Full Report
Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants, but also harbor covert functionality to siphon developer data to China-based servers. The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio
Analysis Summary
# Incident Report: Malicious VS Code AI Extensions Exfiltrating Developer Source Code
## Executive Summary
Cybersecurity researchers discovered two popular, AI-powered Microsoft VS Code extensions that were covertly designed to exfiltrate sensitive developer source code and user profiling data to servers located in China. The extensions accumulated 1.5 million combined installs before the campaign, codenamed MaliciousCorgi, was publicly disclosed. The immediate impact is a massive potential compromise of proprietary source code and developer environments via software supply chain tampering.
## Incident Details
- Discovery Date: January 26, 2026 (Reported by Koi Security)
- Incident Date: Functionality active from deployment until discovery/discontinuation.
- Affected Organization: Developers using the malicious extensions on the Visual Studio Marketplace.
- Sector: Technology/Software Development (Global)
- Geography: Data exfiltration targeting China-based servers.
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed, coinciding with the publication/installation of the extensions.
- **Vector:** Malicious Software Supply Chain Compromise (Third-Party Extensions).
- **Details:** Attackers published two seemingly legitimate, AI-powered VS Code extensions: *ChatGPT - 中文版* (1.34M installs) and *ChatGPT - ChatMoss(CodeMoss)* (151K installs).
### Lateral Movement
- **Date/Time:** Ongoing, triggered by file interaction.
- **Vector:** Inherent permissions granted to the VS Code extension.
- **Details:** Once installed, the extensions executed identical malicious code across user workspaces, allowing the monitoring and exfiltration scripts to run automatically whenever a file was opened or edited.
### Data Exfiltration/Impact
- **Date/Time:** Triggered upon file activity (open/edit) or remote command.
- **Technique:** Continuous monitoring and scheduled extraction.
- **Details:**
  1. **Continuous Collection:** All opened files and source code modifications were captured, Base64 encoded, and sent to the China-based server (`aihao123[.]cn`).
  2. **Remote Trigger:** The external server could remotely trigger an extraction of up to 50 files from the developer's current workspace.
  3. **Profiling:** Four Chinese analytics SDKs (Zhuge.io, GrowingIO, TalkingData, Baidu Analytics) were loaded via a hidden iframe to fingerprint devices and build user profiles.
### Detection & Response
- **Date/Time:** January 26, 2026.
- **Vector:** External security research (Koi Security).
- **Details:** Researchers publicly disclosed the findings. At the time of disclosure the extensions were noted as still being available for download from the official Visual Studio Marketplace; removal in coordination with Microsoft is implied as the expected follow-up.
## Attack Methodology
| Stage | Method |
| :--- | :--- |
| **Initial Access** | Software Supply Chain Injection via official Visual Studio Marketplace repository. |
| **Persistence** | Functionality embedded directly within a trusted, actively-used development tool (VS Code Extension). |
| **Privilege Escalation** | N/A (Relied on standard user permission granted to VS Code extensions). |
| **Defense Evasion** | Extensions functioned as advertised (providing AI coding assistance), lowering user suspicion. |
| **Credential Access** | Not explicitly targeting credentials, but source code exposure could lead to credential compromise. |
| **Discovery** | Implicit discovery via scanning the current VS Code workspace files upon access/edit. |
| **Lateral Movement** | N/A (Focused on data within the environment where the extension runs). |
| **Collection** | Reading content of all opened and modified files, Base64 encoding. Forced exfiltration of up to 50 files via remote command. |
| **Exfiltration** | Transmission of encoded data to external China-based servers. |
| **Impact** | Leakage of proprietary and intellectual property (source code) and developer profiling. |
## Impact Assessment
- **Financial:** Costs associated with breach investigation, remediation, and potential lost intellectual property value (Undisclosed).
- **Data Breach:** Massive exposure of developer source code, project logic, and configuration files belonging to up to 1.5 million installations.
- **Operational:** Minimal direct operational disruption to developer functionality, as the malicious code ran alongside the legitimate functions. High risk of downstream security incidents due to leaked code.
- **Reputational:** Significant damage to trust associated with the Visual Studio Marketplace and official extension ecosystem.
## Indicators of Compromise
- **Network Indicators (Defanged):** Communication to `aihao123[.]cn`. Network connections made by the VS Code extension process utilizing commercial analytics SDKs (Zhuge.io, GrowingIO, TalkingData, Baidu Analytics).
- **File Indicators:** Presence of the malicious code components within the extension packages (`whensunset.chatgpt-china` and `zhukunpeng.chat-moss`).
- **Behavioral Indicators:** Base64-encoded data transmission upon file open or edit events within the IDE workspace; hidden zero-pixel iframes loaded in the extension's web view.
## Response Actions
- **Containment Measures:** Immediate user recommendation to uninstall both malicious extensions. Coordination with Microsoft to remove the malicious packages from the Visual Studio Marketplace.
- **Eradication Steps:** Users must verify their workspaces and local systems for any remnant scripts or unauthorized access, assuming all code handled by the extension is compromised.
- **Recovery Actions:** Developers using the extensions should conduct code reviews, rotate any secrets or keys accidentally stored in the source code, and mandate stricter tooling vetting.
## Lessons Learned
- **AI Tool Trust:** Functionality (even high-value functionality like AI assistance) does not guarantee security. Functionality that requires access to the fundamental data of the environment (like source code) must be scrutinized beyond basic operational testing.
- **Supply Chain Vigilance:** Malicious actors are effectively using proprietary analytics SDKs as a secondary method for fingerprinting and user profiling, increasing the covert persistence of the threat.
- **Scale of Abuse:** A significant number of users (1.5 million) will install extensions based purely on visibility and perceived utility, regardless of the publisher's reputation.
## Recommendations
- **Pre-Installation Vetting:** Implement mandatory static analysis or sandbox testing for all third-party development extensions before they are permitted in secured developer environments.
- **Least Privilege for IDEs:** Future VS Code security research should focus on limiting the breadth of file system access granted to extensions to what is strictly necessary.
- **Mandatory Audits:** Organizations should perform periodic audits of installed development tooling against established watchlists for supply chain compromises.
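
The audit recommended above, applied to the file and network indicators listed in this report, can be sketched as follows. This is an added example, not code from the report or from Koi Security; it assumes the default per-user extension folder (`~/.vscode/extensions`) with `publisher.name-version` subfolders, and the function names are hypothetical.

```python
import json
import re
from pathlib import Path

# Indicators from this report; the domain stays defanged in source and is re-fanged for matching.
WATCHLIST_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}
WATCHLIST_DOMAIN = "aihao123[.]cn".replace("[.]", ".").encode()
# Fallback when package.json is unreadable: "<publisher>.<name>-<version>[-platform]"
DIR_RE = re.compile(r"^(?P<id>[^.]+\..+?)-\d+\.\d+\.\d+")


def extension_id(ext_dir):
    """Return 'publisher.name' (lower case) from package.json, else from the folder name."""
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{manifest['publisher']}.{manifest['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        m = DIR_RE.match(ext_dir.name)
        return m.group("id").lower() if m else None


def references_domain(ext_dir):
    """True if any .js/.json/.html file in the extension contains the watchlisted domain."""
    for path in ext_dir.rglob("*"):
        if path.suffix.lower() in {".js", ".json", ".html"} and path.is_file():
            try:
                if WATCHLIST_DOMAIN in path.read_bytes():
                    return True
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return False


def audit_extensions(ext_root):
    """Return (folder, reason) pairs, sorted by folder, for extensions matching an indicator."""
    root, findings = Path(ext_root), []
    if not root.is_dir():
        return findings
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        if extension_id(ext_dir) in WATCHLIST_IDS:
            findings.append((ext_dir.name, "extension id on watchlist"))
        elif references_domain(ext_dir):  # catches a re-upload under a different id
            findings.append((ext_dir.name, "references watchlisted domain"))
    return findings


if __name__ == "__main__":
    # Assumed default location; other VS Code builds and remote hosts use different folders.
    for folder, reason in audit_extensions(Path.home() / ".vscode" / "extensions"):
        print(f"{folder}: {reason}")
```

A clean result only means none of this report's indicators were found on disk; code already handled by an affected extension should still be treated as exposed, as the eradication steps state.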