VDB

GCVE-110-OSM-2026-1017

GCVE-110-OSM-2026-1017
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published March 27, 2026
TigerJack Campaign (2025): HTTP Format by tigerjack. CoinIMP cryptominer. Status: Removed from VSCode, still on OpenVSX The "HTTP Format" extension (published under ab-498, 498, and 498-00 accounts) masquerades as a lightweight HTTP file formatter that actually delivers its promised functionality—pressing Ctrl+Shift+F formats HTTP/REST API requests. However, the extension covertly deploys a cryptocurrency mining operation using the CoinIMP service. Hardcoded credentials embedded in the obfuscated code include Site Key 53415facb13dccbdf8523b5eefd45d01f6b16bf984cd8cf39ac04150266a4cd9, API Key a8cf5c9291594c471bb786dcadeb9845bc3cc26a17ec52ec632a9bb7844e5b87, and username mainuser. The malware communicates with coinimp[.]com endpoints including /api/v2/user/balance, /api/v2/user/list, and /api/v2/user/withdraw to monitor mining progress, manage compromised systems, and withdraw mined cryptocurrency to TigerJack's wallets. The variant published under the "498" account (498.httpformat) included the same remote code execution backdoor found in other TigerJack extensions, polling ab498.pythonanywhere[.]com/static/in4.js every 20 minutes and executing fetched JavaScript via eval(). This transforms infected machines from passive cryptominers into fully controllable nodes capable of receiving arbitrary payloads on demand. The extension was part of the 17,000+ downloads across TigerJack's operation before Microsoft's silent removal, and like its companion malware, it remains fully operational on the OpenVSX marketplace.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownHTTP Formatall (affected)

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›