
TigerJack Campaign Targets Developers with Malicious VSCode Extensions

3 unique sources, 7 articles

Summary


The TigerJack campaign continues to target developers with malicious Visual Studio Code (VSCode) extensions, which have now been found to leak access tokens, posing a critical software supply chain risk. The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year; two of them, C++ Playground and HTTP Format, were removed from the VSCode marketplace but remain on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. Developers are advised to be cautious when downloading extensions from these platforms. Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. Microsoft has revoked the leaked PATs and is adding secret scanning capabilities to enhance security. Organizations are recommended to develop an extension inventory and consider a centralized allowlist for extensions.

A new malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace. It was published by 'suspublisher18', and its malicious functionality was openly advertised in its description. That functionality includes file theft to a remote server and encryption of all files with AES-256-CBC. The extension activates on any event, including on installation or when launching VS Code, initializing the 'extension.js' file that contains its hardcoded variables (IP, encryption keys, command-and-control address). It calls a function named zipUploadAndEncrypt, which checks for the presence of a marker text file and then starts the encryption routine. The extension creates a .ZIP archive of the files in the defined target directory and exfiltrates them to the hardcoded C2 address. All the files are then replaced with their encrypted versions. The extension polls a private GitHub repository for commands, periodically checking an 'index.html' file (authenticating with a GitHub personal access token) and trying to execute any commands found there. The owner of the repository is likely based in Azerbaijan. The extension is an overt threat and may be the result of an experiment to test Microsoft's vetting process. Secure Annex labels susvsex 'AI slop', with its malicious actions exposed in the README file, but notes that a few tweaks would make it far more dangerous. Microsoft initially ignored the report about the extension and did not remove it from the VS Code registry, but it was no longer available by the time the article was published.

Two new malicious extensions, Bitcoin Black and Codo AI, were found on Microsoft's Visual Studio Code Marketplace. Bitcoin Black masquerades as a color theme and Codo AI as an AI assistant; both were published under the developer name 'BigBlack'. Bitcoin Black features a '*' activation event that executes on every VSCode action and can run PowerShell code. It uses a batch script to download a DLL file and an executable, with the activity occurring with the window hidden. Codo AI includes code assistance functionality via ChatGPT or DeepSeek but also has a malicious section. Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that deploys the infostealer under the name runtime.exe. The malware creates a directory in '%APPDATA%\Local\' and stores stolen data there, including screenshots, Wi-Fi credentials, system information, and cryptocurrency wallets. It steals cookies and hijacks user sessions by launching Chrome and Edge browsers in headless mode, steals cryptocurrency wallets such as Phantom, Metamask, and Exodus, and looks for passwords and credentials. The malicious DLL is flagged as a threat by 29 of the 72 antivirus engines on VirusTotal.

Microsoft has removed the extensions BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme from the Marketplace. The extensions activate on every VS Code action and embed malicious functionality within a working tool to bypass detection. Earlier versions executed a PowerShell script to download a password-protected ZIP archive from an external server; subsequent versions used a batch script to download the executable and DLL, hiding the PowerShell window. The legitimate Lightshot binary is used to load the rogue DLL via DLL hijacking. The rogue DLL gathers clipboard contents, installed apps, running processes, desktop screenshots, Wi-Fi credentials, and detailed system information. The malware launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.
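As an added defender-side example (not code from the page or from any vendor it mentions), the script below audits the package.json manifests under a local VS Code extensions directory against an allowlist and flags the traits described above: the three removed BigBlack extension IDs, the '*' activation event that fires on every editor action, and a "theme" that also ships an executable entry point. The extensions-directory layout and the 'acme.*' sample manifests are assumptions, constructed here so the demo runs offline.

```python
# Added example: audit installed VS Code extensions against an allowlist and
# flag the manifest traits this page describes. Not code from the page.
import json
import tempfile
from pathlib import Path

# Extension IDs the page says Microsoft removed (lower-cased for matching).
KNOWN_BAD = {"bigblack.bitcoin-black", "bigblack.codo-ai", "bigblack.mrbigblacktheme"}


def load_manifests(ext_root):
    """Yield (extension_id, manifest) for every <ext_root>/<dir>/package.json.
    ~/.vscode/extensions is the usual root; that layout is assumed here."""
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the audit
        yield f"{data.get('publisher', '?')}.{data.get('name', '?')}".lower(), data


def audit(ext_root, allowlist):
    """Return {extension_id: [reasons]}; an empty list means nothing was flagged."""
    allow = {a.lower() for a in allowlist}
    report = {}
    for ext_id, data in load_manifests(ext_root):
        reasons = []
        if ext_id in KNOWN_BAD:
            reasons.append("known malicious extension id")
        if ext_id not in allow:
            reasons.append("not on the organisational allowlist")
        if "*" in data.get("activationEvents", []):
            reasons.append("wildcard '*' activation: code runs on every VS Code action")
        # A pure colour theme only contributes themes and needs no entry point;
        # a "theme" that also ships a main script is the Bitcoin Black pattern.
        if data.get("contributes", {}).get("themes") and data.get("main"):
            reasons.append("theme that also ships executable code ('main')")
        report[ext_id] = reasons
    return report


def build_sample(root):
    """Write constructed manifests for an offline demo (not real extension files)."""
    samples = {
        "bigblack.bitcoin-black-0.0.1": {
            "publisher": "BigBlack", "name": "bitcoin-black", "main": "./extension.js",
            "activationEvents": ["*"],
            "contributes": {"themes": [{"label": "Bitcoin Black", "path": "./t.json"}]}},
        "acme.plain-theme-1.0.0": {  # hypothetical benign theme, on the allowlist
            "publisher": "acme", "name": "plain-theme",
            "contributes": {"themes": [{"label": "Plain", "path": "./plain.json"}]}},
        "acme.helper-2.3.0": {  # hypothetical, benign-looking, not allowlisted
            "publisher": "acme", "name": "helper",
            "activationEvents": ["onLanguage:python"], "main": "./out/main.js"},
    }
    for folder, manifest in samples.items():
        (Path(root) / folder).mkdir()
        (Path(root) / folder / "package.json").write_text(json.dumps(manifest))


def demo():
    """Run the audit over the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit(root, allowlist=["acme.plain-theme"])
```

Point `audit()` at a real extensions directory and a maintained allowlist to turn this into the inventory check the summary recommends; every non-empty reasons list is a finding to review.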

Timeline

  1. 06.11.2025 23:52 2 articles · 1mo ago

    New Malicious Extension with Ransomware Capabilities Published

    A new malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace. The extension was published by 'suspublisher18' and its malicious functionality was openly advertised in its description. The extension was uploaded on November 5, 2025, with the description 'Just testing' and the email address 'donotsupport@example[.]com.' The extension's description explicitly states it automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch. The extension was removed from the official VS Code Extension Marketplace by Microsoft on November 6, 2025. The extension's TARGET_DIRECTORY is configured to be a test staging directory, but it can be easily updated with an extension release or as a command sent through the C2 channel. The extension includes extraneous comments, README files with execution instructions, and placeholder variables, indicating it is 'vibe coded' malware. The extension package accidentally included decryption tools, command and control server code, and GitHub access keys to the C2 server, which other people could use to take over the C2.

  2. 15.10.2025 17:16 2 articles · 1mo ago

    Microsoft Revokes Leaked PATs and Adds Secret Scanning

    Microsoft revoked the leaked personal access tokens (PATs) and is adding secret scanning capabilities to block extensions with verified secrets and notify developers when secrets are detected. The cloud security firm Wiz identified over 550 validated secrets across more than 500 extensions from hundreds of distinct publishers. The 550 secrets fall under 67 distinct types of secrets, including AI provider secrets, cloud service provider secrets, and database secrets. The issue highlights the continued risks of extensions and plugins, and supply chain security in general.

  3. 15.10.2025 00:35 6 articles · 1mo ago

    TigerJack Campaign Distributes Malicious VSCode Extensions

    Since the beginning of the year, TigerJack has distributed at least 11 malicious VSCode extensions. Two extensions, C++ Playground and HTTP Format, were removed from the VSCode marketplace but remain available on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. The extensions are disguised as legitimate tools and use various techniques to exfiltrate data and mine cryptocurrency. Developers are advised to be cautious when downloading extensions from these platforms. Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. The extensions that leaked access tokens included themes and other types of extensions. The issue extends to internal or vendor-specific extensions used by organizations.

    Two new malicious extensions, Bitcoin Black and Codo AI, were found on Microsoft's Visual Studio Code Marketplace. Bitcoin Black masquerades as a color theme and Codo AI as an AI assistant; both were published under the developer name 'BigBlack'. Bitcoin Black features a '*' activation event that executes on every VSCode action and can run PowerShell code. It uses a batch script to download a DLL file and an executable, with the activity occurring with the window hidden. Codo AI includes code assistance functionality via ChatGPT or DeepSeek but also has a malicious section. Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that deploys the infostealer under the name runtime.exe. The malware creates a directory in '%APPDATA%\Local\' and stores stolen data there, including screenshots, Wi-Fi credentials, system information, and cryptocurrency wallets. It steals cookies and hijacks user sessions by launching Chrome and Edge browsers in headless mode, steals cryptocurrency wallets such as Phantom, Metamask, and Exodus, and looks for passwords and credentials. The malicious DLL is flagged as a threat by 29 of the 72 antivirus engines on VirusTotal.

    Microsoft has removed the extensions BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme from the Marketplace. The extensions activate on every VS Code action and embed malicious functionality within a working tool to bypass detection. Earlier versions executed a PowerShell script to download a password-protected ZIP archive from an external server; subsequent versions used a batch script to download the executable and DLL, hiding the PowerShell window. The legitimate Lightshot binary is used to load the rogue DLL via DLL hijacking. The rogue DLL gathers clipboard contents, installed apps, running processes, desktop screenshots, Wi-Fi credentials, and detailed system information. The malware launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.


Similar Happenings

ShadyPanda Browser Extensions Campaign Exploits 4.3M Installs

The ShadyPanda campaign has amassed over 4.3 million installations of malicious Chrome and Edge browser extensions, evolving from legitimate tools into spyware over multiple phases. The extensions, discovered by Koi Security, engaged in affiliate fraud, search hijacking, and remote code execution. The campaign remains active on the Microsoft Edge Add-ons platform, with one extension having 3 million installs. The extensions collect browsing history, search queries, keystrokes, mouse clicks, and other sensitive data, exfiltrating it to domains in China. Users are advised to remove these extensions and reset their account passwords. Five of the extensions started as legitimate programs before malicious changes were introduced in mid-2024. The Clean Master extension was featured and verified by Google, allowing attackers to expand their user base and issue malicious updates without suspicion. The extensions engage in adversary-in-the-middle (AitM) attacks to facilitate credential theft, session hijacking, and arbitrary code injection into any website. The WeTab extension is still available for download as of the article's publication date.

The extensions injected affiliate tracking codes silently every time the victim clicked on eBay, Amazon, or Booking.com links. They also deployed Google Analytics tracking to monetize browsing data, logging every website visit, search query, and click pattern. The Infinity V+ extension redirected web searches through the browser hijacker trovi.com. The extensions used malicious code to read victims' cookies and send the data to nossl.dergoodting.com, creating unique identifiers without users' consent or knowledge. They captured users' input in the search box, profiling their interests in real time. The extensions checked an external server for instructions and executed arbitrary JavaScript code every hour, with full browser API access. They executed a payload designed to exfiltrate browser data to remote servers, collecting visited URLs, HTTP referrers, timestamps, persistent UUID4 identifiers, and complete browser fingerprints. The WeTab New Tab Page extension, posing as a productivity tool, operates as a sophisticated surveillance platform, sending user data to 17 different domains.

The ShadyPanda campaign has been active for seven years, with initial submissions in 2018 and first signs of malicious activity in 2023. ShadyPanda leveraged trusted browser marketplaces to build user bases, operate legitimately for years, then quietly deploy malicious updates. A new Koi Security report identified a remote code execution backdoor affecting 300,000 users across five extensions, including Clean Master. The extensions had operated normally since 2018, until a mid-2024 update enabled hourly downloads of arbitrary JavaScript. The malware logged website visits, exfiltrated encrypted browsing histories, and gathered full browser fingerprints. A parallel spyware operation reached more than 4 million users through five additional Microsoft Edge extensions, most notably WeTab, which alone accounted for 3 million installs. These extensions collected every URL visited, search term, mouse click, and various browser identifiers, with traffic routed to servers in China.

Malicious VSX Extension SleepyDuck Targets Solidity Developers

A malicious extension named SleepyDuck was discovered in the Open VSX registry. It targets Solidity developers and includes a remote access trojan. The extension was initially published as benign but was updated to include malicious capabilities after reaching 14,000 downloads. The malware uses Ethereum contracts to update its command and control address, ensuring persistence even if the original server is taken down. It triggers when a new code editor window is opened or a .sol file is selected, gathering system information and exfiltrating it to the server. The extension has been downloaded more than 53,000 times. The malware activates on editor startup, when a Solidity file is opened, or when the user runs the Solidity compile command. It collects system data and sets up a command execution sandbox. The malware finds the fastest Ethereum RPC provider to read the smart contract with the C2 information and reads updated instructions directly from the blockchain. The extension was first published on October 31, 2025, and updated to include malicious code on November 1, 2025. It has been observed using sandbox evasion techniques and can connect to the fastest Ethereum RPC provider to maintain communication with its command server. Open VSX has announced security enhancements to make it safer for its users, including shortening token lifetimes, quickly revoking leaked credentials, automated scans, and sharing key info with VS Code about emerging threats.

AdaptixC2 Framework Weaponized by Russian Ransomware Groups

AdaptixC2, an open-source command-and-control (C2) framework, has been adopted by Russian ransomware groups for advanced attacks. The framework, initially released in August 2024, includes features such as encrypted communications, command execution, and credential managers. Threat actors associated with Fog and Akira ransomware, as well as an initial access broker, have leveraged AdaptixC2 in their operations. The framework's creator, RalfHacker, has ties to Russia's criminal underground, raising concerns about its misuse. AdaptixC2 has been used in fake help desk support call scams and through AI-generated PowerShell scripts.

MuddyWater Expands Campaign with MuddyViper Backdoor Targeting Israeli Entities

The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack.

The MuddyWater threat actor has also targeted Israeli entities spanning the academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data.

Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file conceals any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to resist efforts by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads.

GlassWorm malware targets OpenVSX, VS Code registries

The GlassWorm malware campaign has resurfaced with a third wave, adding 24 new packages to OpenVSX and the Microsoft Visual Studio Marketplace. The malware uses invisible Unicode characters to hide malicious code and targets GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions, with an estimated 35,800 downloads, though this figure includes inflated numbers due to bots and visibility-boosting tactics. The Eclipse Foundation has revoked leaked tokens and introduced security measures, but the threat actors pivoted to GitHub and have now returned to OpenVSX with updated command-and-control endpoints. The malware's global reach includes systems in the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security has accessed the attackers' server and shared victim data with law enforcement. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework named RedExt as part of their infrastructure. The third wave of GlassWorm uses Rust-based implants packaged inside the extensions and targets popular tools and developer frameworks such as Flutter, Vim, YAML, Tailwind, Svelte, React Native, and Vue.

Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space.