← Back to blog
supply chainadwaredeveloper toolsVS CodeAI securityreverse engineeringClaude Code

Kickbacks.ai Security Review: VS Code Adware With a Payout Page

Kickbacks.ai security review and reverse engineering. This VS Code extension patches files, runs unsigned updates, and acts as adware. What businesses should know.

Darius J Davis · June 28, 2026

Last updated: June 29, 2026

TL;DR: Kickbacks.ai is a VS Code extension that patches Claude Code's files, weakens its security policy, and auto-updates every 90 seconds with no signature verification. The domain is 5 weeks old. It was removed from the VS Code Marketplace. Security issues on GitHub have zero maintainer response. Three competitors offer 70% revenue share without touching your files. If your developers installed this, remove it.

#Developer tools that pay you to use them should raise questions.

A VS Code extension called Kickbacks.ai has been making the rounds on developer social media. The pitch: install it, let it show ads in Claude Code's loading spinner, collect a 50/50 revenue split. Popular tech accounts have been endorsing it. Screenshots of earnings dashboards are everywhere.

We installed it, ran it for three days, then reverse-engineered the entire bundled source code and captured the network traffic with Wireshark.

What we found is not a developer tool. It's adware with a Stripe payout page.

~/security/kickbacks-audit · reverse engineering

#What it does to the machines it runs on.

Kickbacks doesn't just display ads. It patches the files of another extension on disk. Specifically, it modifies Anthropic's Claude Code extension by appending JavaScript to the webview and relaxing the Content Security Policy to open a localhost communication channel.

Every 60 seconds, it checks whether those patches are still in place. If anything removed them, it re-applies them automatically. If the ad overlay stops responding for 5 minutes, it escalates through patch cycling, forced webview reloads, and user-facing notifications.

This is persistence behavior. It's the kind of thing endpoint detection tools flag.

Here's what it looks like when you're watching it happen:

~/security/kickbacks-audit · monitoring persistence + self-update

#The self-update pipeline is unsigned. That's the real danger.

Every 90 seconds, the extension polls a remote server for a new version. If one exists, it downloads and installs it automatically. The code contains a signature verification function, but the embedded public key is an empty string. The verification never runs.

The SHA-256 hash and the download both come from the same server. If that server is ever compromised, every machine running this extension installs whatever the attacker pushes. Silently. Every 90 seconds. There is no setting to disable this.

Think about what that means. If someone compromises a single Google Cloud Storage bucket, they can push code to every developer machine running Kickbacks. That code runs inside VS Code with full access to your filesystem, your terminal, your SSH keys, your environment variables, your source code. The extension already has the permissions. The CSP is already relaxed. The auto-update pipeline is already trusted. An attacker wouldn't need to break anything new. They would just use the door Kickbacks already opened.

This is the supply chain attack pattern. Trust a vendor. Vendor gets compromised. Every customer inherits the compromise automatically.

Their Terms of Service cap their liability at $100. That's Section 15.2. If their unsigned update pipeline gets compromised and your source code gets exfiltrated, the most they owe you is a hundred dollars.

Meanwhile, Section 11.2 says you bear sole responsibility for making sure this doesn't violate Anthropic's terms. Section 16.1 says you indemnify Kickbacks against any claims from your employer or platform providers. And Section 4e of their license says you cannot disable their telemetry or security mechanisms. So protecting yourself from the unsigned update pipeline violates their terms.

They take 50% of the revenue. You take 100% of the risk. And the maximum they'll ever pay for the damage is less than your monthly coffee budget.

#The red flags keep stacking.

The domain was registered 5 weeks ago, hidden behind a WHOIS privacy proxy. There is still no /contact, /help, /about, or /support page on their site. All four return 404.

The extension is still removed from the VS Code Marketplace. The marketplace listing still returns 404. Install is only possible via a direct file download that bypasses all marketplace review.

There are open security vulnerabilities on GitHub with zero maintainer response after more than two weeks. Issue #86 demonstrates how anyone can fabricate unlimited billable impressions, directly charging advertisers for views that never happened. Issue #107 documents six more vulnerabilities including a hardcoded click token and leaked admin API docs. Both issues still have zero comments. Zero acknowledgment.

