Supply Chain | 2026-06-23

I Reverse-Engineered Kickbacks.ai. What Every Developer Should Know.

I kept seeing Kickbacks.ai all over my feed. Developers promoting it. Tech influencers endorsing it. 'Get paid while Claude thinks.' I installed it, made $1.18 in three days, then reverse-engineered the whole thing and ran Wireshark on the traffic. What I found was adware. A 5-week-old domain behind a privacy proxy, removed from the VS Code Marketplace, unsigned self-updates, and unresolved security issues. Here's the full breakdown.

My take

Developers on social media were hyping Kickbacks.ai like it was free money. 'Just install it and get paid while Claude thinks.' Some big accounts were co-signing it. That's like your boy telling you a pickup game is legit when nobody even checked who owns the court. The pitch was too convenient, so I did what I do. I installed it, read every line of the bundled code, and ran Wireshark. What I found is adware in a revenue-share jersey. It patches another extension's files on disk. Relaxes the Content Security Policy. Auto-updates every 90 seconds with no signature verification. Re-patches your files every 60 seconds if you try to undo it. The domain is 5 weeks old. It got pulled from the VS Code Marketplace. Open security issues on GitHub have zero response from the maintainer. And three competitors launched within 48 hours offering 70% revenue share without touching your files. You're getting 50% of almost nothing in exchange for letting a stranger rewrite your IDE. That's not a deal. That's a trap.


~/security/notes
# the self-update signature verification. disabled.
# from dist/extension.js, _embeddedPubkeyPem()
$ grep -A7 '_embeddedPubkeyPem' ~/.vscode/extensions/kickbacksai.kickbacks-ai-*/dist/extension.js
function _embeddedPubkeyPem() {
try {
if ("".length > 0) { // always false
return "";
}
} catch {}
return null; // sig verification skipped
}
# capturing network traffic to their backend
$ tshark -i en0 -f 'host 34.143.73.2' -c 3 -T fields -e frame.time -e tls.handshake.extensions_server_name
Jun 23, 2026 22:37:48 kickbacks-backend-gmdaqm2c7q-uw.a.run.app
Jun 23, 2026 22:37:53 kickbacks-backend-gmdaqm2c7q-uw.a.run.app
# WHOIS. domain is 5 weeks old behind a privacy proxy
$ whois kickbacks.ai | grep -E 'Creation|Registrant'
Creation Date: 2026-05-17T20:56:48Z
Registrant Organization: Domains By Proxy, LLC

TL;DR

Kickbacks.ai patches Claude Code's files on disk, relaxes its Content Security Policy, and auto-updates itself every 90 seconds with zero signature verification. The domain is 5 weeks old, hidden behind a privacy proxy, with no contact page and no response to open security issues on GitHub. It got pulled from the VS Code Marketplace. Three competitors launched within 48 hours offering 70% revenue share without touching your files. Kickbacks gives you 50% and full liability. You are trading your IDE's integrity for pocket change from a stranger who won't even answer the door when someone reports a security bug.

It patches Claude Code's files on disk.

The extension finds Claude Code's webview at ~/.vscode/extensions/anthropic.claude-code-*/webview/index.js, backs it up, and appends its own JavaScript between /* VIBE-ADS-START */ and /* VIBE-ADS-END */ markers. That injected code slaps a fixed-position overlay on top of the spinner with a clickable ad. It also rewrites Claude Code's extension.js to relax the Content Security Policy, adding connect-src http://127.0.0.1:* http://localhost:* so the ad code can talk to a local relay server. That opens the webview sandbox to any localhost port. Not just theirs. And when you disable the extension? It keeps the CSP hole open anyway. There's a keepCsp: true flag, so disabling the extension doesn't undo the damage.

~/security/notes
# check if Claude Code's webview has been patched
# path is ~/.vscode/extensions/ or ~/.cursor/extensions/ depending on your editor
$ grep 'VIBE-ADS' ~/.vscode/extensions/anthropic.claude-code-*/webview/index.js
/* VIBE-ADS-START */
/* VIBE-ADS-END */
# check if the Content Security Policy was relaxed
$ grep 'connect-src' ~/.vscode/extensions/anthropic.claude-code-*/extension.js
connect-src http://127.0.0.1:* http://localhost:*;

The self-update has no signature verification.

Every 90 seconds, the extension phones home to a Google Cloud Run endpoint asking if there's a new version. If there is, it downloads a .vsix from Google Cloud Storage, checks the SHA-256 hash, and installs it. No prompt. No confirmation. Just installs. The code has a signature verification function, but the embedded public key is an empty string. The check returns null every time. Verification never runs. It's dead code. And the hash? It comes from the same server as the file. If that server gets popped, an attacker controls both. Every developer running this extension gets whatever the attacker wants to push. Every 90 seconds. There's no setting to turn this off. I had to patch the extension code myself.

It reasserts its patches every 60 seconds.

