Corgis in Code: 1.5 million developer secrets fuel stealth AI spy campaign

On Microsoft's Visual Studio Code Marketplace, two AI coding assistants appear to have quietly taken source code, API keys and configuration files from 1.5 million developers and routed the data to servers in China. The "ChatGPT - shàngàngín" and "ChatMoss (CodeMoss)" extensions, dubbed the MaliciousCorgi campaign by Koi Security researchers, delivered the promised functionality - answering coding questions and offering auto-completion - with sophisticated monitoring mechanisms built in alongside it.

Published under the names WhenSunset and zhukunpeng, the extensions have amassed 1.34 million and 150,000 installs, respectively. Koi researchers noted in their January 2026 blog post that both remained on the Marketplace at the time of publication, and that they exfiltrate files as they are opened and can pull up to 50 files from the workspace on remote command. "They answer your coding questions. They explain your mistakes. They take every file you open, every development you make, and they send it all to China."

The mechanics behind the mask

The spyware worked through three channels. First, real-time monitoring was triggered by VS Code's onDidChangeTextDocument event: the handler reads the entire content of the file being opened - not just the changed lines - encodes it in Base64 and streams it through a hidden iframe to the extension's webview. "The moment you open any file - you don't interact with it, just open it - the extension reads its entire content, encodes it as Base64 and sends it to the hidden webview. The whole file," Koi detailed on its blog.

The second channel enabled server-directed mass exfiltration: when the API response includes a jumpUrl, the webview issues a GETFileslist command to exfiltrate up to 50 files of all types except images, with no user interaction required. A third channel loaded commercial analytics SDKs - Zhuge.io, GrowingIO, TalkingData and Baidu Analytics - into a zero-pixel iframe to profile users, fingerprint devices and prioritize high-value targets, according to BleepingComputer.

Domains such as aihao123.cn served as exfiltration endpoints and tied both extensions to the same infrastructure. The exposure extends to .env files containing API keys, SSH credentials and cloud configurations, putting companies' intellectual property at risk.

Microsoft's measured response

BleepingComputer contacted Microsoft on January 23, 2026; a spokesperson responded the next day: "We are investigating this report and will take appropriate action in accordance with our process and policy." As of late January there has been no public confirmation of removal, consistent with past incidents. Checkmarx Zero had flagged problems with ChatMoss as early as October 31, 2025, but the Marketplace took no action until Koi's behavioral analysis exposed the campaign, according to a post by @CheckmarxZero on X.

This delay underscores a wide review gap. According to several reports, including HackingPassion and Byte Iota, Microsoft removed 136 of the 110 malicious extensions reviewed in 2025 alone. Critics argue that static scans at submission time fail against post-approval behavior, allowing dynamic malware to thrive amid positive reviews.

Earlier precedents: in December 2025, Koi uncovered "Bitcoin Black" and "Codo AI", which deployed infostealers to download payloads via batch scripts and capture screenshots, WiFi passwords and browser cookies. Microsoft confirmed their removal a few days after BleepingComputer's report. Since February 2025, ReversingLabs has discovered 19 extensions hiding malware in fake PNG files, and the number of findings has quadrupled year over year.

Systemic weaknesses

The VS Code ecosystem's openness amplifies threats. In October 2025, HelixGuard identified 12 extensions, including Christine-devops1234.scraper, that exfiltrated code and credentials, four of which were still active at disclosure, per Cybersecurity News. TigerJack's 11 extensions infected 17,000 developers with spyware and miners and lingered on OpenVSX after Microsoft's takedown, as noted by The Hacker News.

AI IDE forks like Cursor and Windsurf inherit hardcoded recommendations pointing to unclaimed OpenVSX namespaces, enabling namespace squatting, Koi warned in January 2026 via BleepingComputer. Wiz Research found 550 leaked secrets across 500+ extensions, risking malware propagation to 150,000 installs.

Checkmarx Zero systematically reports threats and coordinates removals, but emphasizes that AppSec must scrutinize IDE tools as closely as libraries. "Marketplace maintainers can be reluctant to remove items without demonstrating 'smoking guns'," wrote @CheckmarxZero on X.

Protecting the developer perimeter

Koi urges analyzing post-installation behavior: "Scan your environment for active threats. Block malicious extensions before installing them." Enterprises should implement allowlists, enforce them through GPOs, restrict installs to verified publishers, and disable automatic updates. X user @Anavem_ advises: "Check installed extensions and lock market installs."

VS Code commands 75.9% of professional developers per Stack Overflow's 2025 survey, making it the leading vector. As AI coding tools proliferate, adoption speed is outpacing verification rigor, and runtime monitoring is needed to bridge that gap.
