Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code - The Hacker News

Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code Ravie LakshmananJan 26, 2026AI Security / Vulnerability Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants, but also harbor covert functionality to siphon developer data to China-based servers. The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio Marketplace, are listed below - ChatGPT - 中文版 (ID: whensunset.chatgpt-china) - 1,340,869 installs ChatGPT - ChatMoss（CodeMoss）(ID: zhukunpeng.chat-moss) - 151,751 installs Koi Security said the extensions are functional and work as expected, but they also capture every file being opened and every source code modification to servers located in China without users' knowledge or consent. The campaign has been codenamed MaliciousCorgi. "Both contain identical malicious code -- the same spyware infrastructure running under different publisher names," security researcher Tuval Admoni said. What makes the activity particularly dangerous is that the extensions work exactly as advertised, providing autocomplete suggestions and explaining coding errors, thereby avoiding raising any red flags and lowering the users' suspicion. At the same time, the embedded malicious code is designed to read all of the contents of every file being opened, encode it in Base64 format, and send it to a server located in China ("aihao123[.]cn"). The process is triggered for every edit. The extensions also incorporate a real-time monitoring feature that can be remotely triggered by the server, causing up to 50 files in the workspace to be exfiltrated. Also present in the extension's web view is a hidden zero-pixel iframe that loads four commercial analytics software development kits (SDKs) to fingerprint the devices and create extensive user profiles. The four SDKs used are Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, all of which are major data analytics platforms based in China. PackageGate Flaws Affect JavaScript Package Managers The disclosure comes as the supply chain security company said it identified six zero-day vulnerabilities in JavaScript package managers like npm, pnpm, vlt, and Bun that could be exploited to defeat security controls put in place to skip the automatic execution of lifecycle scripts during package installation. The flaws have been collectively named PackageGate. Defenses such as disabling lifecycle scripts ("--ignore-scripts") and committing lockfiles ("package-lock.json") have become crucial mechanisms to confronting supply chain attacks, especially in the aftermath of Shai-Hulud, which leverages postinstall scripts to spread in a worm-like manner to hijack npm tokens and publish malicious versions of the packages to the registry. However, Koi found that it's possible to bypass script execution and lockfile integrity checks in the four package managers. Following responsible disclosure, the issues have been addressed in pnpm (version 10.26.0), vlt (version 1.0.0-rc.10), and Bun (version 1.3.5). Pnpm is tracking the two vulnerabilities as CVE-2025-69264 (CVSS score: 8.8) and CVE-2025-69263 (CVSS score: 7.5). Npm, however, has opted not to fix the vulnerability, stating "users are responsible for vetting the content of packages that they choose to install." When reached for comment, a GitHub spokesperson told The Hacker News that's working actively to address the new issue as npm actively scans for malware in the registry. "If a package being installed through git contains a prepare script, its dependencies and devDependencies will be installed. As we shared when the ticket was filed, this is an intentional design and works as expected," the company said. "When users install a git dependency, they are trusting the entire contents of that repository, including its configuration files." The Microsoft-owned subsidiary has also urged projects to adopt trusted publishing and granular access tokens with enforced two-factor authentication (2FA) to secure the software supply chain. As of September 2025, GitHub has deprecated legacy classic tokens, limited granular tokens with publishing permissions to a shorter expiration, and removed the option to bypass 2FA for local package publishing. "The standard advice, disable scripts and commit your lockfiles, is still worth following," security researcher Oren Yomtov said. "But it's not the complete picture. Until PackageGate is fully addressed, organizations need to make their own informed choices about risk." (The story was updated after publication to include a response from GitHub.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  AI Security, cybersecurity, data exfiltration, JavaScript, Malware, Open Source, Visual Studio Code, Vulnerability Trending News Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Load More ▼ Popular Resources Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026