LmCast :: Stay tuned in

Malicious AI extensions on VSCode Marketplace steal developer data

Recorded: Jan. 23, 2026, 10 p.m.


By Bill Toulas

January 23, 2026
03:11 PM

Two malicious extensions in Microsoft’s Visual Studio Code (VSCode) Marketplace that were collectively installed 1.5 million times exfiltrate developer data to China-based servers.
Both extensions are advertised as AI-based coding assistants that provide the promised functionality. However, they do not disclose the upload activity or ask users for consent to deliver data to a remote server.
The VS Code Marketplace is the official store for add-ons for Microsoft’s popular code editor. VS Code extensions are installable plugins from the marketplace that add features or integrate tools into the editor. One of the most popular add-on categories right now is AI-powered coding assistants.

Researchers at endpoint and supply-chain security company Koi say that the two malicious extensions are part of a campaign they dubbed 'MaliciousCorgi' and share the same code for stealing developer data.
Additionally, both of them use the same spyware infrastructure and communicate with the same backend servers. At publishing time, both are present on the marketplace:
ChatGPT – 中文版 (publisher: WhenSunset, 1.34 million installs)
ChatMoss (CodeMoss) (publisher: zhukunpeng, 150k installs)

Figure: Malicious extension on the VSCode marketplace (Source: BleepingComputer)
The extensions use three distinct data-collection mechanisms. The first involves real-time monitoring of files opened in the VS Code client. When a file is accessed, its entire contents are encoded in Base64 and transmitted to the attackers’ servers.
Any changes to the opened file are also captured and exfiltrated.

Figure: Function that performs the file theft (Source: Koi Security)
"The moment you open any file – not interact with it, just open it – the extension reads its entire contents, encodes it as Base64, and sends it to a webview containing a hidden tracking iframe. Not 20 lines. The entire file," Koi researchers say.
The second mechanism involves a server-controlled file-harvesting command that stealthily transmits up to 50 files from the victim’s workspace each time.

Figure: Exfiltrating up to 50 files from the workspace (Source: Koi Security)
The third mechanism uses a zero-pixel iframe in the extension’s webview to load four commercial analytics SDKs: Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics.
These SDKs are used to track user behavior, build identity profiles, fingerprint devices, and monitor activity inside the editor. So, while the first two collect developer work files, the third focuses on user profiling.
Koi Security highlights the risks posed by undocumented functionality in these extensions, including the exposure of private source code, configuration files, cloud service credentials, and .env files containing API keys and credentials.
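
A static triage pass over installed extensions for the three collection mechanisms described above, as an added example that is not code from the article or from Koi's report. The regexes, the finding tags, the `extension.js` fallback and the constructed `SAMPLE` string are assumptions; a match is a lead for manual review, not a verdict.

```javascript
const fs = require("fs");
const path = require("path");

// Publishers named in the article, lower-cased for comparison.
const REPORTED_PUBLISHERS = ["whensunset", "zhukunpeng"];
// Analytics SDKs named in the article; matching on the name is a heuristic.
const SDK_MARKERS = ["zhuge", "growingio", "talkingdata", "baidu"];

// Heuristic triage of one extension: manifest = parsed package.json,
// source = text of its entry JavaScript. Returns a list of finding tags.
function triageExtension(manifest, source) {
  const findings = [];
  if (REPORTED_PUBLISHERS.includes(String(manifest.publisher || "").toLowerCase()))
    findings.push("reported-publisher");
  const base64 = /toString\(\s*["']base64["']\s*\)|\bbtoa\s*\(/.test(source);
  // Mechanism 1: open/change listeners combined with Base64 encoding.
  if (base64 && /onDidOpenTextDocument|onDidChangeTextDocument/.test(source))
    findings.push("open-file-base64");
  // Mechanism 2: workspace-wide file enumeration combined with Base64 encoding.
  if (base64 && /workspace\.findFiles\s*\(/.test(source))
    findings.push("workspace-harvest");
  // Mechanism 3: zero-sized iframe plus a named analytics SDK.
  const hiddenFrame = /<iframe[^>]*\b(?:width|height)\s*[=:]\s*["']?0(?:px)?\b/i.test(source);
  const lower = source.toLowerCase();
  if (hiddenFrame && SDK_MARKERS.some((s) => lower.includes(s)))
    findings.push("hidden-analytics-iframe");
  return findings;
}

// Walks an extensions directory (e.g. ~/.vscode/extensions) and triages each
// extension's entry file as declared by "main" in its package.json.
function scanExtensionsDir(dir) {
  const report = {};
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const manifestPath = path.join(dir, entry.name, "package.json");
    if (!entry.isDirectory() || !fs.existsSync(manifestPath)) continue;
    const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
    const main = path.join(dir, entry.name, manifest.main || "extension.js"); // fallback is an assumption
    const file = [main, main + ".js"].find((p) => fs.existsSync(p) && fs.statSync(p).isFile());
    const findings = triageExtension(manifest, file ? fs.readFileSync(file, "utf8") : "");
    if (findings.length) report[entry.name] = findings;
  }
  return report;
}

// Constructed sample input for the scanner (not code from the reported extensions).
const SAMPLE = `vscode.workspace.onDidOpenTextDocument(d =>
  panel.webview.postMessage(Buffer.from(d.getText()).toString("base64")));
html = '<iframe width="0" height="0" src="https://example.invalid/growingio"></iframe>';`;
```

Only the entry file is read, so code split across other bundled files is not covered; treat an empty report as "nothing matched", not as clearance.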
BleepingComputer has contacted Microsoft about the presence of the two extensions on the VSCode market, but we are still waiting for a reply. We were unable to establish a communication channel with the publisher of the extensions.


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


The proliferation of malicious AI extensions within the Visual Studio Code (VSCode) Marketplace represents a significant and concerning security vulnerability. Koi Security researchers discovered two extensions, “ChatGPT – 中文版” and “ChatMoss (CodeMoss),” that amassed a combined 1.5 million installations and were covertly exfiltrating developer data to China-based servers.
These extensions, deceptively advertised as AI-powered coding assistants, employed a sophisticated three-pronged data collection strategy. Firstly, they engaged in real-time monitoring of all files opened within the VSCode client, encoding the entire contents into Base64 and transmitting them to the attackers’ servers. Secondly, they utilized a server-controlled command to harvest up to 50 files from the developer’s workspace with each transmission. Thirdly, they integrated four commercial analytics SDKs – Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics – to build user identity profiles, track behavior, and fingerprint devices. The potential consequences of this activity include exposure of sensitive source code, configurations, cloud service credentials, and API keys.
The widespread availability of these extensions within the popular VSCode Marketplace underscores the need for heightened vigilance and security practices among developers. Koi Security’s investigation highlighted the critical importance of scrutinizing the functionality of third-party extensions, particularly those with vague descriptions and undisclosed data collection activities. As of the report’s publication, Microsoft had not responded to BleepingComputer’s inquiry regarding the presence of these malicious extensions in the Marketplace, further amplifying concerns about the platform’s security oversight. The incident serves as a stark reminder of the evolving threat landscape and the potential for seemingly benign tools to be exploited for malicious purposes.
This highlights the demand for enhanced security practices by developers, including careful evaluation of extensions and diligent protection of sensitive information. The use of Base64 encoding and integration with commercial analytics SDKs significantly increased the attack surface and facilitated detailed profiling of developers. The lack of communication from the extension publishers adds to this concern. Overall, the “MaliciousCorgi” campaign represents a dangerous trend in the expansion of AI-powered tools and the need for greater security controls within the VSCode ecosystem. The report stresses critical vulnerabilities of third-party supply chain components, where developers can be inadvertently exposed to sophisticated data extraction techniques, highlighting the need for increased security awareness and comprehensive due diligence processes.