
The Contractshark in Cursor: A Cautionary Tale

Ethereum dev Zak Cole had his wallet drained by a malicious Cursor extension. Here's what to watch out for.

Devs and vibe coders in crypto just got a wake-up call after a novel security breach hit Zak Cole of the Ethereum Community Foundation. Cole, who’s been in crypto for over a decade with a spotless OpSec record, had his wallet drained last week after installing what looked like a legit Solidity extension in Cursor, the popular AI code editor.

What happened:

  • The malicious extension, “contractshark.solidity-lang,” had the right trust signals. It came from the Open VSX registry and had a professional icon, clean description, 54k+ downloads, and a believable publisher name. Oof.
  • Within minutes of installation, the extension read Cole's .env file and from there sent his private key to an attacker’s server. Shortly thereafter, his wallet was emptied.
  • Fortunately, damage was minimal because Cole uses strict hot wallet segregation, with his main funds kept in hardware wallets. However, similar supply chain attacks have already stolen more than $500k from other devs!

What's spooky here is that this vector bypasses OS malware defenses entirely: it was just JavaScript running with the user's own permissions. Plus, .env files are plaintext, so anything on your machine, from AI coding assistants to npm packages, can read them.

Time to batten down the hatches, then. Cole recommends getting private keys out of .env files, moving anything valuable to hardware wallets, and isolating your dev environments. Treat every extension install like it’s a potential breach.
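One way to act on the first of those recommendations is to scan a project's own .env files for the kind of plaintext signing key this extension harvested, so each one can be moved to a hardware wallet or keystore before something else reads it. This is an added example, not code from the Bankless article or from Cole's post-mortem; the dotenv parsing rules and the sample file (with a dummy key) are assumptions.

```python
import re

# A raw secp256k1 private key is 32 bytes, i.e. 64 hex characters, optionally 0x-prefixed.
PRIVATE_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# Variable names that suggest a signing secret even when the value is not raw hex.
SUSPICIOUS_NAME_RE = re.compile(r"(PRIV|PRIVATE|SECRET|MNEMONIC|SEED)", re.IGNORECASE)


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines the way common dotenv loaders do (assumed rules):
    skip blank and comment lines, allow an 'export ' prefix, strip matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def find_plaintext_keys(text: str) -> list:
    """Return (name, reason) for each variable holding a raw private key,
    or whose name suggests it holds a signing secret."""
    findings = []
    for name, value in parse_dotenv(text).items():
        if PRIVATE_KEY_RE.match(value):
            findings.append((name, "value is a 32-byte hex private key"))
        elif SUSPICIOUS_NAME_RE.search(name) and value:
            findings.append((name, "name suggests a signing secret"))
    return findings


# Constructed sample .env for a stand-alone run; the hex below is a dummy value, not a real key.
SAMPLE_ENV = """# constructed example file
RPC_URL=https://rpc.example.invalid
export PRIVATE_KEY="0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
DEPLOYER_MNEMONIC='dummy mnemonic words go here'
ETHERSCAN_API_KEY=abc123
"""

if __name__ == "__main__":
    for name, reason in find_plaintext_keys(SAMPLE_ENV):
        print(f"{name}: {reason}")
```

Point it at every `.env*` file in a checkout (including ones ignored by git) rather than only the one you remember writing.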

Cole's full post-mortem breakdown and follow-up threads are worth a read. The grand takeaway here is that in a connected dev environment, trust is your attack surface. Cole's paranoia saved him from disaster, but it could have been a lot worse. Build your setup so that if you are ever compromised like this, the damage is kept to a minimum.


Written by William M. Peaster


William M. Peaster, Senior Writer, has been with Bankless since January 2021. Immersed in Ethereum since 2017, he writes the Metaversal newsletter on the onchain frontier, covering everything from AI projects to crypto games, as the team’s lead NFT analyst. With a background in creative writing, he writes fiction and publishes art on Ethereum in his free time.