The public repo has had no commits since June 12. That is nearly three weeks of silence on a product that is running unsigned auto-updates on developer machines.

The founder's GitHub bio describes the project as "AI hobbies."

The extension has stability problems. Our test extension got signed out, hit the kill switch multiple times, and stopped logging after June 25. Issue #143 on GitHub confirms "Constant Logouts" reported by other users. A third-party comparison on DEV.to flags Kickbacks for "patching Claude Code's rendering layer" as a specific risk.

#This incentivizes the wrong behavior.

Here's something nobody is talking about. An extension that pays developers to watch AI think creates a financial incentive to use AI more and think less. The longer Claude runs, the more ads show, the more money you make.

That means developers are incentivized to send vague prompts that take longer to process. To let the AI churn on problems they could solve faster themselves.

To run Claude on tasks where a 30-second manual fix would be more efficient than a 5-minute AI generation. To keep the spinner going as long as possible because the spinner is the revenue.

For employers, this means your developers now have a financial reason to be less efficient with your AI tool budget. Every wasted Claude cycle generates ad impressions. Every unnecessary retry earns fractions of a penny. The incentive structure is backwards. You are paying for Claude tokens so your developer can earn ad revenue by burning them.

And for the broader developer community, normalizing "get paid to watch AI work" pushes us further from the discipline that makes AI tools useful in the first place: writing clear prompts, reviewing output carefully, knowing when to use the tool and when not to.

#Why this matters for businesses.

If developers on your team installed this extension on company machines:

  • A third-party tool is modifying the internals of another extension on those machines. That's a supply chain vector.
  • The IDE's webview security policy has been weakened to allow new network connections.
  • The extension can silently push new code to those machines every 90 seconds with no signature verification. If compromised, that means full filesystem access on every developer machine.
  • There is no way to contact the company behind it. No support channel. No accountability.
  • Your developers now have a financial incentive to let AI tools run longer than necessary, burning your token budget.

Security teams should be aware of this tool and consider blocking it.

#The $109,189 claim.

Their own API now reports $109,189 total earned across 18,665 registered developers. That works out to $5.85 per developer. Total. Ever. Not per day, not per month. That is the lifetime average across the entire platform.

The platform launched June 11. At their stated $1 CPM minimum, $109,189 requires over 109 million billable 5-second ad views in under three weeks. During our original investigation, the claimed total jumped from $89,401 to $101,926 in under 24 hours, a $12,525 single-day spike.

For context, here is what our test account earned over four days of active Claude Code usage:

Kickbacks.ai earnings dashboard showing $2.24 lifetime earnings
Kickbacks.ai earnings dashboard showing $2.24 lifetime earnings

$2.24 total. $1.32 on the best day. At that rate you're looking at roughly $10-15/month of earnings, assuming you code with Claude every single day. The $10 minimum payout threshold takes about three weeks to hit. The API numbers confirm what our testing showed: this is not meaningful income for anyone.

#The ad inventory is thin. They're celebrating volume anyway.

Kickbacks is now claiming 100 million ads served and gave away $1,000 to the developer and $1,000 to the advertiser responsible for the 100 millionth impression. That is a marketing stunt, not a sign of health. One hundred million impressions across 18,665 developers, and the total payout is $109,189. That is $1.09 per thousand impressions, the CPM floor. The advertisers are not bidding this up.

We monitored the ad rotation over several days. The portfolio includes some real companies like Ramp and Sentry alongside a mix of alpha-stage startups, a GLP-1 weight loss medication service, a bible research CLI, and earnd.dev, a direct competitor to Kickbacks. When inventory runs low, Kickbacks fills slots with its own self-promotional ads ("nasdaq_for_ads"). The homepage bid queue at the time of our review showed "No queued bids." That's not a thriving marketplace. It's a small pool of advertisers rotating through a system that's burning developer trust for fractions of a penny per impression.

#This spawned an entire category of copycats.

