TigerJack malicious VSCode/OpenVSX extensions

Malware Activity
Happening score
H score 34
2 unique sources, 2 articles

Summary

The TigerJack malware activity is using VSCode and OpenVSX extensions to target developers with source-code theft, crypto mining, and backdoor-style remote execution. At least 11 malicious extensions have been published since early 2025, including C++ Playground and HTTP Format, which were later republished under new accounts after removal. One extension uses an `onDidChangeTextDocument` listener to exfiltrate code, another runs a CoinIMP miner, and related variants fetch JavaScript from `ab498.pythonanywhere.com/static/in4.js` every 20 minutes to execute arbitrary payloads.

Related Happenings

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX

Malware Activity
First: 17.03.2026 23:42 Last: 17.03.2026 23:42 Sources 1

About this happening: **GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...

Latest development: 28.04.2026 00:41

GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.

Timeline

  1. 15.10.2025 00:35 3 articles · 7mo ago

    TigerJack malicious extension campaign disclosed

    Initial Disclosure

    TigerJack is targeting developers through malicious extensions on Microsoft's Visual Studio Code (VSCode) marketplace and the OpenVSX registry, and has distributed at least 11 malicious VSCode extensions since the beginning of the year. Removed packages such as C++ Playground and HTTP Format were reintroduced under new accounts. C++ Playground uses an `onDidChangeTextDocument` listener to exfiltrate C++ source code, HTTP Format runs a CoinIMP miner, and other variants fetch JavaScript from `ab498.pythonanywhere.com/static/in4.js` every 20 minutes for arbitrary code execution and backdoor-style payload delivery. Koi Security reported the findings to OpenVSX, which had not responded by publication time.