MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts
© Market Alert News. All Rights Reserved.

VSCode’s AI Trap: 1.5 Million Developers’ Code Funneled to China

Last updated: January 26, 2026 5:40 am
Published: 3 months ago

Two seemingly innocuous AI coding assistants on Microsoft’s Visual Studio Code Marketplace have siphoned source code and secrets from 1.5 million developers, channeling data to servers in China. Dubbed the MaliciousCorgi campaign by researchers at Koi Security, the extensions “ChatGPT – 中文版” and “ChatMoss (CodeMoss)” masquerade as helpful tools while executing sophisticated surveillance.

Published under publishers WhenSunset and zhukunpeng, the extensions boast 1.34 million and 150,000 installs respectively. They deliver promised AI functionality — code suggestions and chat interfaces — but embed spyware that activates silently upon file opens. Koi Security’s analysis reveals identical malicious codebases linking both to shared infrastructure on domain aihao123.cn.

“The moment you open any file – not interact with it, just open it – the extension reads its entire contents, encodes it as Base64, and sends it to a webview containing a hidden tracking iframe,” Koi researchers detailed in their report, emphasizing the breach captures full files, not mere context snippets.

MaliciousCorgi’s Triple Theft Channels

The operation unfolds across three channels. Channel one triggers on file opens or edits via VS Code’s event, Base64-encoding contents for exfiltration through an invisible iframe. Channel two enables server-directed raids: responses include a JSON command like {"type": "getFilesList"}, prompting the extension to harvest up to 50 workspace files — excluding images — without user notice.

Channel three deploys a zero-pixel iframe loading analytics SDKs from Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics. Titled “ChatMoss数据埋点” or “ChatMoss Data Tracking,” it fingerprints devices, tracks behaviors, and profiles users to pinpoint high-value targets for deeper theft.

Risks extend to proprietary algorithms, .env files with API keys, SSH credentials, and cloud configs. As of January 23, 2026, both extensions lingered on the marketplace despite Koi’s disclosure, per BleepingComputer.

Microsoft’s Measured Response

BleepingComputer alerted Microsoft, prompting a spokesperson to state on January 24: “We are investigating this report and will take appropriate action in accordance with our process and policies.” No confirmation of removal surfaced by press time, echoing delays in prior incidents. Checkmarx Zero noted reporting ChatMoss-related issues as early as October 31, 2025, with marketplace inaction until recent scrutiny.

This lapse underscores persistent vetting gaps. Microsoft removed 110 malicious extensions in 2025 alone, yet threats proliferate. The MaliciousCorgi tools evaded scans by blending legitimate AI wrappers — ChatGPT and DeepSeek integrations — with undocumented exfiltration, as outlined in Koi Security’s blog.

Developers face acute exposure in trusted environments. X posts from industry watchers, including @CheckmarxZero, amplify calls for audits: “marketplace maintainers can be reluctant to remove things without ‘smoking gun’ evidence of malice.”

Broader Marketplace Menace

MaliciousCorgi fits a pattern of IDE supply-chain assaults. In December 2025, Koi uncovered “Bitcoin Black” and “Codo AI” from publisher BigBlack, which deployed infostealers via DLL hijacking of Lightshot binaries. These snatched screenshots, WiFi passwords, clipboard data, browser cookies, and crypto wallets like MetaMask, per The Hacker News.

“Your code. Your emails. Your Slack DMs. Whatever’s on your screen, they’re seeing it too,” warned Koi’s Idan Dardikman. Microsoft swiftly yanked those — Bitcoin Black on December 5, Codo AI on December 8 — but low install counts (under 30) limited fallout. BleepingComputer confirmed removals in a follow-up.

Earlier, ReversingLabs flagged clipboard-helper-vscode and code-ai-assistant for Discord webhook exfiltration, while HelixGuard identified 12 extensions like Christine-devops1234.scraper stealing code and credentials, four active at disclosure per Cybersecurity News.

Supply-Chain Echoes Beyond VSCode

The peril spans ecosystems. Socket researchers tied malicious Go packages typosquatting Google’s UUID library to data dumps on dpaste.org; npm saw 420 elf-stats-* shells; Rust’s finch-rust loaded credential-stealer sha-rust. Koi linked these to developer-targeted campaigns, as reported by Cybernews.

GlassWorm malware self-propagated via OpenVSX and VSCode registries, infecting 35,800 times with invisible-character obfuscation, according to BleepingComputer. VSCode forks like Cursor and Windsurf inherit hardcoded recommendations, exposing users to namespace hijacks, Koi noted in related findings.

TigerJack’s 11 extensions, including C++ Playground, mined crypto and backdoored over 17,000 installs, persisting on OpenVSX post-Microsoft bans, per Wiz research.

Defensive Imperatives for Dev Teams

Microsoft’s multi-step scans — sandboxed runtime checks and periodic sweeps — fall short against functional malware. Koi urges post-install behavioral analysis: “Scan your environment to find threats already running. Block malicious extensions before they’re installed.”

Best practices include restricting to verified publishers, auditing extensions via tools like Koi or Checkmarx Zero, disabling auto-updates, and GPO-enforcing allowlists. X discussions highlight enterprise needs: @Anavem_ advises, “audit installed extensions and lock down marketplace installs.”
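
One way to run the extension audit described above on a single workstation, as an added example (not code from Koi Security, Checkmarx Zero or Microsoft). It flags installed extensions whose manifest publisher is WhenSunset or zhukunpeng, or whose bundled files mention aihao123.cn, the indicators named in this article; the default path ~/.vscode/extensions, the package.json "publisher" field and the function names are assumptions of the example.

```python
import json
from pathlib import Path

# Indicators named in the article; directory layout and names below are assumptions.
FLAGGED_PUBLISHERS = {"whensunset", "zhukunpeng"}
FLAGGED_DOMAINS = ("aihao123.cn",)
SCAN_SUFFIXES = {".js", ".cjs", ".mjs", ".html", ".json"}
MAX_BYTES = 20 * 1024 * 1024  # skip files larger than 20 MiB

def read_manifest(ext_dir):
    """Return the extension's package.json as a dict, or {} if unreadable."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):
        return {}

def domain_hits(ext_dir):
    """Relative paths of bundled files that mention a flagged domain."""
    hits = []
    for path in sorted(ext_dir.rglob("*")):
        if path.suffix.lower() not in SCAN_SUFFIXES or not path.is_file():
            continue
        try:
            if path.stat().st_size > MAX_BYTES:
                continue
            text = path.read_bytes().decode("utf-8", errors="ignore").lower()
        except OSError:
            continue
        if any(d in text for d in FLAGGED_DOMAINS):
            hits.append(path.relative_to(ext_dir).as_posix())
    return hits

def audit_extensions(root):
    """Return one finding per installed extension that matches an indicator."""
    root, findings = Path(root), []
    dirs = sorted(p for p in root.iterdir() if p.is_dir()) if root.is_dir() else []
    for ext_dir in dirs:
        publisher = str(read_manifest(ext_dir).get("publisher", ""))
        reasons = []
        if publisher.lower() in FLAGGED_PUBLISHERS:
            reasons.append("publisher:" + publisher)
        reasons += ["domain-in:" + h for h in domain_hits(ext_dir)]
        if reasons:
            findings.append({"dir": ext_dir.name, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_extensions(Path.home() / ".vscode" / "extensions"):
        print(f["dir"], "->", ", ".join(f["reasons"]))
```

A match is a lead for manual review rather than proof, and an extension that fetches its endpoint at runtime will not carry the domain on disk.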

Incidents like susvsex’s AI-generated ransomware test Microsoft’s review process, per TechRadar, signaling escalating sophistication. As AI tools explode, developers must balance velocity with verification to safeguard intellectual property.

Read more on WebProNews

This news is powered by WebProNews