, malicious extensions targeting Cursor, Windsurf, and VSCode users were found on the VSCode and OpenVSX marketplaces.

Attackers manage to artificially inflate download counts and ratings so the fake extensions look more appealing than the original ones. However, if developers download them, they launch stealthy crypto stealers, which are also compatible with macOS.

The researchers attributed the attacks to the same threat actors who previously created a fake extension called Solidity and dubbed them “WhiteCobra.” Solidity is the programming language used for implementing Ethereum smart contracts, and extensions add language support to popular IDEs. One developer in Russia reportedly lost $500,000 to this scam.

However, hackers now consistently repeat the playbook. Crypto influencer zak.eth, despite being a security professional with a decade of experience, recently announced that a malicious Cursor extension drained his crypto wallet.

“I've been in crypto for over 10 years and I’ve never been hacked. Perfect OpSec record.

Yesterday, my wallet was drained by a malicious @cursor_ai extension for the first time.

If it can happen to me, it can happen to you. Here’s a full breakdown. 🧵👇” – zak.eth (@0xzak), August 12, 2025

“WhiteCobra continues to upload new malicious extensions on a weekly basis, including just this week, making zak.eth far less likely to be the last victim,” Koi Security said in the report.

The five phases of the attack

The researchers managed to recover an internal markdown file belonging to the attackers, detailing their strategy. The “DEPLOYMENT PLAN: Operation Solidity Pro” lists five essential phases of the attack, including the estimates of potential revenue, ranging from $10,000 to $500,000 per hour.

The strategy phases are packaging, deployment, promotion, inflation, and, ultimately, exfiltration of the funds. The document even included wallet addresses to direct the stolen funds and specific instructions for setting up the command and control server.

The attackers use a specific script to automate the inflation of the number of downloads on extension stores. Their strategy includes buying “thousands of high-quality residential proxies.”

“Let the script run until the target of 50,000 downloads is reached. This will provide social proof for developers discovering the extension,” the attacker’s blueprint reads.

This way, their Solidity extension managed to appear at the top of the OpenVSX registry with a better rating than the legitimate one.

This tricks both marketplaces and developers. The attackers aggressively support the campaign on social media with fake posts, deploying bots to interact with the posts.

“White Cobra’s operation isn’t just persistent – it’s technically layered, obfuscated, and intentionally evasive. Let’s walk through the extension’s execution flow and unpack how the final malicious executable is delivered and run, cross-platform,” the researchers said.

A first glance at the malicious extension’s main file, extension.js, reveals no malicious intent – it’s minimal. The obfuscated payload is hidden in a separate file, “prompt.js”, a script that downloads the next stage.

“It simply uses PowerShell to download Python, and then executes an encoded Python script!”

Ultimately, the victim gets infected with a powerful commercial infostealer, LummaStealer, which exfiltrates crypto information and other sensitive data from the computer.

“With documented processes, automated tools, and revenue projections treating victims as mere numbers, this isn't hacking – it's a business operation,” the researchers warn.

Koi Security reported all 24 detected extensions, and they’ve been taken down. However, the attackers continue uploading new ones daily. Launching a new campaign from scratch only takes three hours.

The researchers urge the implementation of better mechanisms for trust and verification to remove the attackers' advantage.

