.env accessed?: Lesson learned from a drained crypto wallet

Question

A user on X recently lost their entire crypto wallet after installing a malicious extension in Cursor.ai. The extension accessed their .env file, extracted private keys, and sent them to an attacker’s server. The wallet was drained within 27 minutes.
Sadly a hard lesson to learn from.

What steps would you recommend to secure their setup?

Read - https://x.com/0xzak/status/1955265807807545763?s=46&amp;t=WQd8UVBBGk_pyHB3pNwGsA&nbsp;

chris__hayes · Answer

Yeah, I&nbsp;had a similar thing happen in relation to leaking my `OPENAI_API_KEY`. Might've been this:&nbsp;https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attackIf it really was that trojan, I could've lost SSH keys as well. But, luckily was already using 1Password for everything SSH.Got me to&nbsp;move my env vars into 1Password in conjunction with 1Password CLI's `op read`. Set up aliases&nbsp;on CLI tools that need a env variable, to have 1Password load the env var first. This avoids a 1Password prompt every time you pop open a terminal.Considering more people are&nbsp;going to look to 1Password to more securely store their local env vars, please consider fixing this issue - &amp;quot;Copy secret reference&amp;quot; inconsistent behavior/bugs | 1Password Community.Honestly, with&nbsp;the security of your device, it's impossible to personally verify the security of everything you install. With the amount of trust involved, it seems better to&nbsp;prepare your damage limitation than to believe an air tight solution is possible.

Forum Discussion

.env accessed?: Lesson learned from a drained crypto wallet

1 Reply

Recent Discussions

Console flooded with errors when clicking links during 1Password passkey selection dialog

WSL2 Arm Build

`op account add` with `Integrate with 1Password CLI`

1password doesn't seem to remember the key approval for JetBrains IDEA Ultimate

Use op on headless system with glab?