Thousands Hit by Malicious VS Code Extensions Stealing Source Code

TigerJack’s fake VS Code extensions stole source code, mined crypto, and hijacked developer systems across 17,000 installations.

Written by Ken Underhill
Oct 15, 2025

A sophisticated cybercriminal operation has infiltrated developer ecosystems worldwide.

Security researchers at Koi have uncovered at least 11 malicious Visual Studio Code (VS Code) extensions created by a threat actor known as TigerJack, who embedded spyware, cryptocurrency miners, and remote backdoors into tools downloaded by more than 17,000 developers.

“The malware operates invisibly, delivering exactly the functionality it promises while simultaneously stealing intellectual property, hijacking system resources, and maintaining a persistent backdoor for remote access,” said Koi researchers.

Trusted marketplaces turned into malware delivery channels

This campaign exposes a growing blind spot in software supply chains: the trust developers place in third-party extensions from official and alternative marketplaces. 

TigerJack, operating under multiple aliases (ab-498, 498, and 498-00), used these platforms to distribute malware disguised as productivity tools for programmers.

The two most successful malicious extensions, C++ Playground and HTTP Format, were removed from Microsoft’s VS Code marketplace only after being downloaded to thousands of systems. 

However, both remain active in the OpenVSX marketplace, which serves popular VS Code alternatives like Cursor and Windsurf. That means the threat is far from over.

How the TigerJack malware operation worked

TigerJack’s operation demonstrates a multi-stage Trojan-horse strategy. 

The attacker initially published legitimate, fully functional extensions to build credibility and accumulate positive reviews. 

Once trusted, those same extensions were silently updated with malicious code designed to steal source code, mine cryptocurrency, and even grant remote control over developer machines.

The “C++ Playground” extension, for instance, activated automatically when VS Code launched and monitored every change to C++ files. 

Each keystroke triggered a delayed function that captured code in real time and uploaded it to exfiltration servers, including ab498[.]pythonanywhere[.]com and api[.]codex[.]jaagrav[.]in.

This mechanism was remarkably precise: by acting only on C++ files, the extension showed no suspicious behavior to developers working in other languages, which helped it evade detection.

Meanwhile, the “HTTP Format” extension secretly harnessed users’ CPUs to mine cryptocurrency through embedded CoinIMP credentials. 

Its obfuscated code connected to multiple CoinIMP endpoints to monitor balances and transfer mined coins directly to TigerJack’s wallets.

Perhaps most alarming, additional extensions contained a remote code execution (RCE) backdoor, allowing the attacker to download and execute arbitrary JavaScript every 20 minutes. 

This provided ongoing, dynamic access to infected systems — essentially turning developer machines into controllable bots.

A coordinated, persistent threat

TigerJack’s campaign wasn’t a one-off malware drop but a coordinated, persistent infiltration. 

Even after Microsoft removed the malicious extensions, the threat actor launched a republication campaign — uploading five new variants under the 498-00 publisher name, including repackaged versions of C++ Playground.

This adaptive strategy highlights the limitations of current marketplace defenses. 

Developers were not automatically notified of the Microsoft removals, which left them unaware that their systems had been compromised. 

Researchers also discovered a possible operational-security slip: a Facebook profile under the name “Zubaer Ahmed” linked to TigerJack’s GitHub accounts. The account has since been deleted, suggesting an attempt to cover tracks following exposure.

How to stay protected

To contain the impact of the TigerJack campaign and prevent similar supply chain attacks, organizations should strengthen their developer environments with the following key mitigation steps:

  • Audit and remove malicious extensions: Immediately review all VS Code and OpenVSX extensions across developer environments and remove any tied to publishers ab-498, 498, or 498-00.
  • Rebuild compromised systems: Reimage affected workstations and rotate all potentially exposed credentials to eliminate persistent access.
  • Monitor network and endpoint activity: Use EDR and network monitoring tools to detect suspicious outbound traffic, code exfiltration attempts, or crypto-mining behavior.
  • Enforce allowlisting and least privilege: Limit developer permissions and apply application allowlisting to block unauthorized background processes and unapproved tools.
  • Restrict and verify extension sources: Allow installations only from trusted or internally mirrored marketplaces, and require code signing or verification for all third-party extensions.
  • Strengthen developer security hygiene: Train developers on secure coding practices, safe extension use, and recognizing indicators of supply chain compromise.
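The audit step above, together with the activation and exfiltration behaviour described for C++ Playground, can be checked locally. This is an added example, not code from Koi or the article: it walks the installed-extension folders (the `~/.vscode`, `~/.cursor` and `~/.windsurf` paths are assumed defaults), flags the three publisher aliases and the two exfiltration hosts named in the article, and notes extensions that activate on every startup. The sample manifest in the test is constructed.

```python
"""Audit locally installed VS Code / Cursor / Windsurf extensions for the
TigerJack indicators reported in the article (publisher aliases, exfiltration
hosts) plus one behavioural heuristic (activation on every startup)."""
import json
from pathlib import Path

# Indicators taken from the article.
SUSPECT_PUBLISHERS = {"ab-498", "498", "498-00"}
SUSPECT_HOSTS = ("ab498.pythonanywhere.com", "api.codex.jaagrav.in")
# Heuristic only: many legitimate extensions activate on startup, but it is the
# behaviour C++ Playground relied on to watch every C++ file from launch.
BROAD_ACTIVATION = {"*", "onStartupFinished"}

# Assumed default extension roots for VS Code and the OpenVSX-based forks
# named in the article; adjust for your installation.
EXTENSION_ROOTS = [Path.home() / d / "extensions"
                   for d in (".vscode", ".cursor", ".windsurf")]


def audit_extension(manifest: dict, sources: list[str]) -> list[str]:
    """Return findings for one extension.

    manifest: parsed package.json; sources: contents of its JavaScript files.
    Host matching only catches plaintext references, so obfuscated payloads
    may still need manual review."""
    findings = []
    ident = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
    if manifest.get("publisher") in SUSPECT_PUBLISHERS:
        findings.append(f"{ident}: publisher is a known TigerJack alias")
    if BROAD_ACTIVATION & set(manifest.get("activationEvents", [])):
        findings.append(f"{ident}: activates on every startup (review why)")
    for host in SUSPECT_HOSTS:
        if any(host in src for src in sources):
            findings.append(f"{ident}: references exfiltration host {host}")
    return findings


def audit_directory(root: Path) -> list[str]:
    """Audit every <root>/<publisher>.<name>-<version>/package.json found."""
    findings = []
    for manifest_path in root.glob("*/package.json"):
        manifest = json.loads(manifest_path.read_text("utf-8", errors="replace"))
        sources = [p.read_text("utf-8", errors="replace")
                   for p in manifest_path.parent.rglob("*.js")]
        findings.extend(audit_extension(manifest, sources))
    return findings


if __name__ == "__main__":
    for root in EXTENSION_ROOTS:
        if root.is_dir():
            for line in audit_directory(root) or [f"{root}: no indicators found"]:
                print(line)
```

A clean result does not prove an extension is safe; removing anything published under the three aliases and reimaging hosts that ran them remains the recommended response.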

Implementing these not only mitigates immediate exposure but also strengthens the organization’s overall cyber resilience against evolving software supply chain attacks.

Threat actors are shifting left, too

As organizations continue shifting security “left,” adversaries are following suit, embedding themselves within the very tools developers rely on.

This campaign mirrors past supply chain compromises, like 2020’s SolarWinds, but with a broader, decentralized reach.

Rather than breaching a single vendor, TigerJack exploited trust itself, turning the open-source ecosystem into its delivery vehicle. 

The takeaway is clear: every extension, plug-in, and dependency now represents a potential attack surface.

Events like this highlight the urgent need for stronger software supply chain security practices across the developer ecosystem.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
