I've been in crypto for over 10 years and I’ve never been hacked. Perfect OpSec record.
Yesterday, my wallet was drained by a malicious @cursor_ai extension for the first time.
If it can happen to me, it can happen to you. Here’s a full breakdown. 🧵👇
1/ Background: I'm obsessive about security. Hardware wallets, segregated hot wallets, unique passwords, 2FA everything.
In 10+ years, I have never lost a single wei to hackers.
Then I rushed to ship a contract last week.
2/ The Attack Vector: "contractshark.solidity-lang" extension in Cursor/VS Code.
Looked legitimate:
- Professional icon
- Proper description
- 54,000+ downloads
- From Open VSX (Cursor's default registry)
- Publisher "contractshark" seemed reasonable
3/ What ACTUALLY Happened:
Aug 7, 11:02 - Installed extension
Aug 7, 11:03 - Opened my project
Aug 7, 11:05 - Extension silently read my .env file
Aug 7, 11:06 - Sent my private key to attacker's server
Aug 10 - Wallet drained
3 days of access.
4/ The Damage: Only lost a few hundred $ in ETH because I follow strict practices:
- Hot wallets for testing only
- Small amounts
- Segregated by project
- Main funds in hardware wallets
Without these practices, I'd be posting a very different thread.
5/ How I Discovered It:
- Wallet drained notification
- Checked Cursor logs
- Found installation record
- Looked into all my extensions
- Found Kaspersky/BleepingComputer reports
- Part of $500K+ theft campaign
Step 2: Search for extension
grep -r "contractshark" [log_directory]
Step 3: Check state database for trusted publishers
7/ Why This Attack Works:
- Targets developers' weakest moment (rushing to ship)
- Exploits trust in official registries
- No OS specific malware needed (pure JavaScript)
- Works on Mac/Linux/Windows
- Silent execution, no indicators
8/ Red Flags I Missed:
❌ Publisher "contractshark" vs legitimate "juanblanco"
❌ No GitHub repository linked
❌ High downloads but no reviews
❌ Published recently (July 2025)
❌ Typosquatting common extensions
Rush to ship = ignored instincts
9/ CRITICAL OpSec Rules (learned the hard way):
NEVER:
- Store private keys in .env files
- Trust download counts alone
- Install extensions while rushing
- Use hot wallets for anything valuable
ALWAYS:
- Verify publisher carefully (check for l vs I)
- Check GitHub repo
- Use hardware wallets
10/ My New Development Setup:
1. Separate VM for smart contract work
2. Hardware wallet only (no hot wallets, period)
3. Secrets in encrypted vaults (1Password CLI)
4. No .env files with keys, ever
5. Extension whitelist only
11/ For Cursor/VS Code Users:
Immediately run:
# List all extensions
code --list-extensions
# Check for contractshark
ls ~/.cursor/extensions | grep -i contract
# Review trusted publishers
sqlite3 ~/Library/Application\ Support/Cursor/User/globalStorage/state.vscdb "SELECT value FROM ItemTable WHERE key='extensions.trustedPublishers'"
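As an added example (not part of the thread), the following POSIX sh script audits a list of extension IDs in the `publisher.name` form that `code --list-extensions` prints, flagging the identifiers named in this thread and publisher names that collapse onto a trusted one once common homoglyphs (capital I, 1, 0) are folded. The sample input is constructed; the only trusted publisher assumed is "juanblanco", as named above.

```shell
#!/bin/sh
# Added example, not from the thread. Audits extension IDs (publisher.name)
# against the identifiers the thread names and against publisher lookalikes.

# Constructed sample of `code --list-extensions` output (not a real machine).
SAMPLE_EXTENSIONS='ms-python.python
juanblanco.solidity
contractshark.solidity-lang
juanbIanco.solidity
juanb1anco.solidity
Theme.darcula-dark'

# Publisher names treated as legitimate; the thread names juanblanco.
TRUSTED_PUBLISHERS='juanblanco'

# Fold homoglyphs so "juanbIanco" and "juanb1anco" compare equal to
# "juanblanco": I and 1 become l, 0 becomes o, then everything is lowercased.
normalize_publisher() {
    printf '%s' "$1" | tr 'I10' 'llo' | tr 'A-Z' 'a-z'
}

# Print "<id> <reason>" when an ID is suspicious, nothing when it is clean.
# Always exits 0 so it is safe inside loops under `set -e`.
classify_extension() {
    id="$1"
    publisher="${id%%.*}"
    case "$id" in
        contractshark.solidity-lang|juanbIanco.solidity|Theme.darcula-dark)
            printf '%s known-malicious\n' "$id"; return 0 ;;
    esac
    norm="$(normalize_publisher "$publisher")"
    for trusted in $TRUSTED_PUBLISHERS; do
        # Same name after folding but spelled differently: a lookalike publisher.
        if [ "$norm" = "$trusted" ] && [ "$publisher" != "$trusted" ]; then
            printf '%s lookalike-of %s\n' "$id" "$trusted"; return 0
        fi
    done
    return 0
}

# Classify every line of a newline-separated list; output is the flagged set.
audit_extensions() {
    printf '%s\n' "$1" | while IFS= read -r id; do
        if [ -n "$id" ]; then classify_extension "$id"; fi
    done
}

# On a real machine replace SAMPLE_EXTENSIONS with "$(code --list-extensions)".
audit_extensions "$SAMPLE_EXTENSIONS"
```

Extension IDs under ~/.cursor/extensions carry a version suffix (publisher.name-x.y.z), so strip it before feeding them to audit_extensions.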
12/ If You're Compromised:
IMMEDIATELY:
1. Rotate ALL keys in the project
2. Check Etherscan for unauthorized txns
3. Revoke all token approvals
4. Generate new wallets
5. Document everything for taxes/insurance
6. Contact @_SEAL_Org
13/ The Attackers' Full List (AVOID):
- contractshark.solidity-lang
- juanbIanco.solidity (capital I)
- Theme.darcula-dark
- "solsafe" npm package
- Any Solidity extension with 50K+ downloads but <100 reviews
14/ Why I'm Sharing This:
Pride hurt? Yes.
Embarrassed? Absolutely.
But if one dev avoids this because of my thread, it's worth it.
We need to normalize discussing failures. Security through obscurity doesn't work.
15/ The Hard Truth:
This wasn't a sophisticated hack. It was a supply chain attack that exploited developer trust.
I had impeccable hygiene and still got got because I was:
- Tired
- Rushing
- Trusting
That's all it takes. One moment of letting your guard down.
16/ Action Items for the Community:
1. Audit your extensions NOW
2. Move keys out of .env files TODAY
3. Implement hardware wallet only policy
4. Share this thread
5. Report suspicious extensions
We're all targets. Act accordingly.
17/ Final Thoughts:
Lost a couple hundred $. Learned a lesson worth millions.
Good OpSec saved me from disaster. The segregation, the minimal hot wallet funds, and the paranoia all paid off.
I still got hit and that's the wake-up call we all need.
Stay safe, anon. 🫡
/end
PS: contractshark is still in Cursor's trusted publishers for thousands of users.
Ethereum is bleeding value to L2s. Rollups extract fees, MEV, and liquidity while ETH stakers get left behind. If this keeps up, Ethereum becomes a dumb security layer while L2s print money. Does this sound like a decent model for fixing it? 🧵👇
3/ L2s don’t need to use ETH as gas, but they do need to pay for Ethereum’s security. Right now, they pay almost nothing. That needs to change. Ethereum isn’t a free lunch. L2s should be paying rent.