Kickbacks is not the only product doing this. Within 48 hours, three competitors launched:

  • IdleAds: 70% revenue share. Server-side verification. No file patching.
  • Idlen: 70%. Widest surface area across developer tools.
  • Sponsoric: 70% via CLI/REST integration.

We are not recommending any of these. The entire concept of paying developers to watch AI think is backwards. It incentivizes waste, it normalizes ad injection into development tools, and it treats your IDE as billboard space. The fact that competitors exist doesn't validate the idea. It just means more people saw an opportunity to monetize developer attention in a space that should be focused on productivity.

#What to do.

Remove it:

  • Open VS Code command palette and run Kickbacks: Restore Claude Code to revert file changes
  • Uninstall the extension: code --uninstall-extension kickbacksai.kickbacks-ai

Block it org-wide:

  • Add the extension ID kickbacksai.kickbacks-ai to your VS Code extension blocklist or MDM policy
  • For Intune or JAMF managed devices, deploy the block at the profile level
  • Monitor for outbound connections to kickbacks-backend-gmdaqm2c7q-uw.a.run.app (34.143.72.2 through 34.143.79.2)

#More products like this are coming.

As AI coding tools grow, the "get paid while the AI thinks" pitch will keep appearing. More extensions will try to turn your IDE into ad space. Some will be less invasive than Kickbacks. None of them are doing you a favor.

The questions to ask are always the same. Does it modify files it doesn't own? Does it weaken security boundaries it didn't create? Does it update itself without your knowledge? Can you actually reach the company behind it? Does it incentivize your team to waste resources?

If the answer to any of those is yes, it doesn't belong on a company machine.

#Update: June 29, 2026

The marketplace relaunch. After being removed from the VS Code Marketplace, Kickbacks relaunched under a new publisher name and extension ID. The original listing (Kickbacksai.kickbacks-ai) is still gone. The new listing is kickbacks.kickbacks-dev under the publisher name "Kickbacks" with a new domain at kickbacks.dev. Same extension. Same code. Build date June 25, 2026. 4,540 installs so far. 1.5 star rating. They also bumped the revenue share from 50% to 70%, matching the competitors who launched against them. Getting removed from the marketplace, rebranding, and coming back under a different name is not how legitimate software operates.

Their own API confirms the economics are bad. Their /api/earned-total endpoint reports $109,189 total earned across 18,665 registered developers. That is $5.85 per developer. Lifetime. Not per day. Most of those developers will never reach the $10 minimum payout threshold. They cannot get paid.

Three independent security analyses, zero response. Our investigation, a separate r/aisecurity post by an independent researcher, and GitHub issue #104 (an 18-hour audit documenting 11 vulnerabilities) all found the same unsigned self-update with the dead pubkey. Issue #104 estimates a single bot could generate $400/day in fraudulent advertiser charges. Issues #86, #104, and #107 remain unanswered after two or more weeks.

The independent r/aisecurity researcher ranked the tools. "idledev, clean, barely touches anything. adspin, clean, well built. kickbacks, the worst by a mile." Their words, not ours.

No code updates in three weeks. The public repo has had zero commits since June 12. No bug fixes. No security patches. Meanwhile 18,665 developers are running this code.

Extension stability issues confirmed. Our test extension stopped working after June 25. Auth failures, kill switch cycling, then silence. GitHub issue #143 confirms other users experience "constant logouts" 3-4 times per day.

Updated recommendation: If you had the old Kickbacksai.kickbacks-ai extension, the removal instructions in this article still apply. If someone installed the new kickbacks.kickbacks-dev version, the same concerns apply. Same code, different name. Remove it: code --uninstall-extension kickbacks.kickbacks-dev

For the full technical reverse engineering with code-level findings and Wireshark captures, read the original research: Kickbacks.ai Review: VS Code Adware, Reverse-Engineered by Darius J Davis.

This investigation was conducted through source code analysis, packet capture, WHOIS research, and live testing over four days. If you have questions about our findings or want help assessing tools like this in your environment, email us at hello@southsidechisolutions.com.

Ready to secure your business?

Free 30-minute consultation. No sales script.

Call (773) 417-9994