Malicious VS Code Extensions With 1.5 Million Installs Steal Developer Source Code

Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code

Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants, but also harbor covert functionality to siphon developer data to China-based servers. The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio Marketplace, are listed below - * ChatGPT - 中文版 (ID: whensunset.chatgpt-china) - 1,340,869 installs * ChatGPT - ChatMoss（CodeMoss）(ID: zhukunpeng.chat-moss) - 151,751 installs Koi Security said the extensions are functional and work as expected, but they also capture every file being opened and every source code modification to servers located in China without users' knowledge or consent. The campaign has been codenamed MaliciousCorgi. "Both contain identical malicious code -- the same spyware infrastructure running under different publisher names," security researcher Tuval Admoni said. What makes the activity particularly dangerous is that the extensions work exactly as advertised, providing autocomplete suggestions and explaining coding errors, thereby avoiding raising any red flags and lowering the users' suspicion. At the same time, the embedded malicious code is designed to read all of the contents of every file being opened, encode it in Base64 format, and send it to a server located in China ("aihao123[.]cn"). The process is triggered for every edit. The extensions also incorporate a real-time monitoring feature that can be remotely triggered by the server, causing up to 50 files in the workspace to be exfiltrated. Also present in the extension's web view is a hidden zero-pixel iframe that loads four commercial analytics software development kits (SDKs) to fingerprint the devices and create extensive user profiles. The four SDKs used are Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, all of which are major data analytics platforms based in China. PackageGate Flaws Affect JavaScript Package Managers The disclosure comes as the supply chain security company said it identified six zero-day vulnerabilities in JavaScript package managers like npm, pnpm, vlt, and Bun that could be exploited to defeat security controls put in place to skip the automatic execution of lifecycle scripts during package installation. The flaws have been collectively named PackageGate. Defenses such as disabling lifecycle scripts ("--ignore-scripts") and committing lockfiles ("package-lock.json") have become crucial mechanisms to confronting supply chain attacks, especially in the aftermath of Shai-Hulud, which leverages postinstall scripts to spread in a worm-like manner to hijack npm tokens and publish malicious versions of the packages to the registry. However, Koi found that it's possible to bypass script execution and lockfile integrity checks in the four package managers. Following responsible disclosure, the issues have been addressed in pnpm (version 10.26.0), vlt (version 1.0.0-rc.10), and Bun (version 1.3.5). Pnpm is tracking the two vulnerabilities as CVE-2025-69264 (CVSS score: 8.8) and CVE-2025-69263 (CVSS score: 7.5). Npm, however, has opted not to fix the vulnerability, stating "users are responsible for vetting the content of packages that they choose to install." The Hacker News has reached out to npm/GitHub for further comment, and we will update the story if we hear back. "The standard advice, disable scripts and commit your lockfiles, is still worth following," security researcher Oren Yomtov said. "But it's not the complete picture. Until PackageGate is fully addressed, organizations need to make their own informed choices about risk."

Malicious Microsoft VSCode AI extensions might have hit over 1.5 million users

* Two VSCode extensions exfiltrated sensitive user data to Chinese servers * ChatGPT - 中文版 and ChatMoss had over 1.5 million installs combined * Extensions used hidden iframes, commands, and SDKs to steal files and track activity More than 1.5 million people may have had their sensitive data exfiltrated to Chinese hackers through two malicious extensions found on the VSCode Marketplace. Security researchers at Koi Security said they discovered two malicious browser extensions in Microsoft's Visual Studio Code (VSCode) Marketplace, the official Microsoft store for code editor add-ons. The extensions were advertised as AI-based coding assistants. Indeed, they worked as advertised, providing users with a simple and convenient way to access a Generative Artificial Intelligence (GenAI) tool to help with coding. However, the tools were also uploading sensitive data to a third-party server in China without telling the users about it. MaliciousCorgi According to Koi, these are the add-ons in question, which are both still available for download on the marketplace : ChatGPT - 中文版 (publisher: WhenSunset, 1.34 million installs) ChatMoss (CodeMoss) (publisher: zhukunpeng, 150k installs) Koi says both are part of the 'MaliciousCorgi' campaign, and both were sending the stolen data to the same server. To exfiltrate the data, they used three distinct mechanisms, it was said. The first one is via real-time monitoring of files opened in VS Code client. As soon as the victim opens a file, its contents are encoded in Base64 and relayed to the servers. "The moment you open any file - not interact with it, just open it - the extension reads its entire contents, encodes it as Base64, and sends it to a webview containing a hidden tracking iframe. Not 20 lines. The entire file," the researchers explained. The second mechanism is a server-controlled command that stealthily sends up to 50 files from the victim's workspace, while the third one is a zero-pixel iframe in the extension's webview where commercial analytics SDKs are loaded. These SDKs track user behavior, build identity profiles, and monitor other activity. Microsoft told BleepingComputer it was looking into the situation, but the add-ons are still available for download. Via BleepingComputer Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button! And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.