Ethereum Wallet Drained by Malicious AI VS Code Plugin
In August 2025, Ethereum core developer Zak Cole installed a malicious AI plugin, “contractshark.solidity-lang”, from the Open VSX marketplace. The plugin scanned his project directory, extracted private keys from a .env file, and sent them to an attacker’s server. Within three days, his hot wallet was fully drained. The loss came to only a few hundred dollars thanks to segregated hardware funds.
This incident highlights a rising threat to crypto wallet security: malicious AI plugins. Attackers exploit lax review processes to fake downloads and ratings, then use these plugins to steal keys and execute remote code.
To protect assets, traders and developers should install extensions only from official sources, verify GitHub links and genuine user reviews, develop in isolated VMs, and store private keys in encrypted vaults. They must also separate hot and cold wallets, avoid entering mnemonics into untrusted software, and adopt a zero-trust security mindset.
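The plugin described above found keys because they sat in plaintext in a .env file. As an added example (not code from the incident or from any project named here), the following audit lists .env entries that look like wallet secrets so they can be moved into an encrypted vault; the variable-name patterns, skipped directories and sample tree are assumptions, and the key is a constructed dummy.

```python
import os
import re
import tempfile

# Assumption: a raw Ethereum private key is 32 bytes, i.e. 64 hex chars, optional 0x.
HEX_KEY = re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$")
# Assumption: variable names that commonly hold wallet secrets.
SECRET_NAME = re.compile(r"PRIVATE_?KEY|MNEMONIC|SEED", re.I)
SKIP_DIRS = {".git", "node_modules"}  # assumption: not worth walking

def scan_env_files(root):
    """Return (relative path, line no, variable, reason); never the secret value."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name != ".env" and not name.startswith(".env."):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    line = line.strip()
                    if not line or line.startswith("#") or "=" not in line:
                        continue
                    var, _, value = line.partition("=")
                    var = var.replace("export ", "", 1).strip()
                    value = value.strip().strip("'\"")
                    rel = os.path.relpath(path, root)
                    if HEX_KEY.match(value):
                        findings.append((rel, no, var, "64-hex value"))
                    elif value and SECRET_NAME.search(var):
                        findings.append((rel, no, var, "secret-like name"))
    return sorted(findings)

def demo():
    """Scan a constructed project tree; all values below are dummies."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".env"), "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\n")
            fh.write("RPC_URL=https://rpc.example.invalid\n")
            fh.write("DEPLOYER_KEY=0x" + "ab" * 32 + "\n")
            fh.write('export WALLET_MNEMONIC="placeholder words"\n')
        return scan_env_files(root)

if __name__ == "__main__":
    for rel, no, var, reason in demo():
        print(f"{rel}:{no}: {var} ({reason})")
```

Run it against a project root before opening the project in an editor with third-party extensions; any finding is a secret that every installed extension can read.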
Neutral
The exploit of a core developer’s hot wallet by a malicious AI VS Code plugin underscores growing security risks but does not affect Ethereum’s network integrity or protocol fundamentals. Traders are likely to reinforce their security practices and isolate hot and cold wallets, leading to caution rather than a sell-off. Market confidence in Ethereum’s long-term value remains intact, making the overall price impact minimal.