Description
Researchers have observed a coordinated campaign (tracked as TigerJack) that publishes malicious Visual Studio Code (VSCode) extensions to both the Microsoft VSCode Marketplace and the OpenVSX registry. The extensions pose as useful developer tools but install crypto-miners, exfiltrate source code and credentials, and fetch remote JavaScript payloads that enable arbitrary code execution and backdoor activity. Two notable extensions C++ Playground and HTTP Format were removed from the VSCode Marketplace after detection but remain available on OpenVSX.
Attack Details
- Threat actor: Researchers attribute the campaign to a coordinated operator using multiple publisher accounts (TigerJack) to impersonate legitimate developers.
- Malicious behaviors observed:
- C++ Playground registers an onDidChangeTextDocument listener to capture keystrokes/edits and exfiltrate source code to external endpoints.
- HTTP Format behaves as advertised but runs a CoinIMP cryptominer in the background, consuming full CPU/GPU resources.
- Other variants fetch JavaScript from hardcoded remote addresses (e.g., ab498.pythonanywhere.com/static/in4.js) every ~20 minutes, enabling remote code execution without further extension updates.
- Supply-chain risk: Malicious extensions were republished under new names and accounts after takedown, and some remain available on alternative registries (OpenVSX), increasing the risk to developers using VSCode forks or third-party editors that default to OpenVSX.
Remediation
- Remove and block: Immediately uninstall any untrusted or unvetted VSCode extensions; block known malicious extension names and the remote indicators (e.g., ab498.pythonanywhere.com) at network and DNS layers.
- Harden extension policy: Enforce an approved extensions allowlist for corporate dev environments and disable automatic extension installs/updates on managed developer workstations.
- Scan & remediate hosts: Run EDR/antivirus scans for miners, unexpected persistent tasks, webhooks, or scripts that contact the listed remote endpoints; investigate developer workstations for signs of exfiltration.
- Rotate secrets and keys: Assume developer machines may have exposed API keys or credentials rotate repository/service credentials, OAuth tokens, and cloud keys if used on affected hosts.
- Network and telemetry: Monitor outbound traffic for connections to known command-and-control or miner endpoints and alert on unusual periodic polling behavior from developer tools. Forward allowlist/denylist events to SIEM for correlation.
- Vendor/registry reporting: Report malicious packages to Microsoft/VSCode Marketplace and OpenVSX maintainers; follow up until packages are removed from all registries.
- Developer guidance & least privilege: Advise developers to: use isolated build/dev VMs, avoid installing unvetted extensions, not store secrets in plain text, and use credential vaulting for tokens. Implement least-privilege access for developer service accounts.
- Supply-chain controls: Add extension vetting into onboarding and CI processes, scan extension code and dependencies before approving for enterprise use and block third-party registries where risk cannot be mitigated.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Malicious VSCode Extensions Resurface on OpenVSX, Target Developers with Crypto-Stealers and Backdoors
Reference