Kickbacks.ai Security Review: VS Code Adware With a Payout Page
Kickbacks.ai security review and reverse engineering. This VS Code extension patches files, runs unsigned updates, and acts as adware. What businesses should know.
TL;DR: Kickbacks.ai is a VS Code extension that patches Claude Code's files, weakens its security policy, and auto-updates every 90 seconds with no signature verification. The domain is 5 weeks old. It was removed from the VS Code Marketplace. Security issues on GitHub have zero maintainer response. Three competitors offer 70% revenue share without touching your files. If your developers installed this, remove it.
# Developer tools that pay you to use them should raise questions.
A VS Code extension called Kickbacks.ai has been making the rounds on developer social media. The pitch: install it, let it show ads in Claude Code's loading spinner, collect a 50/50 revenue split. Popular tech accounts have been endorsing it. Screenshots of earnings dashboards are everywhere.
We installed it, ran it for three days, then reverse-engineered the entire bundled source code and captured the network traffic with Wireshark.
What we found is not a developer tool. It's adware with a Stripe payout page.
# What it does to the machines it runs on.
Kickbacks doesn't just display ads. It patches the files of another extension on disk. Specifically, it modifies Anthropic's Claude Code extension by appending JavaScript to the webview and relaxing the Content Security Policy to open a localhost communication channel.
Every 60 seconds, it checks whether those patches are still in place. If anything removed them, it re-applies them automatically. If the ad overlay stops responding for 5 minutes, it escalates through patch cycling, forced webview reloads, and user-facing notifications.
This is persistence behavior. It's the kind of thing endpoint detection tools flag.
Here's what it looks like when you're watching it happen:
# The self-update pipeline is unsigned. That's the real danger.
Every 90 seconds, the extension polls a remote server for a new version. If one exists, it downloads and installs it automatically. The code contains a signature verification function, but the embedded public key is an empty string. The verification never runs.
The SHA-256 hash and the download both come from the same server. If that server is ever compromised, every machine running this extension installs whatever the attacker pushes. Silently. Every 90 seconds. There is no setting to disable this.
Think about what that means. If someone compromises a single Google Cloud Storage bucket, they can push code to every developer machine running Kickbacks. That code runs inside VS Code with full access to your filesystem, your terminal, your SSH keys, your environment variables, your source code. The extension already has the permissions. The CSP is already relaxed. The auto-update pipeline is already trusted. An attacker wouldn't need to break anything new. They would just use the door Kickbacks already opened.
This is the supply chain attack pattern. Trust a vendor. Vendor gets compromised. Every customer inherits the compromise automatically.
# The legal protection is a joke.
Their Terms of Service cap their liability at $100. That's Section 15.2. If their unsigned update pipeline gets compromised and your source code gets exfiltrated, the most they owe you is a hundred dollars.
Meanwhile, Section 11.2 says you bear sole responsibility for making sure this doesn't violate Anthropic's terms. Section 16.1 says you indemnify Kickbacks against any claims from your employer or platform providers. And Section 4e of their license says you cannot disable their telemetry or security mechanisms. So protecting yourself from the unsigned update pipeline violates their terms.
They take 50% of the revenue. You take 100% of the risk. And the maximum they'll ever pay for the damage is less than your monthly coffee budget.
# The red flags keep stacking.
The domain was registered 5 weeks ago, hidden behind a WHOIS privacy proxy. There is no publicly available contact, help, about, or support page on their site.
The extension was removed from the VS Code Marketplace. Installation is now only possible via a direct file download, which bypasses all marketplace review.
There are open security vulnerabilities on GitHub with zero maintainer response. Issue #86 demonstrates how anyone can fabricate unlimited billable impressions, directly charging advertisers for views that never happened. Issue #107 documents six more vulnerabilities including a hardcoded click token and leaked admin API docs.
The founder's GitHub bio describes the project as "AI hobbies."
The homepage claims $89,401 earned by developers on a platform that launched 12 days before our investigation.
# This incentivizes the wrong behavior.
Here's something nobody is talking about. An extension that pays developers to watch AI think creates a financial incentive to use AI more and think less. The longer Claude runs, the more ads show, the more money you make.
That means developers are incentivized to send vague prompts that take longer to process. To let the AI churn on problems they could solve faster themselves.
To run Claude on tasks where a 30-second manual fix would be more efficient than a 5-minute AI generation. To keep the spinner going as long as possible because the spinner is the revenue.
