Threat actor TigerJack is actively distributing malicious VSCode extensions on both Microsoft’s marketplace and OpenVSX, targeting developers to steal cryptocurrencies and install backdoors. Although some of the extensions have been removed from the VSCode marketplace, they remain available on OpenVSX, posing ongoing risks to coding environments.
Key points
- TigerJack is a threat actor targeting developers with malicious extensions in VSCode marketplaces.
- Two extensions, C++ Playground and HTTP Format, were removed from the VSCode marketplace but remain on OpenVSX.
- Some extensions exfiltrate source code or secretly mine cryptocurrency using the host’s resources.
- Malicious extensions can fetch and execute remote JavaScript payloads, enabling arbitrary code execution.
- OpenVSX’s lack of response and continued availability of malicious extensions increase security risks for developers.
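
A triage sketch for the key points above, added here as an example and not taken from the original report: it checks unpacked extensions for the two display names mentioned and for entry points that both fetch remote content and execute code dynamically. The regexes, finding labels, sample data and the default `~/.vscode/extensions` path are assumptions of this example, not published indicators.

```javascript
const fs = require('fs');
const path = require('path');
const os = require('os');

// Display names reported above, lower-cased for comparison.
const REPORTED_NAMES = ['c++ playground', 'http format'];
// Heuristic patterns: assumptions of this example, not published indicators.
const REMOTE_FETCH = /\bfetch\s*\(|\bhttps?\.(get|request)\s*\(/;
const DYNAMIC_EXEC = /\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.run\w+\s*\(/;

// Returns finding labels for one extension: parsed package.json + entry-point source.
function auditExtension(manifest, source) {
  const findings = [];
  const name = String(manifest.displayName || manifest.name || '').toLowerCase();
  if (REPORTED_NAMES.includes(name)) findings.push('reported-display-name');
  if (REMOTE_FETCH.test(source) && DYNAMIC_EXEC.test(source)) {
    findings.push('remote-fetch-plus-dynamic-exec');
  }
  // Extensions that activate on every launch run without any user action.
  const events = manifest.activationEvents || [];
  if (events.includes('*') || events.includes('onStartupFinished')) {
    findings.push('activates-on-startup');
  }
  return findings;
}

// Audits every unpacked extension under dir; a missing directory yields [].
function auditInstalled(dir = path.join(os.homedir(), '.vscode', 'extensions')) {
  if (!fs.existsSync(dir)) return [];
  const report = [];
  for (const entry of fs.readdirSync(dir)) {
    let manifest;
    try {
      manifest = JSON.parse(fs.readFileSync(path.join(dir, entry, 'package.json'), 'utf8'));
    } catch (err) { continue; } // not an extension folder, or unreadable manifest
    const main = manifest.main ? path.join(dir, entry, manifest.main) : '';
    // "main" may omit the .js suffix, so try both spellings.
    const file = [main, main + '.js'].find((p) => fs.existsSync(p) && fs.statSync(p).isFile());
    const findings = auditExtension(manifest, file ? fs.readFileSync(file, 'utf8') : '');
    if (findings.length) report.push({ extension: entry, findings });
  }
  return report;
}

// Constructed sample input, not taken from any real extension.
const SAMPLE_MANIFEST = { displayName: 'HTTP Format', activationEvents: ['onStartupFinished'] };
const SAMPLE_SOURCE = 'const r = await fetch(cfgUrl); eval(await r.text());';
console.log(auditExtension(SAMPLE_MANIFEST, SAMPLE_SOURCE));
```

Findings are prompts for manual review, since legitimate extensions can match the patterns and bundled or obfuscated code can evade them. For OpenVSX-based editors, pass that editor's extensions directory to `auditInstalled`.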