Every 60 seconds, a setInterval checks if the file patches are still there. If Claude Code updates or anything removes the injection, it puts it right back. Automatically. There's also a desync detector. If the ad overlay hasn't checked in for 5 minutes, it escalates. First it re-patches. Then it force-reloads the webview. Then it pops a toast notification asking you to reload your window. That's not how a normal extension behaves. That's how adware behaves. And here's the kicker: their license (Section 4e) says you can't 'circumvent or disable any telemetry-integrity or security mechanism.' So if you try to stop this behavior to protect yourself, you're violating their terms. They wrote the rules so you can't opt out.

Five-week-old domain, no contact page, removed from VS Code Marketplace.

The domain kickbacks.ai was registered May 17, 2026. Five weeks before this investigation. The registrant is hidden behind Domains By Proxy on GoDaddy. There's no /contact page. No /help. No /about. No /support. All 404. No robots.txt. No sitemap. The extension got pulled from the VS Code Marketplace (GitHub issue #141 confirms it). The only way to install it now is curling a .vsix directly from their site. No marketplace review. No update controls. The SSL cert is a 3-month Google Trust Services cert. The company 'ShiftKeys, Inc.' is in the license as a Delaware entity, but the founder's GitHub bio calls this 'AI hobbies.' And their homepage claims $89,401 earned by developers. On a platform that launched 12 days before our test. At $1 CPM, that's 89 million billable 5-second ad views in under two weeks. That's like claiming you sold out the United Center for two straight weeks when you've only got 12 sponsors and one of them is selling weight loss pills.

~/security/notes
# WHOIS shows a 5-week-old domain
$ whois kickbacks.ai | grep 'Creation Date'
Creation Date: 2026-05-17T20:56:48Z
# removed from VS Code Marketplace
$ curl -s -o /dev/null -w '%{http_code}' 'https://marketplace.visualstudio.com/items?itemName=Kickbacksai.kickbacks-ai'
404

Open security issues with zero maintainer response.

GitHub issues #86 and #107 lay out serious security problems. Zero response from the maintainer on either one. Issue #86 shows that the billing system trusts whatever JSON the client sends. No cryptographic verification. Anyone with a refresh token can fabricate unlimited impressions for ads that never displayed. Advertisers get charged for phantom views. Issue #107 documents six more problems: a hardcoded click token ('ck') visible in the extension bundle, unencrypted loopback credentials in VS Code's global state that any local process can read, DPAPI token storage that any same-user process can decrypt, unvalidated error credits worth 7,500 micros each, client-controlled visible_ms with no server check, and leaked OpenAPI docs exposing admin endpoints. Nobody's home. The lights are on but nobody's answering the door on security.

The ad inventory is thin.

I monitored the ad rotation over several days. The portfolio includes some real companies like Ramp (corporate cards) and Sentry alongside a mix of alpha-stage startups nobody's heard of, a GLP-1 weight loss medication service called Found, and earnd.dev, which is a direct competitor to Kickbacks. When inventory runs low, they fill slots with self-promotional ads ('nasdaq_for_ads'). The homepage bid queue at the time of our review literally said 'No queued bids.' The platform has advertisers, but the inventory is thin and the fill rate is low. You're watching weight loss ads and competitor promos in your code editor for $0.48 a day. That's like sitting courtside at a game where half the sponsors are lemonade stands and the other half are advertising for a different arena.

Competitors already offer better deals without the risk.

Within 48 hours of Kickbacks launching, three competitors showed up. IdleAds.dev: 70% revenue share, server-side impression verification, no file patching. Idlen.io: 70%, widest surface area, browser extensions included. Sponsoric: 70% via CLI/MCP/REST, you embed it in your own app instead of letting someone else rewrite yours. Every single alternative pays more and doesn't touch your files. Kickbacks created an entire category and immediately became the worst option in it. That's like opening a restaurant and watching three better ones open on the same block the next day. Except those restaurants don't break into your kitchen and rearrange your appliances.

What to do if you have it installed.

Honestly? Just uninstall it. Run 'Kickbacks: Restore Claude Code' from the command palette to undo the file changes, then remove the extension. If you want ad revenue from your IDE, switch to IdleAds or Sponsoric. Better cut, no file patching, server-side verification. If for some reason you want to keep Kickbacks running, at minimum patch out the self-update (comment out the setInterval in setupSelfUpdate) or crank updatePollIntervalMs to something absurd in ~/.vibe-ads/config.json. And read their Terms of Service. Section 11.2 says YOU are responsible if Anthropic has a problem with it. Section 16.1 says you indemnify Kickbacks against claims from your employer. Their liability is capped at $100. They take 50% of the money and 0% of the risk. You take the rest.

~/security/notes
# restore Claude Code's original files
$ # VS Code Command Palette: 'Kickbacks: Restore Claude Code'
# or uninstall completely
$ code --uninstall-extension kickbacksai.kickbacks-ai
Extension 'kickbacksai.kickbacks-ai' was successfully uninstalled.

Takeaway

If a VS Code extension patches another extension's files, relaxes its security policy, and auto-updates with no signature verification, it doesn't matter if it pays you. That's a supply chain risk in a revenue-share jersey. Three competitors already offer 70% with no file patching. You're taking a worse deal AND more risk. That's like paying full price for nosebleeds when courtside is cheaper and comes with security.