
Malicious AI VS Code Extensions With 1.5M Installs Steal Source Code, Secrets, and Developer Profiles
The VS Code extension ecosystem is now a frontline supply chain target. Researchers uncovered two AI-themed Marketplace extensions with about 1.5 million combined installs that provide legitimate coding assistance while quietly siphoning source code, configuration files, and developer telemetry to attacker-controlled infrastructure. This report breaks down what the extensions collect, how they hide exfiltration in webviews, what indicators to hunt for, and how security teams can harden developer environments without blocking productivity.
What happened
Researchers identified two VS Code Marketplace extensions marketed as AI coding assistants that secretly collect developer data and transmit it to attacker-controlled infrastructure. The extensions remain functional and deliver the promised AI assistance, which is a key part of the deception. The undisclosed behavior is the real issue: silent collection of file contents, change events, and user profiling data that can expose proprietary code and embedded secrets.
The campaign has been tracked under the name MaliciousCorgi and is linked by shared code and shared backend infrastructure across both extensions.
The malicious extensions (names, publishers, scale)
At the time of reporting, the two extensions were:
| Extension | Publisher | Installs |
|---|---|---|
| ChatGPT – 中文版 | WhenSunset | ~1.34 million |
| ChatMoss (CodeMoss) | zhukunpeng | ~150,000 |
Combined, this places the exposure at approximately 1.5 million installations, which is unusually high for a malicious extension incident and makes it relevant for both individual developers and enterprise security teams.
What data is at risk
VS Code workspaces frequently contain high-value material, including:
| Data Type | Risk Level |
|---|---|
| Proprietary source code and unreleased features | Critical |
| Infrastructure configuration and internal endpoints | Critical |
| .env files with API keys and database credentials | Critical |
| Cloud service credentials (service accounts, JSON keys, access tokens) | Critical |
| DevOps artifacts (CI variables, deployment scripts, IaC templates) | High |
If exfiltration occurs, the impact is not limited to a single machine. Stolen secrets can enable downstream compromise of Git repositories, CI runners, cloud subscriptions, production services, and customer data environments.
How the data theft works (three parallel channels)
The extensions implement three distinct collection channels that run alongside the legitimate AI assistance features.
Channel 1: Real-time file monitoring (open and edit)
As soon as a developer opens a file in VS Code, the extension reads the entire file contents, encodes it (Base64), and transmits it via a hidden webview mechanism. This triggers on file open, not only on active editing. Changes are also captured as you type, enabling continuous exfiltration of code in motion.
Channel 2: Server-controlled workspace harvesting (up to 50 files)
A second mechanism allows the remote server to trigger stealth collection of up to 50 files from the workspace. This is important because it reduces attacker dependence on what the victim happens to open. It turns exfiltration into an on-demand capability controlled by the operator.
Channel 3: Profiling and fingerprinting inside the editor
The extensions embed a zero-pixel iframe inside a webview to load commercial analytics SDKs, effectively tracking user behavior and device identity signals from within the IDE.
| Analytics SDK | Purpose |
|---|---|
| Zhuge.io | User behavior analytics |
| GrowingIO | Product analytics |
| TalkingData | Mobile/app analytics |
| Baidu Analytics | Web analytics |
The result is a richer profile of the developer and their activity, not just their code.
Why VS Code extensions are a high-trust attack surface
VS Code's extension host runs extensions with the same effective permissions as the editor itself. That means an extension can:
- Read and write files
- Make network requests
- Run processes
This is exactly why malicious extensions are such a powerful supply chain vector: once installed, they sit in the developer workflow and observe high-signal data all day.
Workspace Trust helps reduce risk when opening unfamiliar repositories, but it is not a complete safety boundary against a malicious extension. Enterprise security cannot rely on prompts and trust dialogs as primary controls. It needs enforceable policy.
Immediate actions (do these now)
1) Identify and remove the extensions
On developer endpoints, check installed extensions and remove anything matching the suspicious identifiers.
Quick check (local machine):
```
code --list-extensions | findstr /i "whensunset.chatgpt-china zhukunpeng.chat-moss"
```
If present, uninstall:
```
code --uninstall-extension whensunset.chatgpt-china
code --uninstall-extension zhukunpeng.chat-moss
```
Then close all VS Code windows and relaunch to ensure the extension host is restarted.
2) Assume secret exposure and rotate credentials
If the extensions were installed on machines that access sensitive repositories or cloud environments:
| Action | Priority |
|---|---|
| Rotate API keys found in .env and config files | Critical |
| Rotate cloud service account keys and tokens | Critical |
| Revoke and reissue CI secrets and deployment credentials | Critical |
| Audit recent access logs for cloud and SaaS services | High |
3) Hunt for evidence of exfiltration
Focus on workstation telemetry and DNS or proxy logs. If you have EDR, investigate unusual VS Code extension host network activity, especially connections that do not align with expected AI assistant endpoints.
4) Reduce future risk with extension governance
For organizations:
- Enforce allowlisting of approved extensions
- Prefer verified publishers and internal vetting
- Restrict Marketplace usage where feasible
- Monitor for unusual extension install spikes and newly trusted publishers
Microsoft notes that once a malicious extension is removed from the Marketplace it can be blocked in VS Code and force-uninstalled, but security teams should still implement their own prevention and detection: the dwell time between publication and removal is the critical risk window.
Indicators of compromise (IOCs)
Use these as pivots for inventory and threat hunting.
Extension identifiers
| Identifier | Extension |
|---|---|
| whensunset.chatgpt-china | ChatGPT – 中文版 |
| zhukunpeng.chat-moss | ChatMoss / CodeMoss |
Domain
| IOC | Type |
|---|---|
| aihao123.cn | C2 domain |
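The identifier check in step 1 above and the IOC tables in this section can be turned into a single inventory script. The following is an added example, not tooling from the researchers or from Microsoft: it walks the standard per-user VS Code extensions directory (`~/.vscode/extensions/<publisher>.<name>-<version>/package.json`, the same layout on Windows, macOS and Linux), flags any extension whose `publisher.name` matches the identifiers in the IOC table, and greps each extension's bundled JavaScript, JSON and HTML for the C2 domain. Because a malicious extension can be republished under a new identifier, the domain scan catches repackaged copies that the identifier check alone would miss. The demo directory it builds when run without arguments is constructed for the example.

```python
"""Inventory installed VS Code extensions and flag the MaliciousCorgi IOCs.

Added example (not the researchers' tooling). Assumes the standard
per-user extensions layout: ~/.vscode/extensions/<id>-<version>/package.json
"""
import json
import re
import sys
import tempfile
from pathlib import Path
from typing import List, Optional

# Identifiers and C2 domain exactly as given in the report's IOC tables.
MALICIOUS_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}
C2_DOMAINS = {"aihao123.cn"}

# Bundled extension code is JS; webviews ship HTML; manifests are JSON.
SCAN_SUFFIXES = {".js", ".json", ".html"}
MAX_SCAN_BYTES = 5 * 1024 * 1024   # skip huge bundles to keep the scan fast


def default_extensions_dir() -> Path:
    """VS Code's per-user extensions directory (same relative path on all OSes)."""
    return Path.home() / ".vscode" / "extensions"


def extension_id(package_json: Path) -> Optional[str]:
    """Return 'publisher.name' in lower case from a package.json, or None."""
    try:
        meta = json.loads(package_json.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    publisher, name = meta.get("publisher"), meta.get("name")
    if not publisher or not name:
        return None
    return f"{publisher}.{name}".lower()   # Marketplace ids are case-insensitive


def files_referencing_domains(ext_dir: Path, domains) -> List[str]:
    """Relative paths of files under ext_dir that mention any of the domains."""
    pattern = re.compile("|".join(re.escape(d) for d in domains), re.IGNORECASE)
    hits = []
    for path in ext_dir.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        if path.stat().st_size > MAX_SCAN_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        if pattern.search(text):
            hits.append(path.relative_to(ext_dir).as_posix())
    return sorted(hits)


def scan_extensions(extensions_dir: Path) -> List[dict]:
    """Return one finding per installed extension that matches an IOC."""
    findings = []
    if not extensions_dir.is_dir():
        return findings
    for ext_dir in sorted(extensions_dir.iterdir()):
        pkg = ext_dir / "package.json"
        if not pkg.is_file():           # skips extensions.json, .obsolete, etc.
            continue
        ext_id = extension_id(pkg)
        reasons = []
        if ext_id in MALICIOUS_IDS:
            reasons.append(f"known malicious identifier {ext_id}")
        domain_hits = files_referencing_domains(ext_dir, C2_DOMAINS)
        if domain_hits:
            reasons.append("references C2 domain in " + ", ".join(domain_hits))
        if reasons:
            findings.append({"dir": ext_dir.name, "id": ext_id, "reasons": reasons})
    return findings


def build_demo_extensions_dir() -> Path:
    """Constructed fixture: one benign extension and one that mimics the IOCs,
    so the scanner can be exercised offline without the real extension."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-demo-"))
    bad = root / "whensunset.chatgpt-china-1.0.0"
    (bad / "out").mkdir(parents=True)
    (bad / "package.json").write_text(
        json.dumps({"publisher": "WhenSunset", "name": "chatgpt-china"}))
    (bad / "out" / "extension.js").write_text(
        'const api = "https://aihao123.cn/";  // constructed sample string\n')
    good = root / "example.hello-0.0.1"
    good.mkdir()
    (good / "package.json").write_text(
        json.dumps({"publisher": "example", "name": "hello"}))
    (good / "extension.js").write_text("console.log('hello');\n")
    (root / "extensions.json").write_text("[]")   # VS Code's own manifest file
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_extensions_dir()
    results = scan_extensions(target)
    if not results:
        print(f"No IOC matches under {target}")
    for f in results:
        print(f"[!] {f['dir']} ({f['id']}): " + "; ".join(f["reasons"]))
```

Run it with the path to a developer's extensions directory (for example `python scan_ext.py "%USERPROFILE%\.vscode\extensions"` on Windows) and feed the output into your inventory. For fleet-wide use, the same two checks map directly onto EDR file-inventory queries: match the `package.json` publisher/name pair and search extension bundles for the domain string.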
Behavioral indicators
| Indicator | Priority |
|---|---|
| VS Code processes making frequent outbound requests while files are merely opened | High |
| Repeated base64-like payload patterns in outbound traffic (large encoded blobs) | Critical |
| Webview-related network calls tied to analytics endpoints unusual for a code editor | High |
| Sudden access to sensitive files without corresponding developer actions (EDR file read telemetry) | Critical |
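The behavioral indicators above can be expressed as detection rules over proxy or EDR network telemetry. The following is an added example, not the researchers' detection content; the pipe-delimited log format (`timestamp|client|process|destination host|bytes_out|body sample`) and the sample lines are constructed for this example. It implements four rules: any process reaching the C2 domain from the IOC table, a VS Code process talking to an analytics vendor (Zhuge.io is the one SDK named in the report whose name is also its domain; the other vendors' domains are left for you to add from your own traffic), a long base64 run in a VS Code request body that also decodes cleanly, and a burst of VS Code requests within a short window, which is what the "frequent outbound requests while files are merely opened" indicator looks like in logs. The thresholds are placeholders to tune.

```python
"""Apply the report's behavioral indicators to proxy log lines.

Added example (not the researchers' detection content). Log format and
sample lines are constructed:  timestamp|client|process|dest|bytes_out|body
"""
import base64
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

C2_DOMAINS = {"aihao123.cn"}       # C2 domain from the report's IOC table
ANALYTICS_DOMAINS = {"zhuge.io"}   # named in the report; extend with domains you observe
VSCODE_PROCESSES = {"code", "code.exe", "code helper", "code helper (renderer)"}

BLOB_MIN_CHARS = 120               # constructed threshold; tune to your traffic
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % BLOB_MIN_CHARS)
BURST_WINDOW_S = 60                # constructed: 5 editor requests in 60 s
BURST_COUNT = 5


def parse_line(line: str) -> dict:
    """Split one constructed log line; the body may itself contain '|'."""
    ts, client, process, dest, bytes_out, body = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "process": process.lower(), "dest": dest.lower(),
            "bytes_out": int(bytes_out), "body": body}


def domain_matches(host: str, domains) -> bool:
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def looks_like_base64_blob(body: str) -> bool:
    """A long run of base64 alphabet that also decodes without error."""
    m = BLOB_RE.search(body)
    if not m:
        return False
    token = m.group(0).rstrip("=")
    try:
        base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:             # binascii.Error is a ValueError subclass
        return False
    return True


def detect(lines: List[str]) -> List[Tuple[str, str, dict]]:
    """Return (severity, rule, event) for every indicator hit, in log order."""
    alerts = []
    recent = defaultdict(deque)    # (client, process) -> timestamps in window
    for line in lines:
        ev = parse_line(line)
        if domain_matches(ev["dest"], C2_DOMAINS):
            alerts.append(("critical", "c2-domain", ev))
        if ev["process"] not in VSCODE_PROCESSES:
            continue               # the remaining rules are editor-specific
        if domain_matches(ev["dest"], ANALYTICS_DOMAINS):
            alerts.append(("high", "vscode-to-analytics", ev))
        if looks_like_base64_blob(ev["body"]):
            alerts.append(("critical", "base64-blob", ev))
        window = recent[(ev["client"], ev["process"])]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()
        if len(window) == BURST_COUNT:   # fire once as the threshold is crossed
            alerts.append(("high", "vscode-burst", ev))
    return alerts


def summarize(alerts) -> Dict[str, int]:
    """Count alerts per rule, handy for dashboards and for tests."""
    counts: Dict[str, int] = defaultdict(int)
    for _, rule, _ in alerts:
        counts[rule] += 1
    return dict(counts)


# Constructed sample: one laptop with the extension, opening and editing files.
_BLOB = base64.b64encode(b"print('secret')\n" * 10).decode()   # base64 of a file body
SAMPLE_LOG = [
    '2025-01-15T09:00:00|dev-laptop-01|Code.exe|ai-assistant.example.com|812|{"q":"explain"}',
    f'2025-01-15T09:00:04|dev-laptop-01|Code.exe|aihao123.cn|41233|{{"f":"{_BLOB}"}}',
    '2025-01-15T09:00:09|dev-laptop-01|Code.exe|aihao123.cn|2044|{"t":"open"}',
    '2025-01-15T09:00:15|dev-laptop-01|Code.exe|zhuge.io|512|{"uid":"abc"}',
    '2025-01-15T09:00:20|dev-laptop-01|Code.exe|aihao123.cn|3100|{"t":"edit"}',
    '2025-01-15T09:00:25|dev-laptop-01|Code.exe|aihao123.cn|3100|{"t":"edit"}',
    '2025-01-15T09:05:00|dev-laptop-01|chrome.exe|zhuge.io|900|{"page":"/"}',
    '2025-01-15T09:06:00|dev-laptop-02|Code.exe|updates.example.com|300|{}',
]

if __name__ == "__main__":
    for severity, rule, ev in detect(SAMPLE_LOG):
        print(f"{severity:8} {rule:20} {ev['client']} {ev['process']} -> {ev['dest']}")
    print(summarize(detect(SAMPLE_LOG)))
```

The C2 rule deliberately ignores the process name, since any host resolving or connecting to the domain is an IOC hit; the other three rules are scoped to the editor because an AI assistant legitimately sends code context to its backend, and the point of the burst and blob rules is to surface uploads that line up with file opens rather than with prompts.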
Practical hardening checklist for developer workstations
| Control | Implementation |
|---|---|
| Remove unused extensions aggressively | Regular audits |
| Treat AI assistants as data-processing tools | Document where code context is sent |
| Enforce MFA and conditional access | Source control and cloud portals |
| Use short-lived credentials | Workload identity where possible |
| Separate production credentials from laptops | Brokered access, scoped tokens, vaulting |
| Implement outbound filtering and alerting | High-value dev endpoint group |
Closing
This incident is not just another "malicious extension" story. It demonstrates a mature tactic: deliver real functionality while quietly harvesting code and identity signals at scale.
If your security program treats developer tooling as out of scope, you are leaving a high-privilege, high-context environment unmanaged.
Extension governance, secret hygiene, and endpoint monitoring for developer devices are now baseline controls for modern enterprise defense.
Quick removal commands
Windows (PowerShell):
```
code --uninstall-extension whensunset.chatgpt-china
code --uninstall-extension zhukunpeng.chat-moss
```
Frequently Asked Questions
They provide real AI coding assistance, which helps them build trust and maintain high install counts while exfiltration runs in the background.
Source code theft plus secret leakage. That combination can enable repo compromise, CI pipeline abuse, cloud credential takeover, and production intrusion.
Workspace Trust reduces risk from untrusted projects, but it is not a guarantee against malicious extensions. Enterprises should rely on extension allowlisting and trusted publishers, not prompts.
Start with any cloud credentials, CI secrets, and API keys that existed on the affected machine or in the opened repositories. Then assess broader exposure based on developer access scope.
Implement an approved extension catalog, enforce publisher trust, continuously inventory installed extensions, and use staged rollout for new tools after lightweight security review.