A persistent threat actor, known as TigerJack, has been targeting developers with malicious extensions on both the Microsoft Visual Studio Code (VSCode) marketplace and the OpenVSX registry. These malicious extensions are designed to steal cryptocurrency and plant backdoors on developers’ systems. The malicious campaign, which has distributed at least 11 extensions this year, was uncovered by researchers at Koi Security. Two of the extensions, which had been downloaded over 17,000 times before being removed from the VSCode marketplace, are still available for download on OpenVSX, a community-maintained, open-source alternative. This is particularly concerning as OpenVSX is the default marketplace for several popular VSCode-compatible editors.
TigerJack has repeatedly republished the same malicious code under new names on the VSCode marketplace after the originals were removed. For example, two extensions previously named C++ Playground and HTTP Format were reintroduced through new accounts. The C++ Playground extension was designed to exfiltrate source code by capturing keystrokes in near real-time, sending the data to multiple external endpoints. Meanwhile, the HTTP Format extension, while appearing to work as advertised, secretly ran a CoinIMP crypto miner in the background, consuming the host’s entire processing power to mine cryptocurrency. The miner did not implement any restrictions on resource usage, leveraging the full computing power of the compromised machine.
Another category of TigerJack’s malicious extensions, including cppplayground, httpformat, and pythonformat, is far more menacing. These extensions fetch and execute JavaScript code from a hardcoded remote address, which lets the threat actor run arbitrary code on the host machine without publishing an updated extension. The researchers at Koi Security noted that this dynamic payload delivery system could be used for a wide range of malicious activities, including stealing credentials and API keys, deploying ransomware, and injecting backdoors into projects. Compromised developer machines could also serve as entry points into corporate networks.
Koi Security described TigerJack as a coordinated multi-account operation. The threat actor creates an illusion of independent, credible developers by building fake backgrounds with GitHub repositories, branding, detailed feature lists, and extension names that closely resemble those of legitimate tools. This deceptive strategy makes it difficult for developers to distinguish between legitimate and malicious extensions, and it allows TigerJack to bypass security measures and trick unsuspecting developers into installing its harmful extensions.
Despite Koi Security reporting their findings to OpenVSX, there has been no response from the registry’s maintainers at the time of publication, and the two malicious extensions remain available for download. This highlights a significant security risk for developers who use the platform. Therefore, developers are strongly advised to exercise caution and only download packages from reputable and trustworthy publishers to mitigate the risk of falling victim to such campaigns. Taking a moment to verify the publisher’s identity and reputation can prevent a wide range of potential security breaches.