0
0
Article

The Contractshark in Cursor: A Cautionary Tale

Ethereum dev Zak Cole had his wallet drained by a malicious Cursor extension. Here's what to watch out for.
0
0
Aug 15, 20251 min read

Devs and vibe coders in crypto just got a wake-up call after a novel security breach hit Zak Cole of the Ethereum Community Foundation. Cole, who’s been in crypto for over a decade with a spotless OpSec record, had his wallet drained last week after installing what looked like a legit Solidity extension in Cursor, the popular AI code editor.

What happened:

  • The malicious extension, “contractshark.solidity-lang,” had the right trust signals. It came from the Open VSX registry and had a professional icon, clean description, 54k+ downloads, and a believable publisher name. Oof.
  • Within minutes of installation, the extension read Cole's .env file and from there sent his private key to an attacker’s server. Shortly thereafter, his wallet was emptied.
  • Fortunately, damage was minimal because Cole uses strict hot wallet segregation, with his main funds defended in hardware wallets. However, similar supply chain attacks have already stolen more than $500k from other devs!

What's spooky here is this vector bypasses OS malware defenses entirely. It was just JavaScript combined with user permissions. Plus, .env files are written in plaintext. Anything on your machine, from AI coding assistants to npm packages, can read it.

Time to batten down the hatches, then. Cole recommends getting private keys out of .env files, moving anything valuable to hardware wallets, and isolating your dev enviroments. Treat every extension install like it’s a potential breach.

Cole's full post-mortem breakdown and follow-up threads are worth a read. The grand takeaway here is that in a connected dev environment, trust is your attack surface. Cole's paranoia saved him from disaster, but it could have been a lot worse. Build your setup so that if you ever get compromised like this too, the damage is completely minimized.

Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.

Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.

Published in Bankless

There’s a revolution in the world of money. Ethereum, Bitcoin, crypto, open finance, DeFi—a bankless revolution. And you want part of it.