tuckner
@johntuckner.me
Working on finding bad software extensions. More at: https://secureannex.com
Loving a new detection that identifies code extensions published by new and lightly used GitHub accounts. This time it instantly caught an extension impersonating JFrog which already has over 10k downloads.
January 8, 2026 at 4:57 PM
Not the "pulling a Rabbit out of a hat" magic trick that most want. This Firefox extension completely changes from a "Simple Label Editor" to a Rabby wallet stealer overnight.
January 5, 2026 at 7:35 PM
A browser extension with over a million users is poaching the prompts of leading AI chat tools.

SimilarWeb loads obfuscated remote configuration to collect the prompts, responses and metadata of your conversations. Your private thoughts are analytics companies' gain.

secureannex.com/blog/prompt-...
Prompt poaching runs rampant in extensions
Web analytics companies are using browser extensions to monetize your most private thoughts
December 29, 2025 at 4:08 PM
These code comments are an improvement from:

1. Request malware
2. Download malware
3. Make malware executable
4. Run malware

This is the extent of the extension available in the VS Marketplace. Installs a Mythic agent from the C2.
December 17, 2025 at 3:18 PM
Monitoring a large influx of AI slop extensions that are reposting a marginally refactored but known malicious package. The marketplace listings are packed with emojis and a couple sections of 'features'. This one made the mistake of linking to an already known piece of malware.
December 10, 2025 at 8:15 PM
Welcome to Antigravity the newest most advanced agentic AI development tool by Google...

... uses Open VSX for extensions and shows malicious listings to users.
December 9, 2025 at 4:51 PM
Changing how an extension looks in a marketplace doesn't require new code to be pushed. Check out the magic when this "Test Extension" magically turns into a "solidity" extension after being published. Review the full lineage of a marketplace listing using the new date picker in Secure Annex.
December 5, 2025 at 3:01 PM
Vibe coded malicious extensions are getting out of hand!

This 'theme' downloads a malicious zip, unpacks it, and runs it silently with PowerShell.
December 5, 2025 at 12:17 AM
16 Firefox extensions with almost the same name, same permhash, requesting the most sensitive permission combinations like <all_urls> and cookies. Something being staged?
December 2, 2025 at 4:01 PM
Glassworm returned in a big way during the holiday. We're tracking 23 code extensions across the VS Marketplace and Open VSX which copy popular extensions, evade filters, manipulate their download counts, and then update with sinister malware.

secureannex.com/blog/glasswo...
Glassworm stays prevalent
Glassworm attacks look to take full advantage of the holidays
December 1, 2025 at 5:22 AM
Malware in Open VSX and available in Cursor right now

tailwind-nuxt.tailwindcss-for-react
flutcode.flutter-extension
yamlcode.yaml-vscode-extension
December 1, 2025 at 4:02 AM
Unprecedented code extension attacks this week. All are name squatting on popular tools. Only a couple have had malware deployed, many are still staging, few have been removed from marketplaces. There may be more coming.

VS Marketplace:
iconkieftwo.icon-theme-materiall

1/3
November 28, 2025 at 4:28 PM
Imagine how useful it would be if the Chrome Web Store showed you users over time. This ad blocker went from 0 to 40,000 users overnight! 🤔
November 24, 2025 at 2:38 PM
Going to have to reread Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson in order to keep up with the advanced tactics we're starting to see in VS Code extension malware.
November 20, 2025 at 3:30 PM
Really excited to be supporting crxaminer.tech with some Secure Annex details. Looking forward to more opportunities to get more information on browser extensions out there!
November 19, 2025 at 3:15 PM
Mackenzie Jackson is raising a red flag about the risks IDE extensions present. Always on top of the top industry trends. Thanks for letting me share a bit!

m.youtube.com/watch?v=FiJ_...
November 18, 2025 at 4:44 PM
The extension was approved, now what? Are you going back tomorrow to see if it changed? You know they auto update instantly right? Rolling out to Secure Annex - code change alerts.

This compares past code with additional context to understand how an extension is changing over time. Catch bad quick!
November 17, 2025 at 6:30 PM
A brand new unlisted extension with 100,000 users? 41 ratings? Must be really valuable.

Nope - completely manipulated stats and it doesn't even contain real code. It exists only to collect your searches and earn Bing Rewards.
November 14, 2025 at 5:14 PM
We've found code extensions openly calling themselves malware in the VS Code marketplace recently and now browser extensions posing as known malicious remote access tools in the Chrome Web Store. What gives?
November 12, 2025 at 3:41 PM
Attracting a lot of fans these days
November 11, 2025 at 9:45 PM
Did you know you can manage an allowlist of MCP extensions and MCP servers (yes they're different) used by Claude desktop? If you're a Claude Enterprise customer you can configure these settings centrally and roll them out. This is separate from Claude Code though.

Are you using this feature?
November 11, 2025 at 5:23 PM
Powerful new Detections are added to Secure Annex. These are already catching subtle exploits like unicode extension names that evade other filters, manipulated download counts, and combinations of suspicious signatures in code.
November 10, 2025 at 3:30 PM
Two of these Cursor extensions will compromise your device the second you hit install. Good luck!
November 9, 2025 at 5:38 PM
Ridiculously cool that Tines is able to connect to MCP servers now. Understand entirely what any of the browser or code extensions you use might actually be doing. Orchestrate your extension review process or check if "Hello Kitty - You Glow Girl Cute Live Wallpaper" is more than what it says.
November 7, 2025 at 4:22 PM
Ransomware has appeared in the VS Marketplace and makes me worry. Clearly created through AI, it makes many mistakes like including decryption tools in the extension. If this makes it through into the marketplace, what impact would anything more sophisticated cause?

secureannex.com/blog/ransomv...
RansomVibing appears in VS Code extensions
Vibe coded ransomware has successfully been published to the VS Code extension marketplace
November 5, 2025 at 5:44 PM