TigerJack’s malicious VSCode extensions mine, steal, and stay hidden
Coordinated multi-account operation: Koi researchers found 11 extensions across multiple accounts, making it a coordinated operation. "This multi-account strategy provides redundancy when one account gets flagged, creates the illusion of independent developers, and demonstrates professional-level social engineering: GitHub repositories for credibility, consistent branding across extensions, detailed feature lists, professional marketplace presentations, and strategic naming that mimics legitimate tools (cppformat, pythonformat, httpformat)," the researchers said.

The analysis traced the malicious GitHub accounts back to a Facebook profile under the name "Zubaer Ahmed", pointing to a likely operational slip that exposed the attacker's real identity. The profile has since been taken down.

For developers and organizations relying heavily on VSCode or OpenVSX, the extensions could compromise not just a codebase but entire build environments or deployment pipelines, Sood noted. Compromised extensions can silently exfiltrate or tamper with source code that later moves into production, effectively turning VSCode into a vector for software supply-chain attacks. In collaborative environments, a single infected deployment could compromise shared repositories or inject backdoors into dependencies.

Koi researchers emphasized that TigerJack's re-emergence reveals a deeper weakness in the extension ecosystem: developer tools still rely on reputation and user ratings rather than on code auditing or signed binaries. "OpenVSX and other alternative marketplaces appear to have virtually no security detection mechanisms in place," they said. "While Microsoft eventually identifies threats after months of damage, these platforms operate with minimal or no malware scanning whatsoever."

Individuals using either of the impacted platforms should vet their extensions thoroughly and only download packages from reputable sources, Sood added. "Additionally, users should implement security measures that can raise alarms about potential vulnerabilities so users have the opportunity to close them before they're exploited."
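One concrete way to act on the "vet your extensions" advice is to inventory what is actually installed and flag anything that fails a simple policy before a human looks at it. The script below is an added example written for this page; it is not code from the article, from Koi, or from Microsoft or OpenVSX. It assumes (not stated on the page) that VS Code keeps an `extensions.json` array in its extensions directory, with an `identifier.id` of the form `publisher.name` and a `relativeLocation` folder containing the extension's `package.json`, and that `activationEvents: ["*"]` in that manifest means the extension runs at every editor start. The publisher allowlist and the sample manifests are constructed for the example; the lookalike names come from the article.

```python
"""
Added example: audit locally installed VS Code extensions against a simple
policy (publisher allowlist, startup activation, lookalike names, manifest
consistency). Not the article's or any vendor's code; file layout is assumed.
"""
import json
from pathlib import Path

# Constructed sample, modelled on the assumed shape of extensions.json.
SAMPLE_EXTENSIONS_JSON = [
    {"identifier": {"id": "ms-python.python"}, "version": "2024.0.0",
     "relativeLocation": "ms-python.python-2024.0.0"},
    {"identifier": {"id": "someone.cppformat"}, "version": "1.0.3",
     "relativeLocation": "someone.cppformat-1.0.3"},
]

# Constructed package.json manifests, keyed by relativeLocation.
SAMPLE_MANIFESTS = {
    "ms-python.python-2024.0.0": {
        "name": "python", "publisher": "ms-python",
        "activationEvents": ["onLanguage:python"],
    },
    "someone.cppformat-1.0.3": {
        "name": "cppformat", "publisher": "someone",
        "activationEvents": ["*"],   # assumption: runs on every editor start
        "repository": {"url": "https://github.com/example/cppformat"},
    },
}

# Example organisational policy (assumption): publishers we have reviewed.
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode", "redhat", "golang"}

# Names the article says the campaign used to mimic legitimate tools.
LOOKALIKE_NAMES = {"cppformat", "pythonformat", "httpformat"}


def audit_extension(entry, manifest, trusted_publishers=TRUSTED_PUBLISHERS):
    """Return a dict with the extension id, version and a list of findings."""
    ext_id = entry["identifier"]["id"]
    publisher, _, name = ext_id.partition(".")
    findings = []
    if publisher not in trusted_publishers:
        findings.append("publisher not on allowlist")
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates on every startup (activationEvents '*')")
    if name in LOOKALIKE_NAMES:
        findings.append("name matches a lookalike pattern from the campaign")
    if not manifest:
        findings.append("no package.json found for this extension")
    elif manifest.get("publisher") != publisher:
        findings.append("manifest publisher differs from the extension id")
    return {"id": ext_id, "version": entry.get("version"), "findings": findings}


def audit_all(entries, manifests):
    """Audit every entry; a missing manifest is reported rather than skipped."""
    return [audit_extension(e, manifests.get(e.get("relativeLocation", ""), {}))
            for e in entries]


def load_from_disk(ext_dir=Path.home() / ".vscode" / "extensions"):
    """Read a real install (path and file layout are assumptions)."""
    with open(ext_dir / "extensions.json") as fh:
        entries = json.load(fh)
    manifests = {}
    for e in entries:
        rel = e.get("relativeLocation", "")
        pj = ext_dir / rel / "package.json"
        if pj.is_file():
            with open(pj) as fh:
                manifests[rel] = json.load(fh)
    return entries, manifests


if __name__ == "__main__":
    # Runs on the constructed sample so it works offline; swap in
    # audit_all(*load_from_disk()) to check a real machine.
    for r in audit_all(SAMPLE_EXTENSIONS_JSON, SAMPLE_MANIFESTS):
        status = "REVIEW" if r["findings"] else "ok"
        print(f"{status:6} {r['id']} {r['version']}: "
              f"{'; '.join(r['findings']) or '-'}")
```

The checks are deliberately cheap and deterministic so they can run in a pre-commit hook or a fleet inventory job; a hit only means "a person should look at this", which is the alarm-before-exploitation step the quoted advice asks for, not a malware verdict.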

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4072829/tigerjacks-malicious-vscode-extensions-mine-steal-and-stay-hidden.html
