Full Report
A threat actor called TigerJack is constantly targeting developers with malicious extensions published on Microsoft's Visual Studio Code (VSCode) marketplace and the OpenVSX registry to steal cryptocurrency and plant backdoors. [...]
Analysis Summary
# Threat Actor: TigerJack
## Attribution & Identity
* **Threat Actor Name:** TigerJack
* **Associated Groups/Aliases:** Primarily identified as targeting developers via malicious VSCode extensions. Described as running a "coordinated multi-account operation" using accounts disguised as independent developers with credible backgrounds (GitHub repositories, branding, detailed feature lists).
## Activity Summary
TigerJack is actively targeting developers by publishing malicious extensions on Microsoft's Visual Studio Code (VSCode) marketplace and the OpenVSX registry. Since the beginning of the year, the actor has distributed at least 11 malicious VSCode extensions. Specific campaigns involve:
* **Code Exfiltration:** Extensions like *C++ Playground* register a document-change listener (`onDidChangeTextDocument`) that captures edits to C++ files roughly 500 milliseconds after each change and exfiltrates the source code to external endpoints.
* **Cryptocurrency Mining:** The *HTTP Format* extension secretly runs a CoinIMP miner in the background; because the miner imposes no resource limits, it consumes the host's full CPU capacity.
* **Arbitrary Code Execution (ACE):** Extensions such as *cppplayground*, *httpformat*, and *pythonformat* periodically fetch and execute remote JavaScript code from a hardcoded address (`ab498[.]pythonanywhere[.]com/static/in4[.]js`), allowing dynamic payload deployment without updating the extension.
## Tactics, Techniques & Procedures
* **T1588.002 - Obtain Capabilities: Compromise Software Supply Chain:** Injecting malicious code into legitimate-looking extensions hosted on official/alternative marketplaces (VSCode Marketplace and OpenVSX).
* **T1059.003 - Command and Scripting Interpreter: JavaScript:** Executing arbitrary JavaScript payloads fetched from C2 infrastructure for ACE.
* **T1056.001 - Input Capture: Keystroke Monitoring:** Using event listeners in extensions to capture user input (keystrokes/code edits) in near real-time.
* **T1496 - Resource Hijacking:** Deploying cryptocurrency miners (CoinIMP) that consume significant host processing power.
* **T1071.001 - Application Layer Protocol: Web Protocols:** Using standard HTTP/S interaction to communicate with C2 infrastructure to retrieve payloads.
## Targeting
* **Sectors:** Software Development/Technology (Developers using VSCode and compatible editors).
* **Geography:** Not explicitly detailed, but targeting a global audience of developers using VSCode/OpenVSX.
* **Victims:** Developers who installed the compromised extensions. The two named extensions (*C++ Playground*, *HTTP Format*) had been downloaded 17,000 times before they were removed from the VSCode marketplace. Victims also include users of VSCode-compatible IDEs such as Cursor, which defaults to OpenVSX.
## Tools & Infrastructure
* **Malware families used:** CoinIMP (cryptocurrency miner). Generic, dynamically loaded JavaScript payloads for advanced actions.
* **Infrastructure (C2, domains, IPs):**
  * Remote code execution endpoint: `ab498[.]pythonanywhere[.]com/static/in4[.]js` (polled every 20 minutes).
  * Code exfiltration endpoints: multiple external endpoints used by the source code stealer.
## Implications
TigerJack presents a significant supply chain threat to the developer ecosystem. The actor's persistence across multiple marketplaces (VSCode and OpenVSX) and its ability to update payloads after installation make it highly dangerous. The most menacing capability is **arbitrary code execution**, which lets the actor move from simple theft and mining to deploying ransomware, stealing sensitive credentials and API keys, or using compromised developer machines as initial access points into larger corporate networks.
## Mitigations
* Exercise extreme caution when installing VSCode extensions; prefer extensions from well-vetted, widely used publishers.
* Developers using VSCode-compatible editors relying on OpenVSX should scrutinize installed packages, as this registry appears less responsive to take-down requests.
* Implement least privilege principles on development workstations to limit the blast radius if a malicious extension is executed.
* Monitor outbound network traffic from development environments for connections to known malicious domains and for regularly timed, beacon-like connections, and monitor host resource usage for sustained high CPU consumption indicative of crypto-mining.