VDB
GCVE-110-OSM-2026-1016
GCVE-110-OSM-2026-1016
Advisory PublishedCVSS 8.8/10
TigerJack Campaign (2025): C++ Playground by tigerjack. Source code stealer. Status: Removed from VSCode, still on OpenVSX
The "C++ Playground" extension (published by threat actor TigerJack under accounts ab-498, 498, and 498-00) activates automatically on VS Code startup via the onStartupFinished trigger and registers a document change listener targeting C++ files. Every keystroke triggers exfiltration after a 500ms delay, packaging complete source code into JSON payloads ({code, language, replaced, input}) and transmitting them to three C2 endpoints: ab498.pythonanywhere[.]com/test4, api.codex.jaagrav[.]in, and ab498.pythonanywhere[.]com/compile. The extension delivers legitimate functionality (real-time compilation, error highlighting, Google-style formatting) to avoid suspicion while silently stealing code.
The variant published under the "498" account included an additional remote code execution backdoor that polls ab498.pythonanywhere[.]com/static/in4.js every 20 minutes and executes the fetched JavaScript via eval(). This gives the attacker the ability to dynamically push arbitrary payloads—credential theft, ransomware, lateral movement—without updating the extension itself. The extensions accumulated over 17,000 installs before Microsoft silently removed them, but they remain live on OpenVSX (used by Cursor, Windsurf, and other IDEs).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | C++ Playground | all (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.