TigerJack Malware Infects Over 17,000 Developers, Steals Code, and Mines Crypto via Malicious VSCode Extensions
Published on October 15, 2025
- Multi-faceted attack: A threat actor deployed extensions that steal source code, hijack CPUs for cryptocurrency mining, and install remote backdoors.
- Widespread infection: At least 11 malicious VSCode extensions across multiple publisher accounts infected over 17,000 developers before being removed.
- Persistent threat: Some remain active on alternative platforms, and the actor continues to republish them under new names.
A persistent threat actor has been systematically infiltrating developer environments through malicious Visual Studio Code (VSCode) extensions. This campaign employs a sophisticated, multi-pronged strategy that includes real-time code theft, covert cryptocurrency mining, and the installation of persistent backdoors for remote code execution (RCE).
By publishing functional and seemingly legitimate extensions, the actor, tracked as TigerJack, has successfully compromised thousands of developers, highlighting significant risks in the software supply chain and developer cybersecurity.
Methods of Operation
The Tiger Jack malware operates through several extensions that deliver on their promised functionality while performing malicious activities in the background, according to a cybersecurity report by Koi.
For example, the "C++ Playground" extension, which gained significant traction, was found to exfiltrate a developer's complete source code in real-time to an external server.
Another extension, "HTTP Format," secretly utilized the host machine's CPU to mine cryptocurrency using hardcoded credentials for the CoinIMP service.
More alarmingly, other extensions were discovered to contain a backdoor mechanism, enabling the threat actor to fetch and execute arbitrary code, granting them complete control over the compromised system.
Extensions:
- ab-498.cppplayground
- ab-498.httpformat
- ab-498.pythonformat
- ab-498.cppformat
- 498.cppplayground
- 498.cppformat
- 498.httpformat
- 498.pythonformat
- 498-00.cppplayground
- 498-00.cppformat
- 498-00.pythonformat
- 498-00.testwebext
- 498-00.httpformat
A Fragmented and Vulnerable Ecosystem
This campaign exposes critical weaknesses in the security posture of developer marketplaces. Although Microsoft eventually removed the malicious extensions after they had infected over 17,000 users, the removal was done silently without notifying affected developers.
Furthermore, some of these malicious VSCode extensions remain active and available for download on alternative marketplaces like OpenVSX, which may lack robust security scanning.
The threat actor has also demonstrated resilience by republishing the same malware under new publisher accounts, creating a "shell game" that evades simple takedown measures and continues to place developers at risk.
Last month, the first known instance of an obfuscated AutoIt loader being used to deliver NBMiner was observed.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular