Hacker News
by OkPin 334 days ago
This incident really underscores how AI-powered dev tools, which rely on open-source extension registries like Open VSX, can be weaponized via supply chain abuse. A $500k crypto heist via a bogus “syntax highlighter” signals a scary maturity in these attacks.

Ranking manipulation, using recency and inflated download counts to outrank the legitimate Solidity package, is a clever exploit of how developers search. It makes me wonder: should IDEs start validating package authorship or offer signed extensions as a default?

Also, the fact that this happened on a freshly imaged system with no antivirus suggests we need to rethink trust models for extension marketplaces. Not just for crypto devs, but for any industry sensitive to code integrity.

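One way to turn the concern in the post above (ranking manipulation via recency and inflated download counts, and validating package authorship) into a concrete check, as an added example and not code from the original page, Open VSX, or any IDE: the script below triages a list of constructed registry search results against a publisher allowlist, flagging names that resemble a trusted extension but sit under a different publisher, and download velocities that are implausible for a days-old package. The extension IDs, download counts, ages and both thresholds are assumptions made for the example; the trusted ID is hypothetical, not the real Solidity extension's ID.

```python
"""Triage registry search results for lookalike and ranking-manipulation signals.

Added example; every ID, count and age below is constructed, not taken from a registry.
"""
from __future__ import annotations

import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Extension:
    """One registry search result (the fields a registry listing exposes)."""
    ext_id: str     # "<publisher>.<name>", the namespaced ID
    downloads: int  # lifetime download count as shown in the listing
    age_days: int   # days since first publication


# Constructed allowlist: extension IDs whose publisher was vetted out of band.
# The ID is hypothetical, not the real Solidity extension's ID.
TRUSTED_IDS = frozenset({"vettedpublisher.solidity"})

# Constructed search results for the query "solidity"; counts and ages are made up.
SEARCH_RESULTS = [
    Extension("so1idity-dev.solidity", downloads=48_000, age_days=2),
    Extension("fastdev.solidity-syntax-highlighter", downloads=60_000, age_days=3),
    Extension("vettedpublisher.solidity", downloads=2_400_000, age_days=1900),
    Extension("someone.rust-analyzer", downloads=300_000, age_days=900),
]


def split_id(ext_id: str) -> tuple[str, str]:
    """Split "<publisher>.<name>" on the first dot."""
    publisher, _, name = ext_id.partition(".")
    return publisher, name


def name_similarity(a: str, b: str) -> float:
    """Case-insensitive similarity in [0, 1]; 1.0 means identical names."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def triage(ext: Extension, trusted: frozenset[str] = TRUSTED_IDS,
           similarity_threshold: float = 0.8,
           max_downloads_per_day: float = 5000.0) -> list[str]:
    """Return the reasons an extension looks suspicious (empty list means no signal).

    Both thresholds are assumed tuning values, not numbers from any registry.
    """
    if ext.ext_id in trusted:
        return []
    reasons: list[str] = []
    publisher, name = split_id(ext.ext_id)

    # Lookalike: a (near-)identical name published under a different publisher.
    for trusted_id in trusted:
        t_publisher, t_name = split_id(trusted_id)
        if t_publisher != publisher and name_similarity(name, t_name) >= similarity_threshold:
            reasons.append(f"name resembles trusted {trusted_id} under a different publisher")

    # Velocity: downloads per day of existence. A days-old package carrying a
    # large count is the inflated-download pattern that wins popularity ranking.
    velocity = ext.downloads / max(ext.age_days, 1)
    if velocity > max_downloads_per_day:
        reasons.append(f"{velocity:.0f} downloads/day over {ext.age_days} day(s) is implausible")
    return reasons


def report(results: list[Extension],
           trusted: frozenset[str] = TRUSTED_IDS) -> dict[str, list[str]]:
    """Map each flagged extension ID to its reasons, in the registry's display order."""
    flagged: dict[str, list[str]] = {}
    for ext in results:
        reasons = triage(ext, trusted)
        if reasons:
            flagged[ext.ext_id] = reasons
    return flagged


def install_allowed(ext: Extension, trusted: frozenset[str] = TRUSTED_IDS) -> bool:
    """Allowlist policy: only vetted IDs install; the heuristics only explain why others fail."""
    return ext.ext_id in trusted


if __name__ == "__main__":
    for ext_id, reasons in report(SEARCH_RESULTS).items():
        print(ext_id)
        for reason in reasons:
            print("  -", reason)
```

The heuristics are for triage and reporting only; the control that actually blocks the bogus package is the allowlist in `install_allowed`, which is the kind of policy a freshly imaged developer machine would need regardless of whether antivirus is present.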

We're getting back to the old age of antivirus software. Can't wait to install Norton or Kaspersky on my Mac M5. Also good time to start your antivirus ai startup.
(and it seems very likely the 'person' you are replying to is a bot/AI in this case too)
Can you sell me your Mac M5, time traveller?