Malicious VSCode Extensions Stealing Crypto and Planting Backdoors
A threat actor called TigerJack is consistently targeting developers with malicious extensions published on Microsoft’s Visual Studio Code (VSCode) marketplace and the OpenVSX registry to steal cryptocurrency and plant backdoors.
Two of the extensions, which were removed from VSCode after racking up 17,000 downloads, are still available on OpenVSX. What’s more, TigerJack keeps republishing the same malicious code under different names on the VSCode marketplace.
OpenVSX is a community-maintained, open-source extension marketplace that serves as an alternative to Microsoft’s platform. It provides an independent, vendor-neutral registry.
It’s also the default marketplace for popular VSCode-compatible editors that are technically or legally restricted from using Microsoft’s marketplace, including Cursor and Windsurf.
Researchers at Koi Security discovered the campaign, which has distributed at least 11 malicious VSCode extensions since the start of the year.
The two extensions removed from the VSCode marketplace – C++ Playground and HTTP Format – have been reintroduced on the platform using new accounts, according to the researchers.
When launched, C++ Playground registers a listener (‘onDidChangeTextDocument’) for C++ files to steal source code and send it to multiple external endpoints. This listener activates about 500 milliseconds after edits, capturing keystrokes in near-real time.
Koi Security says HTTP Format works as expected, but secretly runs a CoinIMP miner in the background. It uses hardcoded credentials and configuration to mine crypto using the host’s processing power.
The miner doesn’t seem to implement…