zak.eth
Aug 12, 2025
I've been in crypto for over 10 years and I've never been hacked. Perfect OpSec record.

Yesterday, my wallet was drained by a malicious @cursor_ai extension for the first time.

If it can happen to me, it can happen to you. Here’s a full breakdown. 🧵👇
1/ Background: I'm obsessive about security. Hardware wallets, segregated hot wallets, unique passwords, 2FA everything.

In 10+ years, I have never lost a single wei to hackers.

Then I rushed to ship a contract last week.
2/ The Attack Vector: "contractshark.solidity-lang" extension in Cursor/VS Code.

Looked legitimate:
- Professional icon
- Proper description
- 54,000+ downloads
- From Open VSX (Cursor's default registry)
- Publisher "contractshark" seemed reasonable
3/ What ACTUALLY Happened:

Aug 7, 11:02 - Installed extension
Aug 7, 11:03 - Opened my project
Aug 7, 11:05 - Extension silently read my .env file
Aug 7, 11:06 - Sent my private key to attacker's server
Aug 10 - Wallet drained

3 days of access.
4/ The Damage: Only lost a few hundred $ in ETH because I follow strict practices:

- Hot wallets for testing only
- Small amounts
- Segregated by project
- Main funds in hardware wallets

Without these practices, I'd be posting a very different thread.
5/ How I Discovered It:

- Wallet drained notification
- Checked Cursor logs
- Found installation record
- Looked into all my extensions
- Found Kaspersky/BleepingComputer reports
- Part of $500K+ theft campaign
6/ The Forensics Process (for victims):

Step 1: Check logs
~/Library/Application Support/Cursor/logs (Mac)
%APPDATA%/Cursor/logs (Windows)

Step 2: Search for extension
grep -r "contractshark" [log_directory]

Step 3: Check state database for trusted publishers
7/ Why This Attack Works:

- Targets developers' weakest moment (rushing to ship)
- Exploits trust in official registries
- No OS specific malware needed (pure JavaScript)
- Works on Mac/Linux/Windows
- Silent execution, no indicators
8/ Red Flags I Missed:

❌ Publisher "contractshark" vs legitimate "juanblanco"
❌ No GitHub repository linked
❌ High downloads but no reviews
❌ Published recently (July 2025)
❌ Typosquatting common extensions

Rush to ship = ignored instincts
9/ CRITICAL OpSec Rules (learned the hard way):

NEVER:
- Store private keys in .env files
- Trust download counts alone
- Install extensions while rushing
- Use hot wallets for anything valuable

ALWAYS:
- Verify publisher carefully (check for l vs I)
- Check GitHub repo
- Use hardware wallets
10/ My New Development Setup:

1. Separate VM for smart contract work
2. Hardware wallet only (no hot wallets, period)
3. Secrets in encrypted vaults (1Password CLI)
4. No .env files with keys, ever
5. Extension whitelist only
11/ For Cursor/VS Code Users:

Immediately run:
# List all extensions
code --list-extensions

# Check for contractshark
ls ~/.cursor/extensions | grep -i contract

# Review trusted publishers
sqlite3 ~/Library/Application\ Support/Cursor/User/globalStorage/state.vscdb \
"SELECT value FROM ItemTable WHERE key='extensions.trustedPublishers'"
12/ If You're Compromised:

IMMEDIATELY:
1. Rotate ALL keys in the project
2. Check Etherscan for unauthorized txns
3. Revoke all token approvals
4. Generate new wallets
5. Document everything for taxes/insurance
6. Contact @_SEAL_Org
13/ The Attackers' Full List (AVOID):

- contractshark.solidity-lang
- juanbIanco.solidity (capital I)
- Theme.darcula-dark
- "solsafe" npm package
- Any Solidity extension with 50K+ downloads but <100 reviews
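The forensics steps in 6/, the audit commands in 11/ and the list in 13/ can be folded into one check. The script below is an added example for this page, not the author's tooling and not Cursor's or VS Code's own code. It walks an extensions directory (assumed to follow the VS Code/Cursor layout of `<publisher>.<name>-<version>` folders), flags the extension IDs named in the thread, and catches confusable-character look-alikes of publishers you have verified yourself (a hypothetical allowlist; the thread names juanblanco as the legitimate one, so "juanbIanco" with a capital I collides with it). It also reads the trusted-publisher entry from state.vscdb with the same SELECT the thread uses; the thread does not show the stored value format, so the JSON-array parse is an assumption with a substring fallback. The sample extension folders and the sample database in demo() are constructed.

```python
"""Audit installed IDE extensions and trusted publishers for the typosquatting
pattern described in the thread (contractshark / juanbIanco vs juanblanco).

Added example for this page, not the author's tooling or Cursor's own code.
Assumptions: extension directories are named "<publisher>.<name>-<version>"
(the VS Code / Cursor layout); state.vscdb holds the trusted-publisher list as
a JSON array under the key 'extensions.trustedPublishers' (the thread shows
only the SELECT, not the stored format, so the parser also falls back to a
plain substring match).
"""
import json
import os
import re
import sqlite3
import tempfile

# Extension IDs the thread names as malicious (spelling kept exactly as posted).
KNOWN_BAD_IDS = {"contractshark.solidity-lang", "juanbIanco.solidity", "Theme.darcula-dark"}
KNOWN_BAD_PUBLISHERS = {ext_id.split(".", 1)[0] for ext_id in KNOWN_BAD_IDS}

# Publishers you have verified yourself (hypothetical allowlist; the thread
# names juanblanco as the legitimate Solidity extension publisher).
TRUSTED_PUBLISHERS = {"juanblanco"}

# Characters commonly swapped to build look-alike names. Both sides of every
# comparison go through this map, so "juanbIanco" and "juanblanco" collide.
_CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# publisher "." name, optionally followed by "-<semver-ish version>"
_DIRNAME = re.compile(r"^([^.]+)\.(.+?)(?:-\d+(?:\.\d+)+[^/]*)?$")


def skeleton(name):
    """Fold confusable glyphs and case so look-alike publisher names compare equal."""
    return name.translate(_CONFUSABLES).lower()


def lookalike_of(publisher, trusted=TRUSTED_PUBLISHERS):
    """Return the trusted publisher this name imitates, or None if it is not a look-alike."""
    for real in trusted:
        if publisher != real and skeleton(publisher) == skeleton(real):
            return real
    return None


def parse_extension_dirname(dirname):
    """Split 'publisher.name-1.2.3' into (publisher, name); None if it does not fit."""
    m = _DIRNAME.match(dirname)
    return (m.group(1), m.group(2)) if m else None


def classify(ext_id):
    """Return a list of findings for one extension ID; an empty list means nothing flagged."""
    findings = []
    publisher = ext_id.split(".", 1)[0]
    if ext_id in KNOWN_BAD_IDS:
        findings.append("listed as malicious in the thread")
    real = lookalike_of(publisher)
    if real:
        findings.append(f"publisher looks like '{real}' but is not (confusable characters)")
    return findings


def audit_extension_dir(ext_root):
    """Scan an extensions directory (e.g. ~/.cursor/extensions) and return {extension_id: findings}."""
    flagged = {}
    for entry in sorted(os.listdir(ext_root)):
        parsed = parse_extension_dirname(entry)
        if not parsed:
            continue
        ext_id = f"{parsed[0]}.{parsed[1]}"
        findings = classify(ext_id)
        if findings:
            flagged[ext_id] = findings
    return flagged


def audit_trusted_publishers(db_path):
    """Read the trusted-publisher entry from state.vscdb and return the publishers worth removing."""
    con = sqlite3.connect(db_path)
    row = con.execute(
        "SELECT value FROM ItemTable WHERE key='extensions.trustedPublishers'"
    ).fetchone()
    con.close()
    if row is None:
        return []
    raw = row[0]
    try:
        publishers = [str(p) for p in json.loads(raw)]  # assumed JSON array format
    except (ValueError, TypeError):
        publishers = [p for p in KNOWN_BAD_PUBLISHERS if p in str(raw)]  # fallback: substring scan
    return [p for p in publishers if p in KNOWN_BAD_PUBLISHERS or lookalike_of(p)]


def demo():
    """Run both audits against constructed sample data in a temp dir and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_root = os.path.join(tmp, "extensions")
        os.mkdir(ext_root)
        for name in ("juanblanco.solidity-0.0.1", "contractshark.solidity-lang-0.0.1",
                     "juanbIanco.solidity-0.0.2", "ms-python.python-2024.1.0"):  # constructed sample
            os.mkdir(os.path.join(ext_root, name))
        db_path = os.path.join(tmp, "state.vscdb")  # constructed sample database
        con = sqlite3.connect(db_path)
        con.execute("CREATE TABLE ItemTable (key TEXT PRIMARY KEY, value BLOB)")
        con.execute("INSERT INTO ItemTable VALUES (?, ?)",
                    ("extensions.trustedPublishers", json.dumps(["ms-python", "contractshark"])))
        con.commit()
        con.close()
        return {"extensions": audit_extension_dir(ext_root),
                "trusted_publishers": audit_trusted_publishers(db_path)}


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, json.dumps(result, indent=2))
```

To run it against a real install, call audit_extension_dir on your extensions folder and audit_trusted_publishers on a copy of state.vscdb (copy it first; the IDE keeps the file open). The confusable map is deliberately small; extend TRUSTED_PUBLISHERS with every publisher you have actually verified, since the look-alike check only protects names on that list.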
14/ Why I'm Sharing This:

Pride hurt? Yes.
Embarrassed? Absolutely.

But if one dev avoids this because of my thread, it's worth it.

We need to normalize discussing failures. Security through obscurity doesn't work.
15/ The Hard Truth:

This wasn't a sophisticated hack. It was a supply chain attack that exploited developer trust.

I had impeccable hygiene and still got got because I was:
- Tired
- Rushing
- Trusting

That's all it takes. One moment of letting your guard down.
16/ Action Items for the Community:

1. Audit your extensions NOW
2. Move keys out of .env files TODAY
3. Implement hardware wallet only policy
4. Share this thread
5. Report suspicious extensions

We're all targets. Act accordingly.
17/ Final Thoughts:

Lost a couple hundred $. Learned a lesson worth millions.

Good OpSec saved me from disaster. The segregation, the minimal hot wallet funds, and the paranoia all paid off.

I still got hit and that's the wake-up call we all need.

Stay safe, anon. 🫡

/end
PS: contractshark is still in Cursor's trusted publishers for thousands of users.

Check yours:
Settings > Extensions > Trusted Publishers

If you see it, you're compromised.
@cursor_ai Full post-mortem here:
