
Malicious crypto-stealing VSCode extensions resurface on OpenVSX


A threat actor called TigerJack is persistently targeting developers with malicious extensions published on Microsoft's Visual Studio Code (VSCode) marketplace and the OpenVSX registry, using them to steal cryptocurrency and plant backdoors.

Two of the extensions, removed from VSCode after counting 17,000 downloads, are still present on OpenVSX. Furthermore, TigerJack republishes the same malicious code under new names on the VSCode marketplace.

OpenVSX is a community-maintained open-source extension marketplace operating as an alternative to Microsoft’s platform, providing an independent, vendor-neutral registry.

It is also the default marketplace for popular VSCode-compatible editors that are technically or legally restricted from VSCode, including Cursor and Windsurf.

The campaign was spotted by researchers at Koi Security and has distributed at least 11 malicious VSCode extensions since the beginning of the year.

The two extensions removed from the VSCode marketplace are named C++ Playground and HTTP Format, and they have been reintroduced on the platform through new accounts, the researchers say.

When launched, C++ Playground registers an ‘onDidChangeTextDocument’ listener for C++ files and exfiltrates the source code to multiple external endpoints. The listener fires about 500 milliseconds after each edit, capturing keystrokes in near-real time.

According to Koi Security, HTTP Format works as advertised but secretly runs a CoinIMP miner in the background, using hardcoded credentials and configuration to mine crypto using the host’s processing power.

The miner does not appear to implement any restrictions for resource usage, leveraging the entire computing power for its activity.

[Image: Miner active on the host]