For employers, this means your developers now have a financial reason to be less efficient with your AI tool budget. Every wasted Claude cycle generates ad impressions. Every unnecessary retry earns fractions of a penny. The incentive structure is backwards. You are paying for Claude tokens so your developer can earn ad revenue by burning them.
And for the broader developer community, normalizing "get paid to watch AI work" pushes us further from the discipline that makes AI tools useful in the first place: writing clear prompts, reviewing output carefully, knowing when to use the tool and when not to.
# Why this matters for businesses.
If developers on your team installed this extension on company machines:
- A third-party tool is modifying the internals of another extension on those machines. That's a supply chain vector.
- The IDE's webview security policy has been weakened to allow new network connections.
- The extension can silently push new code to those machines every 90 seconds with no signature verification. If compromised, that means full filesystem access on every developer machine.
- There is no way to contact the company behind it. No support channel. No accountability.
- Your developers now have a financial incentive to let AI tools run longer than necessary, burning your token budget.
Security teams should be aware of this tool and consider blocking it.
# The $89,401 claim.
The Kickbacks homepage claims $89,401 earned by developers. The platform launched June 11. At their stated $1 CPM minimum, that requires 89 million billable 5-second ad views in roughly 12 days. The math does not hold up.
For context, here is what our test account earned over four days of active Claude Code usage:

$2.24 total. $1.32 on the best day. At that rate you're looking at roughly $10-15/month of earnings, assuming you code with Claude every single day. The $10 minimum payout threshold takes about three weeks to hit. Meanwhile, the platform's claimed total jumped from $89,401 to $101,926 in under 24 hours. That's $12,525 in a single day. Draw your own conclusions.
# The ad inventory is thin.
We monitored the ad rotation over several days. The portfolio includes some real companies like Ramp and Sentry alongside a mix of alpha-stage startups, a GLP-1 weight loss medication service, a bible research CLI, and earnd.dev, a direct competitor to Kickbacks. When inventory runs low, Kickbacks fills slots with its own self-promotional ads ("nasdaq_for_ads"). The homepage bid queue at the time of our review showed "No queued bids." That's not a thriving marketplace. It's a small pool of advertisers rotating through a system that's burning developer trust for fractions of a penny per impression.
# This spawned an entire category of copycats.
Kickbacks is not the only product doing this. Within 48 hours, three competitors launched:
- IdleAds: 70% revenue share. Server-side verification. No file patching.
- Idlen: 70%. Widest surface area across developer tools.
- Sponsoric: 70% via CLI/REST integration.
We are not recommending any of these. The entire concept of paying developers to watch AI think is backwards. It incentivizes waste, it normalizes ad injection into development tools, and it treats your IDE as billboard space. The fact that competitors exist doesn't validate the idea. It just means more people saw an opportunity to monetize developer attention in a space that should be focused on productivity.
# What to do.
Remove it:
- Open the VS Code command palette and run `Kickbacks: Restore Claude Code` to revert the file changes
- Uninstall the extension: `code --uninstall-extension kickbacksai.kickbacks-ai`
Block it org-wide:
- Add the extension ID `kickbacksai.kickbacks-ai` to your VS Code extension blocklist or MDM policy
- For Intune or JAMF managed devices, deploy the block at the profile level
- Monitor for outbound connections to `kickbacks-backend-gmdaqm2c7q-uw.a.run.app` (34.143.72.2 through 34.143.79.2)
# More products like this are coming.
As AI coding tools grow, the "get paid while the AI thinks" pitch will keep appearing. More extensions will try to turn your IDE into ad space. Some will be less invasive than Kickbacks. None of them are doing you a favor.
The questions to ask are always the same. Does it modify files it doesn't own? Does it weaken security boundaries it didn't create? Does it update itself without your knowledge? Can you actually reach the company behind it? Does it incentivize your team to waste resources?
If the answer to any of those is yes, it doesn't belong on a company machine.
For the full technical reverse engineering with code-level findings and Wireshark captures, read the original research: Kickbacks.ai Review: VS Code Adware, Reverse-Engineered by Darius J Davis.
This investigation was conducted through source code analysis, packet capture, WHOIS research, and live testing over four days. If you have questions about our findings or want help assessing tools like this in your environment, email us at hello@southsidechisolutions.com.