Researchers have discovered a new wave of malicious VSCode extensions that, posing as useful tools, steal source code, mine cryptocurrency and can execute arbitrary code; they were distributed via OpenVSX, an alternative registry where some of the extensions are still available.

The attack is attributed to an operator going by the name TigerJack. Researchers from Koi Security have identified at least 11 malicious extensions, some of which had thousands of downloads on the Microsoft Marketplace before being removed but remained available on OpenVSX. Three main behaviors have been observed among the malicious components:
Code theft / exfiltration: an extension (such as `C++ Playground`) registers a listener for file changes and sends code fragments to remote servers (in effect a keylogger for code).
Background miner: another extension (`HTTP Format`) behaves as a normal utility while, in the background, it runs a CoinIMP miner with no resource limits.
Dynamic remote code execution: some packages load JS code from hard-coded addresses and execute it on the victim's machine (polling roughly every 20 minutes), which lets the operator "push" any malicious module without updating the extension.
Researchers also emphasize that TigerJack operates multiple accounts dressed up as legitimate projects (GitHub repositories, branding), which makes quick verification harder. Koi Security reported the packages to OpenVSX, but at the time of publication two malicious packages remained available.
OpenVSX is an open alternative to the official Microsoft Marketplace and serves as the default registry for compatible editors (Cursor, Windsurf, etc.). Alternative registries give more freedom, but they also increase the risk of unwittingly installing malicious packages. Similar campaigns have happened before: operators have mass-published malicious extensions that reached users under the guise of useful tools.
Developers and DevOps teams should immediately:
Check installed extensions in VSCode and compatible editors for suspicious packages (especially those from publishers with little reputation or questionable repositories).
Only download extensions from trusted publishers and read code/permissions when in doubt.
Use isolated environments (containers/VMs) to run unknown tools and employ EDR/IDS to detect mining or exfiltration.
Monitor Koi Security's advisories and your own logs, and block access to known C2 addresses where possible.
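As an added example for the first step above (not code from Koi Security or the original article), the following script triages an editor's extension folder by looking for the indicator combinations described in the three reported behaviors: an editor change listener together with outbound HTTP, a periodic timer together with dynamic code evaluation, and a CoinIMP miner call. The rules are heuristics chosen here, the default path `~/.vscode/extensions` is an assumption for a standard VS Code install, and the sample extensions are constructed fixtures that only contain indicator tokens.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristic rules: both regexes of a pair must match somewhere in one extension's
# JavaScript. Pairing indicators (listener + network, timer + eval) keeps the
# false-positive rate lower than single keyword matches would.
RULES = {
    "code-exfiltration": (r"onDidChange(TextDocument|WorkspaceFolders)|onDidSaveTextDocument",
                          r"\b(https?\.request|fetch|axios(\.\w+)?)\s*\("),
    "remote-code-loading": (r"\bsetInterval\s*\(",
                            r"\b(eval|new\s+Function|vm\.run\w+)\s*\("),
    "cryptominer": (r"coinimp", r"\.start\s*\("),
}

def scan_extension(ext_dir: Path) -> dict:
    """Score one installed extension directory against RULES."""
    manifest = json.loads((ext_dir / "package.json").read_text())
    js_files = [p for p in ext_dir.rglob("*.js") if "node_modules" not in p.parts]
    source = "\n".join(p.read_text(errors="ignore") for p in js_files)
    hits = [name for name, (first, second) in RULES.items()
            if re.search(first, source, re.I) and re.search(second, source, re.I)]
    ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
    return {"id": ext_id, "path": str(ext_dir), "hits": hits}

def scan_all(extensions_root: Path) -> list:
    """Scan every extension folder (those that carry a package.json)."""
    return [scan_extension(d) for d in sorted(extensions_root.iterdir())
            if (d / "package.json").is_file()]

def build_sample() -> Path:
    """Constructed fixture, not real extension code: one clean formatter and one
    extension carrying the indicator tokens of the reported behaviors."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    fixtures = {
        "clean-formatter": ("good", "vscode.commands.registerCommand('fmt.run', () => format(doc));"),
        "playground": ("bad", "vscode.workspace.onDidChangeTextDocument(cb);\n"
                              "https.request(opts);\n"
                              "setInterval(tick, 20 * 60 * 1000);\n"
                              "new Function(remoteSrc)();"),
    }
    for name, (publisher, js) in fixtures.items():
        d = root / f"{publisher}.{name}-1.0.0"
        d.mkdir()
        (d / "package.json").write_text(json.dumps({"publisher": publisher, "name": name}))
        (d / "extension.js").write_text(js)
    return root

if __name__ == "__main__":
    root = Path.home() / ".vscode" / "extensions"  # assumed default VS Code location
    for r in scan_all(root) if root.is_dir() else scan_all(build_sample()):
        print(f"{r['id']:40} {', '.join(r['hits']) or 'no indicators'}")
```

A hit is a reason to read the extension's source and check its publisher, not proof of malice; legitimate extensions also use timers and network calls.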