tuckner
johntuckner.me
@johntuckner.me
Working on finding bad software extensions. More at: https://secureannex.com
We've found code extensions that openly call themselves malware in the VS Code marketplace recently, and now browser extensions posing as known malicious remote access tools in the Chrome Web Store. What gives?
November 12, 2025 at 3:41 PM
Attracting a lot of fans these days
November 11, 2025 at 9:45 PM
Did you know you can manage an allowlist of MCP extensions and MCP servers (yes they're different) used by Claude desktop? If you're a Claude Enterprise customer you can configure these settings centrally and roll them out. This is separate from Claude Code though.

Are you using this feature?
November 11, 2025 at 5:23 PM
Powerful new Detections have been added to Secure Annex. These are already catching subtle exploits like unicode extension names that evade other filters, manipulated download counts, and combinations of suspicious signatures in code.
November 10, 2025 at 3:30 PM
Two of these Cursor extensions will compromise your device the second you hit install. Good luck!
November 9, 2025 at 5:38 PM
Ridiculously cool that Tines is able to connect to MCP servers now. Understand entirely what any of the browser or code extensions you use might actually be doing. Orchestrate your extension review process or check if "Hello Kitty - You Glow Girl Cute Live Wallpaper" is more than what it says.
November 7, 2025 at 4:22 PM
Ransomware has appeared in the VS Marketplace and makes me worry. Clearly created through AI, it makes many mistakes like including decryption tools in the extension. If this makes it into the marketplace though, what impact would anything more sophisticated cause?

secureannex.com/blog/ransomv...
RansomVibing appears in VS Code extensions
Vibe coded ransomware has successfully been published to the VS Code extension marketplace
secureannex.com
November 5, 2025 at 5:44 PM
Reposted by tuckner
-Couple loses fortune to scammers
-Valid accounts still rule the day for initial access
-Open VSX rotate leaked creds
-ZeroAccess botnet dev is now a software dev
-BadCandy flourishes in Australia
-New Katreus miner
-Malware reports on Aura Stealer, SectopRAT, SleepyDuck RAT, OysterLoader
November 3, 2025 at 9:32 AM
From North Korean tradecraft to being used in Cursor extensions in two weeks. Etherhiding is a technique where malware can use Ethereum contracts as a resilient C2 channel detailed by Google Oct 15th. It is now appearing in code extensions with the first sighting November 1st.
November 3, 2025 at 4:34 PM
The SleepyDuck code extension malware is an advanced remote access trojan allowing for remote command execution on any endpoint that installs it. Take down the C2 server? It uses an Ethereum contract to update its settings to a new endpoint.

secureannex.com/blog/sleepyd...
SleepyDuck malware invades Cursor through Open VSX
The advanced SleepyDuck IDE extension RAT uses Ethereum contracts for persistence.
secureannex.com
November 2, 2025 at 4:58 AM
If you thought you were ahead by using Windsurf... nope!

Check out the @secureannex.com extension to protect yourself from malicious extensions right now.

open-vsx.org/extension/se...
October 31, 2025 at 5:23 PM
Today's edition of pick the right Solidity in Cursor. Yes - this IS different from yesterday
October 31, 2025 at 4:37 PM
Three malicious Solidity extensions were published to Open VSX today.

Would you be able to tell which is the real one in Cursor?

This repeated behavior has been going on since June and anyone can detect it by just matching against 'solidity'. When will progress be made?
October 31, 2025 at 1:42 AM
Most of us just want a Pikachu sprite dancing on our code, but threat actors want to spoil the fun. Yesterday five malicious VS Code extensions were published, one a Pokemon theme and syntax highlighter which instead disables Windows Defender and installs a cryptominer

secureannex.com/blog/pokemon...
October 30, 2025 at 6:32 PM
My first response from VS Marketplace support is requesting additional supporting evidence I have that this listing is malware.

If anyone can publish an extension with admittedly malicious intent with no response, what does that do for the health of the marketplace?
October 27, 2025 at 1:18 PM
The "test malware" made its way into the VS Marketplace easily
October 24, 2025 at 10:24 PM
🙄🙄🙄
October 24, 2025 at 8:35 PM
New docs available for Secure Annex! A bunch of new integration and setup guides to integrate with your environment.

docs.secureannex.com
October 16, 2025 at 4:07 PM
Dangerous namesquat for Tailwind was just published to Open VSX. Caught less than an hour after publishing. Tagged and blocked in Secure Annex.
October 15, 2025 at 6:28 PM
Reposted by tuckner
New, by me at this.weekinsecurity.com: If you're not using ad blockers, you should be!

In this deep-dive blog, I explain why ad blockers are critical for your online security and privacy, what threats ad blockers can help defend against, and we'll explore some of the best ad blockers out there.
Why ad blockers are a top security and privacy defense for everyone
Ad blockers can help defend against some of the top hacks, scams, and surveillance today. Here are some of the best ad blockers that you can use.
this.weekinsecurity.com
October 14, 2025 at 12:13 PM
Reposted by tuckner
None other than @cnn.com serving malware through the ads on its site...
October 13, 2025 at 10:59 PM
Interesting piece of protestware in the browser extension space. Injects a script that autoplays the Ukrainian national anthem on '.ru' domains.
October 10, 2025 at 3:19 PM
Secure Annex now has a code editor extension to help manage other extensions. One installation will protect VS Code, Cursor, and Windsurf. Any extension known to be malicious/suspicious will be uninstalled immediately from your editors. Get in touch if you're interested!
October 8, 2025 at 7:59 PM
Running statistics comparing when a browser extension is reported malicious/suspicious to when it is removed from the Chrome Web Store. Here is the breakdown:

Still active: 68.8%
91-365 days: 19.1%
31-90 days: 5.8%
Same day or 1 day: 2.9%
8-30 days: 2.3%
2-7 days: 1.2%
October 7, 2025 at 6:55 PM