Cybersecurity researchers have uncovered a serious threat hiding inside popular coding tools. Two malicious VS Code AI extensions, installed more than 1.5 million times, were quietly stealing developers’ source code and sending it to servers in China.
These extensions looked helpful and worked exactly as promised. That is what made them dangerous.
What Are Malicious VS Code AI Extensions?
The malicious tools were published on the official Visual Studio Marketplace and claimed to be AI-powered coding assistants. They offered features like code suggestions, error explanations, and autocomplete help.
The two extensions are:
- ChatGPT – 中文版 (ID: whensunset.chatgpt-china) with over 1.34 million installs
- ChatGPT – ChatMoss (CodeMoss) (ID: zhukunpeng.chat-moss) with over 150,000 installs
Security researchers from Koi Security discovered that both extensions contained the same hidden spyware code. The campaign has been named MaliciousCorgi.
How the Source Code Was Stolen
According to Koi Security researcher Tuval Admoni, the extensions secretly tracked everything developers did inside VS Code.
Here’s what the malicious code did:
- Read every file opened in the editor
- Tracked every code change made by the developer
- Encoded the data using Base64
- Sent it to a China-based server called aihao123[.]cn
This process happened quietly, without user permission. Every edit triggered another data transfer.
Worse, the server could remotely command the extension to steal up to 50 files at once from a developer’s workspace.
Hidden Tracking and Device Fingerprinting
The extensions also loaded a hidden zero-pixel iframe inside their web view. This iframe silently ran four Chinese analytics tools:
- Zhuge.io
- GrowingIO
- TalkingData
- Baidu Analytics
These tools can fingerprint devices and build detailed user profiles. Most users had no idea this tracking was happening.
Why Developers Didn’t Notice
The biggest problem was trust. These malicious VS Code AI extensions worked normally. They helped with code, explained errors, and looked safe.
Because nothing seemed broken or suspicious, users had no reason to question them.
A Bigger Supply Chain Security Problem
The discovery came alongside another warning. Koi Security also found multiple zero-day flaws in JavaScript package managers like npm, pnpm, vlt, and Bun.
Some of these issues have now been fixed. Others, like those in npm, remain open. GitHub, which owns npm, said users are responsible for checking the packages they install.
Security experts warn that even trusted defenses like lockfiles and disabling scripts are not enough anymore.
What Developers Should Do Now
If you use VS Code, review your installed extensions immediately. Remove any AI coding tools you don’t fully trust.
Stick to well-known publishers. Read reviews carefully. Limit permissions when possible. And remember, even official marketplaces can host threats.
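One way to run that review against the indicators named in this article, as an added example (not code from Koi Security or Microsoft): the script reads each installed extension's manifest, flags the two extension IDs listed above, and separately flags any extension whose JavaScript references the exfiltration domain. It assumes the default per-user install folder `~/.vscode/extensions`; `scan_extensions` is a name chosen for this sketch.

```python
import json
from pathlib import Path

# Extension IDs and the exfiltration domain named in this article.
KNOWN_BAD_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}
EXFIL_DOMAIN = "aihao123[.]cn".replace("[.]", ".")  # re-fanged for matching


def scan_extensions(ext_root):
    """Return (extension_id, folder, reason) findings for extensions under ext_root."""
    findings = []
    root = Path(ext_root)
    if not root.is_dir():
        return findings
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        try:
            meta = json.loads((folder / "package.json").read_text(encoding="utf-8"))
            # Marketplace IDs are "<publisher>.<name>" and compared case-insensitively.
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
        except (OSError, ValueError, KeyError, TypeError):
            continue  # not an extension folder, or manifest unreadable
        if ext_id in KNOWN_BAD_IDS:
            findings.append((ext_id, folder.name, "extension ID named in the report"))
        # Independently of the ID, look for the domain in the shipped JavaScript,
        # which also catches a republished copy under a different ID.
        for js in folder.rglob("*.js"):
            try:
                text = js.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            if EXFIL_DOMAIN in text:
                findings.append((ext_id, folder.name, f"references {EXFIL_DOMAIN} in {js.name}"))
                break
    return findings


if __name__ == "__main__":
    # Assumption: desktop VS Code with the default per-user extensions folder.
    hits = scan_extensions(Path.home() / ".vscode" / "extensions")
    for ext_id, folder, reason in hits:
        print(f"[!] {ext_id} ({folder}): {reason}")
    if not hits:
        print("No matches for the indicators listed in the article.")
```

A domain match is only an indicator: obfuscated or encoded strings would not match, so a clean result does not clear an extension.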
Malicious VS Code AI extensions show how easy it is for attackers to hide in plain sight. For developers, staying cautious is no longer optional.
