Ethereum core developer Zak.eth became a victim of a malicious supply chain attack after installing a compromised Cursor/VS Code extension named “contractshark.solidity-lang.” The extension, which appeared legitimate with over 54,000 downloads and a professional listing, accessed Zak’s .env file and sent his private key to an attacker’s server. Funds were drained three days later, though strict operational security limited losses to only a few hundred dollars.
The attack relied on misspelt names and on developer trust in official registries and large download counts, and it used JavaScript to bypass OS-level malware detection. Zak noted warning signs he overlooked, including the absence of a linked GitHub repository and unusual publisher names. The breach is part of a wider $500,000+ theft campaign targeting developers.
Zak.eth has since revamped his workflow, relying on isolated virtual machines, hardware wallets, encrypted vaults, and an extension whitelist to prevent future attacks. Security experts emphasize auditing installed extensions, avoiding plain-text secrets in .env files, and cautious development practices in isolated environments.
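One way to run the extension audit and allowlist check described above, as an added example that is not from Zak.eth or the article. It assumes the usual VS Code/Cursor layout (one folder per extension under `~/.vscode/extensions` or `~/.cursor/extensions`, each with a `package.json` manifest); the allowlist and the two sample extensions are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

def audit_extensions(ext_dir, allowlist):
    """Return {extension_id: [warnings]} for extensions that need review."""
    findings = {}
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(meta, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            findings[manifest.parent.name] = ["unreadable manifest"]
            continue
        # Extension ids are "publisher.name"; compare case-insensitively.
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        warnings = []
        if ext_id not in allowlist:
            warnings.append("not on allowlist")
        # "repository" may be a plain URL string or an object with a "url" key.
        repo = meta.get("repository")
        url = repo.get("url") if isinstance(repo, dict) else repo
        if not url:
            warnings.append("no linked repository")
        if warnings:
            findings[ext_id] = warnings
    return findings

def demo():
    # Constructed sample data: two made-up extensions in a temp directory.
    allowlist = {"examplecorp.solidity-tools"}
    samples = {
        "examplecorp.solidity-tools-1.0.0": {
            "publisher": "ExampleCorp", "name": "solidity-tools",
            "repository": {"type": "git", "url": "https://example.com/repo.git"}},
        "unknownpub.solidity-helper-0.0.1": {
            "publisher": "unknownpub", "name": "solidity-helper"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, meta in samples.items():
            ext = Path(tmp) / folder
            ext.mkdir()
            (ext / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        return audit_extensions(tmp, allowlist)

if __name__ == "__main__":
    for ext_id, warns in demo().items():
        print(f"{ext_id}: {', '.join(warns)}")
```

A linked repository is only one signal, so anything the audit flags still needs a manual look at the publisher and the listing before it goes on the allowlist.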
This incident underscores the persistent vulnerability of even security-conscious developers to supply chain attacks. As Zak concluded, “Good OpSec saved me from disaster. Paranoia paid off.” Developers worldwide are urged to reassess their toolchains and implement stronger safeguards.