
TigerJack malicious VSCode/OpenVSX extensions

Malware Activity
H score 14
2 unique sources, 2 articles

Summary


The TigerJack malware activity uses VSCode and OpenVSX extensions to target developers with source-code theft, crypto mining, and backdoor-style remote execution. At least 11 malicious extensions have been published since early 2025, including C++ Playground and HTTP Format, which were republished under new accounts after removal. One extension uses an `onDidChangeTextDocument` listener to exfiltrate code, another runs a CoinIMP miner, and related variants fetch JavaScript from `ab498.pythonanywhere.com/static/in4.js` every 20 minutes to execute arbitrary payloads.

Related Happenings

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
H score 68 · First: 12.05.2026 14:07 · Last: 12.05.2026 14:07 · Sources: 1

About this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...

Latest development: 09.06.2026 18:42

On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.

GlassWorm OpenVSX sleeper extension campaign

Campaign
H score 45 · First: 28.04.2026 00:41 · Last: 28.04.2026 00:41 · Sources: 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
H score 30 · First: 27.04.2026 14:23 · Last: 27.04.2026 14:23 · Sources: 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
H score 29 · First: 10.04.2026 16:23 · Last: 10.04.2026 16:23 · Sources: 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX

Malware Activity
H score 35 · First: 17.03.2026 23:42 · Last: 17.03.2026 23:42 · Sources: 1

About this happening: **GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...

Latest development: 28.04.2026 00:41

GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.

Timeline

  1. 15.10.2025 00:35 3 articles · 8mo ago

    TigerJack malicious extension campaign disclosed

    Initial Disclosure

    TigerJack is targeting developers through malicious extensions on Microsoft's Visual Studio Code (VSCode) marketplace and the OpenVSX registry, distributing at least 11 malicious VSCode extensions since the beginning of the year. Removed packages such as C++ Playground and HTTP Format were reintroduced under new accounts. C++ Playground uses an `onDidChangeTextDocument` listener to exfiltrate C++ source code, HTTP Format runs a CoinIMP miner, and other variants fetch JavaScript from `ab498.pythonanywhere.com/static/in4.js` every 20 minutes for arbitrary code execution and backdoor-style payload delivery. Koi Security reported the findings to OpenVSX, which had not responded by publication time.
