Two malicious AI coding assistant extensions have been discovered in the official Visual Studio Code Marketplace, collectively amassing roughly 1.5 million installations. Behind the promised productivity gains, the plugins were silently exfiltrating source code and sensitive developer data to remote servers located in China, underscoring the growing risk of supply chain attacks targeting developer tools.
Malicious VS Code AI assistants: which extensions were involved
Security researchers identified the extensions “ChatGPT — 中文版” (publisher: WhenSunset, approximately 1.34 million installs) and “ChatMoss” (publisher: zhukunpeng, around 150,000 installs) as part of the operation. Both advertised themselves as AI assistants for programming and did provide code-completion and chat capabilities inside VS Code, which helped them appear legitimate.
The core problem is that neither extension disclosed extensive data collection or code transfer in its description or documentation. There was no clear notice about sending file contents, behavioral telemetry, or device information to third-party servers. Analysis showed that both extensions are tied to a single coordinated campaign, dubbed MaliciousCorgi, sharing common code, infrastructure, and data-exfiltration techniques.
How the MaliciousCorgi VS Code campaign steals code and data
1. Automatic exfiltration of every file opened in VS Code
The most damaging capability involves intercepting activity directly inside the editor. As soon as a developer opens any file in VS Code—even without editing it—the extension reads the file’s full contents, encodes the data in Base64, and sends it via a hidden iframe inside a webview to the attackers’ remote server.
Importantly, entire files are exfiltrated, not just snippets. Subsequent changes to those files are also tracked and resent, turning the extension into a persistent spyware component embedded in the development environment.
2. Targeted theft of up to 50 workspace files on demand
A second mechanism is activated by commands from the MaliciousCorgi command-and-control infrastructure. The extensions can upload up to 50 files from the current VS Code workspace per server request, allowing attackers to selectively pull high-value projects, repositories, or configuration files.
This on-demand exfiltration helps adversaries minimize network noise and avoid obvious spikes in outbound traffic, while still enabling focused theft of strategic assets.
3. Developer profiling via embedded analytics SDKs
The third component focuses not only on source code, but on detailed profiling of developers and their environments. Within a hidden, zero-size iframe in the webview, the extensions load commercial analytics SDKs such as Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics.
These platforms, commonly used for marketing and product analytics, can track user behavior, build behavioral profiles, and collect device fingerprints. Inside an IDE, this lets attackers observe which projects are opened, how the editor is used, and which features are invoked, and gather technical details about the development environment.
What developer and corporate data is exposed
The undisclosed behavior of these malicious VS Code extensions creates significant risk for both individual developers and organizations. Among the data potentially exposed are:
Proprietary source code from closed-source products, internal libraries, experimental prototypes, and customer-specific solutions. Loss of such code can lead to intellectual property theft and competitive disadvantage.
Configuration and infrastructure files, including settings that reveal internal architecture, service endpoints, network topology, and CI/CD or deployment parameters. These details provide valuable reconnaissance data for subsequent targeted attacks.
Credentials and secrets, such as database connection strings, cloud service configurations, and especially .env files containing API keys, tokens, and passwords. Compromise of these secrets frequently escalates from mere data leakage to full-scale infrastructure breaches.
Why malicious VS Code extensions are a critical supply chain threat
Integrated development environments (IDEs) and their extensions are increasingly viewed by attackers as high-value entry points into corporate networks. Developers often have privileged access to repositories, CI/CD pipelines, cloud environments, and internal services, making their workstations a strategic target.
Extensions from the official Visual Studio Code Marketplace typically benefit from implicit trust. This trust amplifies the impact of software supply chain attacks, where malicious or compromised components are distributed through legitimate channels. Recent industry analyses consistently highlight growth in attacks that leverage plugins, packages, and dependencies as vehicles for malware and espionage.
Practical security measures to protect IDEs and source code
Install only vetted, reputable extensions. Favor extensions from well-known vendors with a clear track record, transparent privacy practices, and preferably open-source code that can be reviewed. AI coding assistants from unknown publishers should be treated with caution, regardless of how convenient they appear.
Apply least privilege and isolate sensitive work. Use separate workspaces for sensitive and non-sensitive projects. For highly critical repositories, use a dedicated VS Code profile, separate operating system account, or even a distinct machine or virtual environment with a minimal, audited extension set.
Monitor outbound network activity from developer machines. Organizations should inspect egress traffic, flag unusual requests to unfamiliar domains, and leverage DLP (Data Loss Prevention) and EDR (Endpoint Detection and Response) tools to detect and block suspicious exfiltration patterns.
Define extension policies and train development teams. Establish internal policies governing which extensions and third-party tools are allowed, and conduct regular awareness training on the risks of malicious plugins—especially AI assistants and tools that require access to source code or credentials.
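As an added example (not code from the researchers or from the extensions themselves), the Node.js sketch below triages an installed-extensions directory: it flags the two publishers named in this article by the `publisher` field of each `package.json`, and marks for manual review any extension whose JavaScript combines the traits described above. The function names, the regex heuristics and the verdict labels are assumptions made for illustration, and a "review" result is a prompt to inspect the extension, not proof of malice.

```javascript
// Added example: triage installed VS Code extensions for traits this article describes.
// Publisher names are from the article; the source-pattern heuristics are assumptions.
const LISTED_PUBLISHERS = ['whensunset', 'zhukunpeng'];

// Each pattern alone is common in benign extensions; the first three together match
// the "read on open, Base64-encode, ship through an iframe" shape and deserve review.
const INDICATORS = {
  readsOpenedOrChangedDocs: /onDidOpenTextDocument|onDidChangeTextDocument/,
  base64Encoding: /toString\(\s*['"]base64['"]\s*\)|\bbtoa\s*\(/,
  iframeMarkup: /<iframe\b/i,
  bulkWorkspaceRead: /workspace\.findFiles/,
};

// Pure check: parsed package.json plus the extension's concatenated JavaScript.
function auditExtension(manifest, source) {
  const publisher = String(manifest.publisher || '').toLowerCase();
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  const exfilShape = ['readsOpenedOrChangedDocs', 'base64Encoding', 'iframeMarkup']
    .every((k) => hits.includes(k));
  const verdict = LISTED_PUBLISHERS.includes(publisher) ? 'listed-publisher'
    : exfilShape ? 'review' : 'ok';
  return { id: `${manifest.publisher}.${manifest.name}`, verdict, hits };
}

// Walk an extensions directory (for example ~/.vscode/extensions) and report non-ok entries.
async function scanDir(dir) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const findings = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const root = path.join(dir, entry.name);
    const manifestPath = path.join(root, 'package.json');
    if (!entry.isDirectory() || !fs.existsSync(manifestPath)) continue;
    const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
    const source = fs.readdirSync(root, { recursive: true }) // recursive needs Node 18.17+
      .filter((f) => f.endsWith('.js') && fs.statSync(path.join(root, f)).isFile())
      .map((f) => fs.readFileSync(path.join(root, f), 'utf8')).join('\n');
    const result = auditExtension(manifest, source);
    if (result.verdict !== 'ok') findings.push(result);
  }
  return findings;
}

// Constructed sample input: isolated fragments, not code from the real extensions.
const SAMPLE_SOURCE = [
  'vscode.workspace.onDidOpenTextDocument(onOpen);',
  "const encoded = Buffer.from(text).toString('base64');",
  '<iframe width="0" height="0"></iframe>',
].join('\n');
if (process.argv[2]) scanDir(process.argv[2]).then(console.log, console.error);
```

Run it with the extensions directory as the only argument; minified or obfuscated bundles can evade these string patterns, so an "ok" result does not replace egress monitoring.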
The MaliciousCorgi campaign illustrates how easily a seemingly useful AI assistant can conceal a fully functional espionage platform inside a development environment. Large installation numbers and subtle behavior make such threats particularly dangerous. Organizations and developers should reevaluate how much implicit trust is granted to VS Code extensions, enforce stricter controls over tooling, and prioritize protection of source code and secrets. Treating the IDE as a critical asset and hardening it accordingly will significantly raise the bar for attackers seeking to turn everyday development tools into channels for data theft.