TigerJack
TigerJack is a threat actor tracked for uploading malicious Visual Studio Code extensions to the official VS Code Marketplace and the OpenVSX registry, targeting developers. The reported activity involved at least 11 malicious VSCode extensions since the beginning of the year, with objectives including cryptocurrency theft and backdoor injection. The campaign has been described as distributing tainted plugins across multiple marketplaces simultaneously. Known malicious extensions attributed to TigerJack include “C++ Playground” and “HTTP Format,” which reappeared in OpenVSX after removal from the VS Code Marketplace. Reported capabilities include source code exfiltration to multiple endpoints via “C++ Playground,” covert deployment of a CoinIMP cryptominer via “HTTP Format,” and retrieval and execution of JavaScript code to dynamically deliver additional payloads without requiring extension updates. Based on the cited reporting, TigerJack’s extensions could support theft of credentials and API keys, ransomware deployment, intrusion into corporate networks through compromised developer endpoints, injection of backdoors into developers’ projects, and real-time monitoring of developer activity. No nation-state attribution is directly stated in the provided content. No aliases or sub-groups beyond the name TigerJack are directly mentioned in the content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- technology
- crypto
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Supply-chain campaign distributing malicious/tainted IDE plugins (VS Code extensions) across multiple extension marketplaces to compromise developer environments and potentially trojanize source code or build pipelines.
Supply-chain style abuse of developer marketplaces by repeatedly uploading malicious VS Code extensions (including re-uploads after takedown) with the apparent goal of cryptocurrency theft.
Uploaded multiple malicious VSCode/OpenVSX extensions to target developers, enabling source code exfiltration, remote JavaScript payload retrieval/execution, credential/API key theft, CoinIMP cryptominer deployment, and potential follow-on actions such as ransomware deployment, backdoor injection into projects, and using compromised developer endpoints as pivots into corporate networks.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.