VDB

GCVE-110-OSM-2026-1016

GCVE-110-OSM-2026-1016
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published March 27, 2026
TigerJack Campaign (2025): C++ Playground by tigerjack. Source code stealer. Status: Removed from VSCode, still on OpenVSX The "C++ Playground" extension (published by threat actor TigerJack under accounts ab-498, 498, and 498-00) activates automatically on VS Code startup via the onStartupFinished trigger and registers a document change listener targeting C++ files. Every keystroke triggers exfiltration after a 500ms delay, packaging complete source code into JSON payloads ({code, language, replaced, input}) and transmitting them to three C2 endpoints: ab498.pythonanywhere[.]com/test4, api.codex.jaagrav[.]in, and ab498.pythonanywhere[.]com/compile. The extension delivers legitimate functionality (real-time compilation, error highlighting, Google-style formatting) to avoid suspicion while silently stealing code. The variant published under the "498" account included an additional remote code execution backdoor that polls ab498.pythonanywhere[.]com/static/in4.js every 20 minutes and executes the fetched JavaScript via eval(). This gives the attacker the ability to dynamically push arbitrary payloads—credential theft, ransomware, lateral movement—without updating the extension itself. The extensions accumulated over 17,000 installs before Microsoft silently removed them, but they remain live on OpenVSX (used by Cursor, Windsurf, and other IDEs).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownC++ Playgroundall (affected)

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›