TigerJack Campaign Targets Developers with Malicious VSCode Extensions
Summary
The TigerJack campaign continues to target developers with malicious Visual Studio Code (VSCode) extensions, which have now been found to leak access tokens, posing a critical software supply chain risk. The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year, with two extensions, C++ Playground and HTTP Format, removed from VSCode but remaining on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. Developers are advised to be cautious when downloading extensions from these platforms.

Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. Microsoft has revoked the leaked PATs and is adding secret scanning capabilities to enhance security. Organizations are recommended to develop an extension inventory and consider a centralized allowlist for extensions.

A new malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace. The extension was published by 'suspublisher18' and its malicious functionality was openly advertised in its description. The extension's malicious functionality includes file theft to a remote server and encryption of all files with AES-256-CBC. The extension activates on any event, including on installation or when launching VS Code, initializing the 'extension.js' file that contains its hardcoded variables (IP, encryption keys, command-and-control address). The extension calls a function named zipUploadAndEncrypt, which checks for the presence of a marker text file and starts the encryption routine. The extension creates a .ZIP archive of the files in the defined target directory and exfiltrates them to the hardcoded C2 address. All the files are then replaced with their encrypted versions. The extension polls a private GitHub repository for commands, periodically checking an 'index.html' file that uses a PAT token for authentication, and tries to execute any commands there. The owner of the repository is likely based in Azerbaijan. The extension is an overt threat and may be the result of an experiment to test Microsoft's vetting process. Secure Annex labels susvsex 'AI slop' with its malicious actions exposed in the README file, but notes that a few tweaks would make it far more dangerous. Microsoft ignored the report about the extension and did not remove it from the VS Code registry initially, but it was no longer available by the time the article was published.

Two new malicious extensions, Bitcoin Black and Codo AI, were found on Microsoft's Visual Studio Code Marketplace. Bitcoin Black masquerades as a color theme and Codo AI as an AI assistant, both published under the developer name 'BigBlack'. Bitcoin Black features a '*' activation event that executes on every VSCode action and can run PowerShell code. Bitcoin Black uses a batch script to download a DLL file and an executable, with the activity occurring with the window hidden. Codo AI includes code assistance functionality via ChatGPT or DeepSeek but also has a malicious section. Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that deploys the infostealer under the name runtime.exe. The malware creates a directory in '%APPDATA%\Local\' and stores stolen data including screenshots, WiFi credentials, system information, and cryptocurrency wallets. The malware steals cookies and hijacks user sessions by launching Chrome and Edge browsers in headless mode. The malware steals cryptocurrency wallets like Phantom, Metamask, Exodus, and looks for passwords and credentials. The malicious DLL is flagged as a threat by 29 out of the 72 antivirus engines on VirusTotal. Microsoft has removed the extensions BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme from the Marketplace. The extensions activate on every VS Code action and embed malicious functionality within a working tool to bypass detection. Earlier versions of the extensions executed a PowerShell script to download a password-protected ZIP archive from an external server. Subsequent versions of the extensions used a batch script to download the executable and DLL, hiding the PowerShell window. The legitimate Lightshot binary is used to load the rogue DLL via DLL hijacking. The rogue DLL gathers clipboard contents, installed apps, running processes, desktop screenshots, Wi-Fi credentials, and detailed system information. The malware launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.

A campaign involving 19 Visual Studio (VS) Code extensions that embed malware inside their dependency folders has been uncovered by cybersecurity researchers. Active since February 2025 but identified on December 2, the operation used a legitimate npm package to disguise harmful files and bundled malicious binaries inside an archive masquerading as a PNG image. This approach, observed by ReversingLabs (RL), enabled attackers to bypass conventional checks and target developers directly. Some extensions imitate popular tools, while others advertise new features but secretly execute unwanted code. In this new campaign, attackers embedded a modified version of the npm package path-is-absolute inside the extensions’ node_modules folders. The original package is widely used, with more than 9 billion downloads since 2021, but the altered version included a class designed to trigger malware when VS Code starts. The attackers also included a file named banner.png, which appeared harmless but opened as an archive containing two binaries. The dropper launched these files via cmstp.exe, a common living-off-the-land binary (LOLBIN). One executable closed the process by simulating a keypress, while the other was a Rust-based Trojan still being analyzed at the time of this report. Although the techniques differed, the goal remained the same: covertly execute malware through trusted components. Detecting malicious VS Code extensions has become increasingly urgent, ReversingLabs warned. The firm said detections grew from 27 in 2024 to 105 in the first 10 months of 2025. To reduce risk, teams are encouraged to inspect extensions before installation, audit all bundled dependencies, and use security tools capable of evaluating package behavior. All the mentioned extensions have been reported to Microsoft.

A new malware campaign targeting developers with the Evelyn Stealer malware has been identified. This malware abuses VS Code extensions to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. The malware harvests clipboard content, installed apps, cryptocurrency wallets, running processes, desktop screenshots, stored Wi-Fi credentials, system information, and credentials and stored cookies from Google Chrome and Microsoft Edge. The malware implements safeguards to detect analysis and virtual environments and terminates active browser processes to ensure seamless data collection. The malware uses specific command-line flags to launch browsers in a stealthy manner, preventing detection and forensic traces. The DLL downloader creates a mutual exclusion (mutex) object to ensure only one instance of the malware can run at any given time. The Evelyn Stealer campaign targets organizations with software development teams that rely on VS Code and third-party extensions. The malware exfiltrates collected data to a remote server (server09.mentality[.]cloud) over FTP in the form of a ZIP file.

Two malicious extensions in Microsoft’s Visual Studio Code (VSCode) Marketplace, collectively installed 1.5 million times, exfiltrate developer data to China-based servers. The extensions are advertised as AI-based coding assistants and provide the promised functionality but do not disclose the upload activity or ask users for consent to deliver data to a remote server. The extensions use three distinct data-collection mechanisms: real-time monitoring of files opened in the VS Code client, server-controlled file-harvesting commands, and zero-pixel iframes in the extension’s webview to load four commercial analytics SDKs. The extensions exfiltrate entire file contents and changes to the attackers’ servers, harvest up to 50 files from the victim’s workspace each time, and use SDKs to track user behavior, build identity profiles, fingerprint devices, and monitor activity inside the editor. The extensions pose risks including the exposure of private source code, configuration files, cloud service credentials, and .env files containing API keys and credentials. The extensions are part of a campaign dubbed 'MaliciousCorgi'; they share the same code for stealing developer data, use the same spyware infrastructure, and communicate with the same backend servers. The extensions are still present on the marketplace at the time of publishing: ChatGPT – 中文版 (publisher: WhenSunset, 1.34 million installs) and ChatMoss (CodeMoss) (publisher: zhukunpeng, 150k installs).
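An added example, not taken from the cited reports, of the audit the summary recommends: it walks a folder of unpacked extensions and flags any that are missing from a central allowlist, declare a '*' activation event, ship an image-named file that is really an archive (the banner.png pattern), or bundle a dependency whose hash differs from a pinned value. The allowlist contents, the pinned-hash manifest format and the sample folders are constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Leading bytes of common archive formats. The reports do not say which
# format banner.png used, so several are checked (assumption).
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"MSCF": "cab",
}
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico"}


def sniff_archive(path):
    """Return the archive type if the file starts with an archive signature."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in ARCHIVE_MAGICS.items():
        if head.startswith(magic):
            return kind
    return None


def audit_extension(ext_dir, allowlist, pinned):
    """Return the findings for one unpacked extension directory.

    allowlist: set of approved, lower-cased "publisher.name" ids.
    pinned: {"node_modules/<pkg>/<file>": sha256 hex} taken from a trusted
            copy of the dependency (hypothetical manifest format).
    """
    ext_dir = Path(ext_dir)
    findings = []
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return ["unreadable package.json"]
    if not isinstance(manifest, dict):
        return ["package.json is not a JSON object"]
    # Ids are compared case-insensitively (assumption about the id format).
    ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()
    if ext_id not in allowlist:
        findings.append(f"not on allowlist: {ext_id}")
    if "*" in (manifest.get("activationEvents") or []):
        findings.append("activationEvents contains '*'")
    for path in sorted(ext_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(ext_dir).as_posix()
        if path.suffix.lower() in IMAGE_SUFFIXES:
            kind = sniff_archive(path)
            if kind:
                findings.append(f"{rel} is a {kind} archive, not an image")
        if rel in pinned:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest != pinned[rel]:
                findings.append(f"{rel} differs from pinned hash")
    return findings


def audit_all(root, allowlist, pinned):
    """Audit every extension folder under root (e.g. ~/.vscode/extensions)."""
    allow = {item.lower() for item in allowlist}
    report = {}
    for ext_dir in sorted(Path(root).iterdir()):
        if (ext_dir / "package.json").is_file():
            report[ext_dir.name] = audit_extension(ext_dir, allow, pinned)
    return report


def build_sample(root):
    """Write two constructed extension folders; return the pinned hashes."""
    # Stand-in file contents, not the real path-is-absolute source.
    good_dep = b"module.exports = p => p.charAt(0) === '/';\n"
    dep_rel = "node_modules/path-is-absolute/index.js"
    pinned = {dep_rel: hashlib.sha256(good_dep).hexdigest()}
    samples = {
        "example.clean-theme-1.0.0": (
            {"publisher": "example", "name": "clean-theme",
             "activationEvents": ["onLanguage:python"]},
            good_dep, b"\x89PNG\r\n\x1a\n" + b"\0" * 16),
        "example.fake-helper-0.0.1": (
            {"publisher": "example", "name": "fake-helper",
             "activationEvents": ["*"]},
            good_dep + b"// constructed extra line\n", b"PK\x03\x04" + b"\0" * 16),
    }
    for folder, (manifest, dep, banner) in samples.items():
        ext = Path(root) / folder
        (ext / "node_modules" / "path-is-absolute").mkdir(parents=True)
        (ext / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        (ext / dep_rel).write_bytes(dep)
        (ext / "banner.png").write_bytes(banner)
    return pinned


def run_demo():
    """Audit the constructed sample with a one-entry allowlist."""
    with tempfile.TemporaryDirectory() as root:
        pinned = build_sample(root)
        return audit_all(root, {"example.clean-theme"}, pinned)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "no findings")
```

A '*' activation event or an unpinned dependency is a triage signal rather than proof of malice, so findings are best reviewed against the extension's stated purpose.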
Timeline
-
06.11.2025 23:52 · 2 articles
New Malicious Extension with Ransomware Capabilities Published
A new malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace. The extension was published by 'suspublisher18' and its malicious functionality was openly advertised in its description. The extension was uploaded on November 5, 2025, with the description 'Just testing' and the email address 'donotsupport@example[.]com.' The extension's description explicitly states it automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch. The extension was removed from the official VS Code Extension Marketplace by Microsoft on November 6, 2025. The extension's TARGET_DIRECTORY is configured to be a test staging directory, but it can be easily updated with an extension release or as a command sent through the C2 channel. The extension includes extraneous comments, README files with execution instructions, and placeholder variables, indicating it is 'vibe coded' malware. The extension package accidentally included decryption tools, command and control server code, and GitHub access keys to the C2 server, which other people could use to take over the C2.
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
-
15.10.2025 17:16 · 2 articles
Microsoft Revokes Leaked PATs and Adds Secret Scanning
Microsoft revoked the leaked personal access tokens (PATs) and is adding secret scanning capabilities to block extensions with verified secrets and notify developers when secrets are detected. The cloud security firm Wiz identified over 550 validated secrets across more than 500 extensions from hundreds of distinct publishers. The 550 secrets fall under 67 distinct types of secrets, including AI provider secrets, cloud service provider secrets, and database secrets. The issue highlights the continued risks of extensions and plugins, and supply chain security in general.
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
-
15.10.2025 00:35 · 11 articles
TigerJack Campaign Distributes Malicious VSCode Extensions
Since the beginning of the year, TigerJack has distributed at least 11 malicious VSCode extensions. Two extensions, C++ Playground and HTTP Format, were removed from the VSCode marketplace but remain available on OpenVSX. These extensions steal cryptocurrency, plant backdoors, and exfiltrate source code. The threat actor republishes the same malicious code under new names, making detection and removal challenging. The extensions are disguised as legitimate tools and use various techniques to exfiltrate data and mine cryptocurrency. Developers are advised to be cautious when downloading extensions from these platforms.

Over 100 VSCode extensions were found to leak access tokens, allowing attackers to distribute malicious updates. The leaked tokens include AI provider secrets, cloud service provider secrets, and database secrets. The extensions that leaked access tokens included themes and other types of extensions. The issue extends to internal or vendor-specific extensions used by organizations.

Two new malicious extensions, Bitcoin Black and Codo AI, were found on Microsoft's Visual Studio Code Marketplace. Bitcoin Black masquerades as a color theme and Codo AI as an AI assistant, both published under the developer name 'BigBlack'. Bitcoin Black features a '*' activation event that executes on every VSCode action and can run PowerShell code. Bitcoin Black uses a batch script to download a DLL file and an executable, with the activity occurring with the window hidden. Codo AI includes code assistance functionality via ChatGPT or DeepSeek but also has a malicious section. Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that deploys the infostealer under the name runtime.exe. The malware creates a directory in '%APPDATA%\Local\' and stores stolen data including screenshots, WiFi credentials, system information, and cryptocurrency wallets. The malware steals cookies and hijacks user sessions by launching Chrome and Edge browsers in headless mode. The malware steals cryptocurrency wallets like Phantom, Metamask, Exodus, and looks for passwords and credentials. The malicious DLL is flagged as a threat by 29 out of the 72 antivirus engines on VirusTotal. Microsoft has removed the extensions BigBlack.bitcoin-black, BigBlack.codo-ai, and BigBlack.mrbigblacktheme from the Marketplace. The extensions activate on every VS Code action and embed malicious functionality within a working tool to bypass detection. Earlier versions of the extensions executed a PowerShell script to download a password-protected ZIP archive from an external server. Subsequent versions of the extensions used a batch script to download the executable and DLL, hiding the PowerShell window. The legitimate Lightshot binary is used to load the rogue DLL via DLL hijacking. The rogue DLL gathers clipboard contents, installed apps, running processes, desktop screenshots, Wi-Fi credentials, and detailed system information. The malware launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.

A campaign involving 19 Visual Studio (VS) Code extensions that embed malware inside their dependency folders has been uncovered by cybersecurity researchers. Active since February 2025 but identified on December 2, the operation used a legitimate npm package to disguise harmful files and bundled malicious binaries inside an archive masquerading as a PNG image. This approach, observed by ReversingLabs (RL), enabled attackers to bypass conventional checks and target developers directly. Some extensions imitate popular tools, while others advertise new features but secretly execute unwanted code. In this new campaign, attackers embedded a modified version of the npm package path-is-absolute inside the extensions’ node_modules folders. The original package is widely used, with more than 9 billion downloads since 2021, but the altered version included a class designed to trigger malware when VS Code starts. The attackers also included a file named banner.png, which appeared harmless but opened as an archive containing two binaries. The dropper launched these files via cmstp.exe, a common living-off-the-land binary (LOLBIN). One executable closed the process by simulating a keypress, while the other was a Rust-based Trojan still being analyzed at the time of this report. Although the techniques differed, the goal remained the same: covertly execute malware through trusted components. Detecting malicious VS Code extensions has become increasingly urgent, ReversingLabs warned. The firm said detections grew from 27 in 2024 to 105 in the first 10 months of 2025. To reduce risk, teams are encouraged to inspect extensions before installation, audit all bundled dependencies, and use security tools capable of evaluating package behavior. All the mentioned extensions have been reported to Microsoft.

A new malware campaign targeting developers with the Evelyn Stealer malware has been identified. This malware abuses VS Code extensions to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. The malware harvests clipboard content, installed apps, cryptocurrency wallets, running processes, desktop screenshots, stored Wi-Fi credentials, system information, and credentials and stored cookies from Google Chrome and Microsoft Edge. The malware implements safeguards to detect analysis and virtual environments and terminates active browser processes to ensure seamless data collection. The malware uses specific command-line flags to launch browsers in a stealthy manner, preventing detection and forensic traces. The DLL downloader creates a mutual exclusion (mutex) object to ensure only one instance of the malware can run at any given time. The Evelyn Stealer campaign targets organizations with software development teams that rely on VS Code and third-party extensions. The malware exfiltrates collected data to a remote server (server09.mentality[.]cloud) over FTP in the form of a ZIP file.

Two malicious extensions in Microsoft’s Visual Studio Code (VSCode) Marketplace, collectively installed 1.5 million times, exfiltrate developer data to China-based servers. The extensions are advertised as AI-based coding assistants and provide the promised functionality but do not disclose the upload activity or ask users for consent to deliver data to a remote server. The extensions use three distinct data-collection mechanisms: real-time monitoring of files opened in the VS Code client, server-controlled file-harvesting commands, and zero-pixel iframes in the extension’s webview to load four commercial analytics SDKs. The extensions exfiltrate entire file contents and changes to the attackers’ servers, harvest up to 50 files from the victim’s workspace each time, and use SDKs to track user behavior, build identity profiles, fingerprint devices, and monitor activity inside the editor. The extensions pose risks including the exposure of private source code, configuration files, cloud service credentials, and .env files containing API keys and credentials. The extensions are part of a campaign dubbed 'MaliciousCorgi'; they share the same code for stealing developer data, use the same spyware infrastructure, and communicate with the same backend servers. The extensions are still present on the marketplace at the time of publishing: ChatGPT – 中文版 (publisher: WhenSunset, 1.34 million installs) and ChatMoss (CodeMoss) (publisher: zhukunpeng, 150k installs).
- Malicious crypto-stealing VSCode extensions resurface on OpenVSX — www.bleepingcomputer.com — 15.10.2025 00:35
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
Information Snippets
-
TigerJack is a threat actor targeting developers with malicious VSCode extensions.
First reported: 15.10.2025 00:35 · 3 sources, 8 articles
- Malicious crypto-stealing VSCode extensions resurface on OpenVSX — www.bleepingcomputer.com — 15.10.2025 00:35
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
-
The campaign has distributed at least 11 malicious VSCode extensions since the beginning of the year.
First reported: 15.10.2025 00:35 · 3 sources, 7 articles
- Malicious crypto-stealing VSCode extensions resurface on OpenVSX — www.bleepingcomputer.com — 15.10.2025 00:35
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
-
Two extensions, C++ Playground and HTTP Format, were removed from VSCode but remain on OpenVSX.
First reported: 15.10.2025 00:35 · 3 sources, 6 articles
- Malicious crypto-stealing VSCode extensions resurface on OpenVSX — www.bleepingcomputer.com — 15.10.2025 00:35
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
-
C++ Playground exfiltrates source code to external endpoints.
First reported: 15.10.2025 00:35 · 3 sources, 6 articles
- Malicious crypto-stealing VSCode extensions resurface on OpenVSX — www.bleepingcomputer.com — 15.10.2025 00:35
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
-
HTTP Format runs a CoinIMP miner in the background using the host’s processing power.
First reported: 15.10.2025 00:35 · 3 sources, 6 articles
- Malicious crypto-stealing VSCode extensions resurface on OpenVSX — www.bleepingcomputer.com — 15.10.2025 00:35
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
-
Some extensions fetch and execute JavaScript code from a hardcoded address every 20 minutes.
First reported: 15.10.2025 00:35 · 3 sources, 6 articles
- Malicious crypto-stealing VSCode extensions resurface on OpenVSX — www.bleepingcomputer.com — 15.10.2025 00:35
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
-
TigerJack operates as a coordinated multi-account operation with credible backgrounds.
First reported: 15.10.2025 00:35 · 3 sources, 5 articles
- Malicious crypto-stealing VSCode extensions resurface on OpenVSX — www.bleepingcomputer.com — 15.10.2025 00:35
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
-
OpenVSX has not responded to reports of the malicious extensions.
First reported: 15.10.2025 00:35 · 3 sources, 4 articles
- Malicious crypto-stealing VSCode extensions resurface on OpenVSX — www.bleepingcomputer.com — 15.10.2025 00:35
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
-
Over 100 Visual Studio Code (VS Code) extensions leaked access tokens, posing a critical software supply chain risk.
First reported: 15.10.2025 17:16 · 3 sources, 7 articles
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
-
The leaked tokens could allow attackers to distribute malicious updates across the entire install base.
First reported: 15.10.2025 17:16 · 3 sources, 7 articles
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
-
Wiz security researcher Rami McCarthy identified over 550 validated secrets across more than 500 extensions.
First reported: 15.10.2025 17:16 · 3 sources, 5 articles
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
-
The secrets included AI provider secrets, cloud service provider secrets, and database secrets.
First reported: 15.10.2025 17:16 · 3 sources, 6 articles
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
-
More than 100 extensions leaked VS Code Marketplace PATs, accounting for over 85,000 installs.
First reported: 15.10.2025 17:16 · 3 sources, 6 articles
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Another 30 extensions with a cumulative install base of at least 100,000 leaked Open VSX Access Tokens.
First reported: 15.10.2025 17:16 (3 sources, 6 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extensions that leaked access tokens included themes and other types of extensions.
First reported: 15.10.2025 17:16 (3 sources, 6 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The issue extends to internal or vendor-specific extensions used by organizations.
First reported: 15.10.2025 17:16 (3 sources, 7 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Microsoft revoked the leaked PATs and is adding secret scanning capabilities to block extensions with verified secrets.
First reported: 15.10.2025 17:16 (3 sources, 7 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

VS Code users are advised to limit the number of installed extensions and scrutinize them before downloading.
First reported: 15.10.2025 17:16 (3 sources, 7 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Organizations are advised to develop an extension inventory and consider a centralized allowlist for extensions.
First reported: 15.10.2025 17:16 (3 sources, 4 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11

The TigerJack campaign involved sophisticated extensions that steal source code, mine cryptocurrency, and establish remote backdoors.
First reported: 15.10.2025 17:16 (3 sources, 5 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extensions C++ Playground and HTTP Format attracted over 17,000 downloads before their takedown.
First reported: 15.10.2025 17:16 (3 sources, 4 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11

The C++ Playground extension captures keystrokes to steal C++ source code files.
First reported: 15.10.2025 17:16 (3 sources, 4 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11

The HTTP Format extension runs the CoinIMP miner to mine cryptocurrency.
First reported: 15.10.2025 17:16 (3 sources, 4 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11

Three other extensions published by TigerJack can act as backdoors by downloading and running arbitrary JavaScript from an external server every 20 minutes.
First reported: 15.10.2025 17:16 (3 sources, 4 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11

The extensions started as benign tools before malicious modifications were introduced.
First reported: 15.10.2025 17:16 (3 sources, 4 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11

Microsoft has a multi-step process to keep the VS Code marketplace free of malware, but these protections do not apply to other registries like Open VSX.
First reported: 15.10.2025 17:16 (3 sources, 7 articles)
- Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks — thehackernews.com — 15.10.2025 17:16
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

A malicious extension named susvsex with basic ransomware capabilities was published on Microsoft's official VS Code marketplace.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension was published by 'suspublisher18' and its malicious functionality was openly advertised in its description.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension's malicious functionality includes file theft to a remote server and encryption of all files with AES-256-CBC.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension activates on any event, including on installation or when launching VS Code, initializing the 'extension.js' file that contains its hardcoded variables (IP, encryption keys, command-and-control address).
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension calls a function named zipUploadAndEncrypt, which checks for the presence of a marker text file and starts the encryption routine.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension creates a .ZIP archive of the files in the defined target directory and exfiltrates them to the hardcoded C2 address. All the files are then replaced with their encrypted versions.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension polls a private GitHub repository for commands, periodically checking an 'index.html' file that uses a PAT token for authentication, and tries to execute any commands there.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The owner of the repository is likely based in Azerbaijan.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension is an overt threat and may be the result of an experiment to test Microsoft’s vetting process.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Secure Annex labels susvsex 'AI slop', with its malicious actions exposed in the README file, but notes that a few tweaks would make it far more dangerous.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Microsoft ignored the report about the extension and did not remove it from the VS Code registry initially, but it was no longer available by the time the article was published.
First reported: 06.11.2025 23:52 (3 sources, 6 articles)
- AI-Slop ransomware test sneaks on to VS Code marketplace — www.bleepingcomputer.com — 06.11.2025 23:52
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension 'susvsex' was uploaded on November 5, 2025, by a user named 'suspublisher18' with the description 'Just testing' and the email address 'donotsupport@example[.]com.'
First reported: 07.11.2025 08:48 (3 sources, 5 articles)
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension was removed from the official VS Code Extension Marketplace by Microsoft on November 6, 2025.
First reported: 07.11.2025 08:48 (3 sources, 5 articles)
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension's description explicitly states it automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch.
First reported: 07.11.2025 08:48 (3 sources, 5 articles)
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension's TARGET_DIRECTORY is configured to be a test staging directory, but it can be easily updated with an extension release or as a command sent through the C2 channel.
First reported: 07.11.2025 08:48 (3 sources, 5 articles)
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension includes extraneous comments, README files with execution instructions, and placeholder variables, indicating it is 'vibe coded' malware.
First reported: 07.11.2025 08:48 (3 sources, 5 articles)
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extension package accidentally included decryption tools, command and control server code, and GitHub access keys to the C2 server, which other people could use to take over the C2.
First reported: 07.11.2025 08:48 (3 sources, 5 articles)
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Two malicious extensions, Bitcoin Black and Codo AI, were found on Microsoft's Visual Studio Code Marketplace.
First reported: 09.12.2025 00:30 (3 sources, 6 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Bitcoin Black masquerades as a color theme and Codo AI as an AI assistant, both published under the developer name 'BigBlack'.
First reported: 09.12.2025 00:30 (3 sources, 6 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Bitcoin Black features a '*' activation event that executes on every VSCode action and can run PowerShell code.
First reported: 09.12.2025 00:30 (3 sources, 7 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Bitcoin Black uses a batch script to download a DLL file and an executable, with the activity taking place in a hidden window.
First reported: 09.12.2025 00:30 (3 sources, 7 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Codo AI includes code assistance functionality via ChatGPT or DeepSeek but also has a malicious section.
First reported: 09.12.2025 00:30 (3 sources, 7 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Both extensions deliver a legitimate executable of the Lightshot screenshot tool and a malicious DLL file that deploys the infostealer under the name runtime.exe.
First reported: 09.12.2025 00:30 (3 sources, 7 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The malware creates a directory in '%APPDATA%\Local\' and stores stolen data including screenshots, WiFi credentials, system information, and cryptocurrency wallets.
First reported: 09.12.2025 00:30 (3 sources, 7 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The malware steals cookies and hijacks user sessions by launching Chrome and Edge browsers in headless mode.
First reported: 09.12.2025 00:30 (3 sources, 7 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The malware steals cryptocurrency wallets such as Phantom, MetaMask, and Exodus, and looks for passwords and credentials.
First reported: 09.12.2025 00:30 (3 sources, 7 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The malicious DLL is flagged as a threat by 29 out of the 72 antivirus engines on VirusTotal.
First reported: 09.12.2025 00:30 (3 sources, 7 articles)
- Malicious VSCode extensions on Microsoft's registry drop infostealers — www.bleepingcomputer.com — 09.12.2025 00:30
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extensions BigBlack.bitcoin-black and BigBlack.codo-ai were removed by Microsoft on December 5, 2025, and December 8, 2025, respectively.
First reported: 09.12.2025 10:07 (3 sources, 6 articles)
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Microsoft also removed a third package named BigBlack.mrbigblacktheme from the same publisher for containing malware.
First reported: 09.12.2025 10:07 (3 sources, 6 articles)
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extensions activate on every VS Code action and embed malicious functionality within a working tool to bypass detection.
First reported: 09.12.2025 10:07 (3 sources, 6 articles)
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Earlier versions of the extensions executed a PowerShell script to download a password-protected ZIP archive from an external server.
First reported: 09.12.2025 10:07 (3 sources, 6 articles)
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Subsequent versions of the extensions used a batch script to download the executable and DLL, hiding the PowerShell window.
First reported: 09.12.2025 10:07 (3 sources, 6 articles)
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The legitimate Lightshot binary is used to load the rogue DLL via DLL hijacking.
First reported: 09.12.2025 10:07 (3 sources, 6 articles)
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The rogue DLL gathers clipboard contents, installed apps, running processes, desktop screenshots, Wi-Fi credentials, and detailed system information.
First reported: 09.12.2025 10:07 (3 sources, 6 articles)
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The malware launches Google Chrome and Microsoft Edge in headless mode to grab stored cookies and hijack user sessions.
First reported: 09.12.2025 10:07 (3 sources, 6 articles)
- Researchers Find Malicious VS Code, Go, npm, and Rust Packages Stealing Developer Data — thehackernews.com — 09.12.2025 10:07
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The malicious extensions Bitcoin Black and Codo AI were detailed in a report published by the Koi Security research team on Monday.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Bitcoin Black presented itself as a cryptocurrency-themed color scheme, while Codo AI offered a functional coding assistant that integrated ChatGPT and DeepSeek.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Both extensions executed hidden scripts that downloaded a payload using a bundled version of the Lightshot screenshot tool paired with a malicious DLL.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Bitcoin Black used activation events and PowerShell execution uncommon for legitimate themes.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Codo AI provided genuine coding features, which helped the attacker avoid suspicion during installation and use.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Version 2.5.0 of the extensions relied on a complex PowerShell routine that downloaded a password-protected ZIP archive and attempted extraction through several fallback methods.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

By version 3.3.0, the attacker had streamlined the delivery chain, switching to a hidden batch script that fetched an executable and DLL directly over HTTP and prevented repeated execution through a marker file.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The infostealer collected clipboard contents, installed programs, running processes, desktop screenshots, stored WiFi credentials, and browser session data.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The payload used DLL hijacking by pairing a legitimate Lightshot executable with the attacker’s DLL.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Koi Security identified command-and-control (C2) domains designed to receive exfiltrated data, along with a distinct mutex name intended to stop multiple instances from running simultaneously.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Koi Security attributed both extensions to the same threat actor experimenting with separate lures.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

At the time of writing, Codo AI is still live on the VS Code marketplace.
First reported: 09.12.2025 18:45 (3 sources, 5 articles)
- Malicious VS Code Extensions Deploy Advanced Infostealer — www.infosecurity-magazine.com — 09.12.2025 18:45
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

A campaign involving 19 Visual Studio (VS) Code extensions that embed malware inside their dependency folders has been uncovered by cybersecurity researchers.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Active since February 2025 but identified on December 2, the operation used a legitimate npm package to disguise harmful files and bundled malicious binaries inside an archive masquerading as a PNG image.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

This approach, observed by ReversingLabs (RL), enabled attackers to bypass conventional checks and target developers directly.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Some extensions imitate popular tools, while others advertise new features but secretly execute unwanted code.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

In this new campaign, attackers embedded a modified version of the npm package path-is-absolute inside the extensions’ node_modules folders.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The original package is widely used, with more than 9 billion downloads since 2021, but the altered version included a class designed to trigger malware when VS Code starts.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The attackers also included a file named banner.png, which appeared harmless but opened as an archive containing two binaries.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The dropper launched these files via cmstp.exe, a common living-off-the-land binary (LOLBIN).
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

One executable closed the process by simulating a keypress, while the other was a Rust-based Trojan still being analyzed at the time of this report.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Although the techniques differed, the goal remained the same: covertly execute malware through trusted components.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Detecting malicious VS Code extensions has become increasingly urgent, ReversingLabs warned. The firm said detections grew from 27 in 2024 to 105 in the first 10 months of 2025.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

To reduce risk, teams are encouraged to inspect extensions before installation, audit all bundled dependencies, and use security tools capable of evaluating package behavior.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
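
One way to run the pre-install inspection recommended above, as an added example that is not code from ReversingLabs, Koi Security or any of the cited reports: a static triage pass over an unpacked extension that flags image-named files whose bytes are really an archive or executable (the banner.png case) and theme-only manifests that still declare activation events or an entry point (the Bitcoin Black case). The sample directory layout, the placement of banner.png under node_modules/path-is-absolute, and all function names are assumptions constructed for the demonstration.

```python
"""Static triage of an unpacked VS Code extension directory (added example)."""
import json
import os
import tempfile
import zipfile

# Leading-byte signatures: what a file really is, regardless of its name.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip archive"),
    (b"7z\xbc\xaf\x27\x1c", "7z archive"),
    (b"Rar!\x1a\x07", "rar archive"),
    (b"MSCF", "cab archive"),
    (b"\x1f\x8b", "gzip archive"),
    (b"MZ", "windows executable"),
]
IMAGE_EXTENSIONS = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}
# Contribution points that are pure data and need no extension code to run.
DECLARATIVE_ONLY = {"themes", "iconThemes", "productIconThemes"}


def sniff(path):
    """Classify a file by its first bytes; 'unknown' if no signature matches."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def audit_manifest(manifest_path):
    """Flag manifest settings that a declarative (theme-only) extension never needs."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    findings = []
    events = manifest.get("activationEvents", [])
    contributes = set(manifest.get("contributes", {}))
    theme_only = bool(contributes) and contributes <= DECLARATIVE_ONLY
    if "*" in events:
        findings.append("activates on every event ('*')")
    if theme_only and (events or "main" in manifest or "browser" in manifest):
        findings.append("theme-only extension ships executable entry point")
    return findings


def audit_extension(root):
    """Return sorted (relative_path, finding) pairs for one unpacked extension."""
    findings = []
    manifest = os.path.join(root, "package.json")
    if os.path.isfile(manifest):
        findings += [("package.json", msg) for msg in audit_manifest(manifest)]
    # Walk everything, including node_modules: bundled dependencies ship as-is.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            kind = sniff(path)
            expected = IMAGE_EXTENSIONS.get(os.path.splitext(name)[1].lower())
            if expected and kind != expected:
                findings.append((rel, f"named as {expected} image but content is {kind}"))
            elif kind == "windows executable":
                findings.append((rel, "bundled Windows executable (review provenance)"))
    return sorted(findings)


def build_sample(root):
    """Write a constructed, harmless sample extension that trips the checks."""
    dep = os.path.join(root, "node_modules", "path-is-absolute")
    os.makedirs(dep)
    os.makedirs(os.path.join(root, "themes"))
    manifest = {
        "name": "sample-theme",            # constructed name
        "version": "1.0.0",
        "main": "./extension.js",          # themes need no entry point
        "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Sample", "path": "./themes/dark.json"}]},
    }
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(root, "themes", "dark.json"), "w", encoding="utf-8") as fh:
        fh.write("{}")
    with open(os.path.join(root, "extension.js"), "w", encoding="utf-8") as fh:
        fh.write("// placeholder\n")
    with open(os.path.join(root, "icon.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)   # genuine PNG signature
    # A ZIP archive saved under an image name; it holds only a text placeholder.
    with zipfile.ZipFile(os.path.join(dep, "banner.png"), "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample, no payload")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample(sample_root)
        for rel_path, finding in audit_extension(sample_root):
            print(f"{rel_path}: {finding}")
```

Native `.node` add-ons are also PE files on Windows, so the executable finding is a prompt to verify provenance rather than a verdict.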

All the mentioned extensions have been reported to Microsoft.
First reported: 11.12.2025 18:00 (3 sources, 4 articles)
- Malware Discovered in 19 Visual Studio Code Extensions — www.infosecurity-magazine.com — 11.12.2025 18:00
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The campaign involved 19 VSCode extensions that used a modified version of the npm package 'path-is-absolute' to execute malware when VSCode starts.
First reported: 11.12.2025 22:54 (2 sources, 3 articles)
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The malicious extensions included a file named 'banner.png' that appeared harmless but opened as an archive containing two binaries: a living-off-the-land binary (LoLBin) called 'cmstp.exe' and a Rust-based trojan.
First reported: 11.12.2025 22:54 (2 sources, 3 articles)
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

The extensions used variations of the following names, all published with the version number 1.0.0: Malkolm Theme, PandaExpress Theme, Prada 555 Theme, Priskinski Theme.
First reported: 11.12.2025 22:54 (2 sources, 3 articles)
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

ReversingLabs reported the malicious extensions to Microsoft, and all of them have been removed from the VSCode Marketplace.
First reported: 11.12.2025 22:54 (2 sources, 3 articles)
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file — www.bleepingcomputer.com — 11.12.2025 22:54
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43

Evelyn Stealer malware targets developers using Visual Studio Code extensions to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data.
First reported: 20.01.2026 13:48 (2 sources, 3 articles)
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The malware harvests clipboard content, installed apps, cryptocurrency wallets, running processes, desktop screenshots, stored Wi-Fi credentials, system information, and credentials and stored cookies from Google Chrome and Microsoft Edge.
First reported: 20.01.2026 13:48 (2 sources, 3 articles)
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The malware implements safeguards to detect analysis and virtual environments and terminates active browser processes to ensure seamless data collection.
First reported: 20.01.2026 13:48 (2 sources, 3 articles)
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The malware uses specific command-line flags to launch browsers in a stealthy manner, preventing detection and forensic traces.
First reported: 20.01.2026 13:48 (2 sources, 3 articles)
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The DLL downloader creates a mutual exclusion (mutex) object to ensure only one instance of the malware can run at any given time.
First reported: 20.01.2026 13:48 (2 sources, 3 articles)
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The Evelyn Stealer campaign targets organizations with software development teams that rely on VS Code and third-party extensions.
First reported: 20.01.2026 13:48 (2 sources, 3 articles)
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The malware exfiltrates collected data to a remote server (server09.mentality[.]cloud) over FTP in the form of a ZIP file.
First reported: 20.01.2026 13:48 (2 sources, 3 articles)
- Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto — thehackernews.com — 20.01.2026 13:48
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
Two malicious extensions in Microsoft’s Visual Studio Code (VSCode) Marketplace, collectively installed 1.5 million times, exfiltrate developer data to China-based servers.
First reported: 23.01.2026 22:11 (2 sources, 2 articles)
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The extensions are advertised as AI-based coding assistants and provide the promised functionality but do not disclose the upload activity or ask users for consent to deliver data to a remote server.
First reported: 23.01.2026 22:11 (2 sources, 2 articles)
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The extensions use three distinct data-collection mechanisms: real-time monitoring of files opened in the VS Code client, server-controlled file-harvesting commands, and zero-pixel iframes in the extension’s webview to load four commercial analytics SDKs.
First reported: 23.01.2026 22:11 (2 sources, 2 articles)
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
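One way to audit an extension's webview markup for the zero-pixel iframes described above, as an added example that is not code from the cited reports: it parses HTML and reports every iframe whose width or height resolves to zero through attributes or inline style, together with the host it loads. It assumes the webview HTML has already been extracted from the extension bundle as a string; the sample markup and the `.example` hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# "0", "0px", "0.0em", "0%" all count as a zero dimension.
ZERO = re.compile(r"^0+(\.0+)?(px|%|em|rem)?$")
# width/height declarations inside an inline style attribute (not min-width etc.).
STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*([^;!]+)", re.I)


class HiddenIframeFinder(HTMLParser):
    """Collect iframes whose width or height is zero via attributes or inline style."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {k: (v or "").strip() for k, v in attrs}
        dims = {k: attr[k] for k in ("width", "height") if k in attr}
        # Inline style overrides the presentational attributes, so apply it last.
        for key, value in STYLE_DIM.findall(attr.get("style", "")):
            dims[key.lower()] = value.strip()
        zero = sorted(k for k, v in dims.items() if ZERO.match(v.lower()))
        if zero:
            host = urlparse(attr.get("src", "")).hostname or "(no src)"
            self.findings.append((host, zero))


def find_hidden_iframes(html):
    """Return [(host, [zero dimensions])] for every zero-sized iframe in the markup."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup: two zero-sized iframes and one visible one.
SAMPLE_WEBVIEW = """
<div id="chat"></div>
<iframe src="https://sdk.analytics.example/collect.html" width="0" height="0"></iframe>
<iframe src="https://cdn.tracker.example/t.html" style="border:0; width:0px; height:0px"></iframe>
<iframe src="https://docs.vendor.example/help.html" width="400" height="300"></iframe>
"""
```

Iframes sized by an external stylesheet or created at runtime by script are outside what this static pass sees, so a clean result is not proof of absence.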
The extensions exfiltrate entire file contents and changes to the attackers’ servers, harvest up to 50 files from the victim’s workspace each time, and use SDKs to track user behavior, build identity profiles, fingerprint devices, and monitor activity inside the editor.
First reported: 23.01.2026 22:11 (2 sources, 2 articles)
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The extensions pose risks including the exposure of private source code, configuration files, cloud service credentials, and .env files containing API keys and credentials.
First reported: 23.01.2026 22:11 (2 sources, 2 articles)
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The extensions are part of a campaign dubbed 'MaliciousCorgi'; they share the same code for stealing developer data, use the same spyware infrastructure, and communicate with the same backend servers.
First reported: 23.01.2026 22:11 (2 sources, 2 articles)
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The extensions are still present on the marketplace at the time of publishing: ChatGPT – 中文版 (publisher: WhenSunset, 1.34 million installs) and ChatMoss (CodeMoss) (publisher: zhukunpeng, 150k installs).
First reported: 23.01.2026 22:11 (2 sources, 2 articles)
- Malicious AI extensions on VSCode Marketplace steal developer data — www.bleepingcomputer.com — 23.01.2026 22:11
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The extensions use four commercial analytics SDKs: Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, all of which are major data analytics platforms based in China.
First reported: 26.01.2026 17:43 (1 source, 1 article)
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The extensions capture every file being opened and every source code modification and send them to servers located in China (aihao123[.]cn) without users' knowledge or consent.
First reported: 26.01.2026 17:43 (1 source, 1 article)
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
The extensions work exactly as advertised, providing autocomplete suggestions and explaining coding errors, which avoids raising red flags and lowers users' suspicion.
First reported: 26.01.2026 17:43 (1 source, 1 article)
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
Similar Happenings
Hackers Exploit Misconfigured Security Testing Apps to Breach Cloud Environments
Threat actors are exploiting misconfigured security testing applications, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to gain access to cloud environments of Fortune 500 companies and security vendors. These applications, intended to be intentionally vulnerable for training and testing, pose a significant risk when exposed on the public internet and executed from privileged cloud accounts. Researchers from Pentera discovered 1,926 live, vulnerable applications linked to overly privileged IAM roles, deployed on AWS, GCP, and Azure. Many instances used default credentials and exposed cloud credential sets, allowing attackers to deploy crypto miners, webshells, and gain admin access to cloud environments. Active exploitation was confirmed, with evidence of crypto mining using XMRig, deployment of webshells, and advanced persistence mechanisms. Security vendors such as F5, Cloudflare, and Palo Alto Networks were among those affected.
VoidLink Malware Framework Targets Cloud and Container Environments
A new advanced Linux malware framework, codenamed VoidLink, has been discovered targeting cloud and container environments. Developed by a single person with the help of an artificial intelligence model, VoidLink is a highly modular and flexible framework designed for long-term, stealthy access to Linux-based systems. It includes custom loaders, implants, rootkits, and over 30 plugins, enabling operators to adapt its capabilities over time. The malware is engineered to detect major cloud environments and adapt its behavior when running within Docker containers or Kubernetes pods. It also gathers credentials associated with cloud environments and source code version control systems like Git. VoidLink's capabilities include anti-forensics, reconnaissance, credential harvesting, lateral movement, and persistence, making it a full-fledged post-exploitation framework. The framework is written primarily in the Zig programming language and includes plans to extend its detection capabilities to additional cloud environments such as Huawei, DigitalOcean, and Vultr. VoidLink's documentation suggests it is intended for commercial purposes, and its development environment includes debug symbols and other development artifacts, indicating in-progress builds. VoidLink uses a custom encrypted messaging layer called 'VoidStream' to camouflage traffic and includes 35 plugins in the default configuration. The framework employs rootkit modules to hide processes, files, network sockets, or the rootkit itself, and includes advanced anti-analysis mechanisms to detect debuggers, perform runtime code encryption, and integrity checks. VoidLink's anti-forensic modules erase logs, shell history, login records, and securely overwrite all files dropped on the host, minimizing exposure to forensic investigations. VoidLink was developed with the help of an artificial intelligence model, reaching a functional iteration in under a week. 
The developer used Spec-Driven Development (SDD) to define the project's goals and set constraints, with the AI generating a multi-team development plan. VoidLink reached 88,000 lines of code by early December 2025, and researchers successfully reproduced the workflow, confirming that an AI agent can generate code similar to VoidLink's. The developer utilized regular checkpoints to check in on the AI-generated code to ensure that the model was developing it as instructed and that the code worked.
Target's internal source code allegedly stolen and offered for sale
Hackers claim to have stolen and are selling internal source code from Target Corporation. They published sample repositories on Gitea and advertised a larger dataset for sale on an underground forum. Target's developer Git server, git.target.com, became inaccessible after the claims were made public. Multiple current and former Target employees have confirmed the authenticity of the leaked source code and documentation. Internal communications announced an 'accelerated' security change restricting access to Target's Enterprise Git server. The leaked data includes references to real internal systems and proprietary project codenames, raising concerns about the scope and sensitivity of the stolen data. Security researcher Alon Gal identified a Target employee workstation compromised by infostealer malware in late September 2025 with extensive access to internal services, potentially linked to the data leak.
DarkSpectre Campaigns Target 8.8 Million Users with Malicious Browser Extensions
A Chinese threat actor, DarkSpectre, has been linked to three malicious browser extension campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—which have collectively impacted 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox over seven years. The campaigns facilitate data theft, search query hijacking, affiliate fraud, and corporate espionage by exfiltrating meeting-related data from video conferencing platforms. Additionally, five new malicious Chrome extensions impersonating HR and ERP platforms have been discovered, targeting Workday, NetSuite, and SAP SuccessFactors to hijack accounts. These extensions steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking. The extensions, some of which were recently taken down, used delayed activation and benign updates to evade detection and build trust before deploying malicious functionality. The extensions were designed to look polished and professional, with some claiming to contain security features to prevent account compromise. They engaged in a range of actions to take control of accounts, including extracting authentication cookies and uploading them to a command and control (C2) server every 60 seconds. The extensions prevented passwords from being changed to help ensure stolen access tokens remained valid indefinitely and prevented security teams from locking out compromised accounts during remediation. Administrators attempting to disable an affected user's account encountered a blank page and redirect loop. Socket recommended that organizations implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions and monitor for extensions targeting the same enterprise platforms with similar permission requests.
ErrTraffic Service Enables Automated ClickFix Attacks via Fake Browser Glitches
A new cybercrime tool called ErrTraffic automates ClickFix attacks by generating fake browser glitches on compromised websites to trick users into downloading malware or following malicious instructions. The service promises high conversion rates and delivers architecture-specific payloads. ClickFix attacks have gained popularity among cybercriminals and state-sponsored actors for bypassing security controls. ErrTraffic is sold for a one-time purchase of $800 and offers a user-friendly panel for campaign management. It modifies the DOM of compromised websites to display visual glitches, prompting victims to execute malicious commands. Payloads include Lumma and Vidar info-stealers on Windows, Cerberus trojan on Android, AMOS stealer on macOS, and unspecified Linux backdoors.