Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code
On January 26, 2026, cybersecurity researchers at Koi Security discovered two malicious extensions for Microsoft Visual Studio Code (VS Code), which have a combined total of over 1.5 million downloads from the official VS Code Marketplace.
Main Features
- ChatGPT – 中文版 (ID: whensunset.chatgpt-china) – Installs: 1,340,869
- ChatMoss – CodeMoss (ID: zhukunpeng.chat-moss) – Installs: 151,751
Malicious Functionality
Despite touting themselves as artificial intelligence-powered coding assistants, these extensions contain covert functionality that captures and transmits developers’ source code to servers in China.
- The malicious activity is organized under a codename: "MaliciousCorgi."
- Captures the entire contents of each file the user opens, encodes it in Base64, and transmits it to their Chinese server ("aihao123[.]cn"). This process occurs each time a file is edited.
- Incorporates real-time monitoring features that can be triggered remotely by an attacker on these servers.
The embedded code also includes four commercial analytics software development kits (SDKs) from China: Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics. These SDKs load into hidden iframe elements within the extension’s web view, significantly compromising user privacy and security.
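A defender-side check for the two extension IDs listed above, as an added example that is not code from Koi Security or from the original article: it scans a VS Code extensions directory and reports any folder belonging to either ID. The default directories under the user's home (`~/.vscode/extensions` and the two variants) and the function names are assumptions of this example.

```python
from __future__ import annotations
import json
import re
from pathlib import Path

# Extension IDs named in this article.
FLAGGED_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}

# Installed extensions live in folders named "<publisher>.<name>-<version>".
_FOLDER_RE = re.compile(r"^(?P<id>[^.]+\..+?)-\d+\.\d+\.\d+")

# Assumed default locations (desktop, Insiders, remote server).
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-insiders", ".vscode-server")]

def extension_id(ext_dir: Path) -> str | None:
    """Return 'publisher.name' in lower case, preferring the manifest."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return f"{data['publisher']}.{data['name']}".lower()
    except (OSError, ValueError, KeyError, TypeError):
        # Manifest missing or unreadable: fall back to the folder name.
        match = _FOLDER_RE.match(ext_dir.name)
        return match.group("id").lower() if match else None

def find_flagged(extensions_root: Path) -> list[tuple[str, Path]]:
    """List (extension id, folder) for every flagged extension under the root."""
    hits = []
    if not extensions_root.is_dir():
        return hits
    for entry in sorted(extensions_root.iterdir()):
        if entry.is_dir():
            ext_id = extension_id(entry)
            if ext_id in FLAGGED_IDS:
                hits.append((ext_id, entry))
    return hits

if __name__ == "__main__":
    found = [hit for root in DEFAULT_ROOTS for hit in find_flagged(root)]
    for ext_id, folder in found:
        print(f"FLAGGED {ext_id}: {folder}")
    if not found:
        print("No flagged extension folders found in the default locations.")
```

A hit means the extension is present on disk; uninstall it from VS Code and review which projects were opened while it was installed.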
Additional Insights
Supply chain security company PackageGate identified six zero-day vulnerabilities in popular JavaScript package managers such as npm, pnpm, vlt, and Bun. These flaws could allow attackers to bypass security controls put in place during the installation of packages.
- Identified Flaws: PackageGate named these issues collectively as "PackageGate."
Key Vulnerabilities and Their Implications
- Scope of Impact: Both VS Code extensions have the potential to expose sensitive developer data, including source code, file contents, and debugging information.
- Data Exfiltration: The malicious activities pose a serious threat to developers’ privacy, as they continuously transmit confidential files to servers in China. This not only violates user consent but also puts intellectual property at risk.
Recommendations for Developers
- Disable Scripts and Lockfiles: Users are advised to disable lifecycle scripts and commit their `package-lock.json` files. These actions are effective defensive measures against supply chain attacks.
- Use Trusted Publishing Mechanisms: Companies should adopt trusted publishing practices, enforce granular access tokens with two-factor authentication (2FA), and manage these permissions more securely.
Conclusion
The discovery of malicious VS Code extensions underscores the growing threat landscape in cybersecurity. As developers become increasingly reliant on third-party tools like AI-powered coding assistants, vigilant monitoring and proactive measures are essential to safeguard against stealthy threats that masquerade as useful features.
Koi Security urged users to be cautious when downloading VS Code extensions from unofficial sources or unverified channels to protect themselves against such malicious activities.