Malicious AI Extensions on VSCode Marketplace: How Developer Data Was Stolen at Scale
Imagine opening a file in your favorite code editor and, without a single click or keystroke, your proprietary code is whisked away to a remote server. This is not a hypothetical scenario but a reality for millions of developers who installed popular AI-powered extensions from the Visual Studio Code (VSCode) Marketplace. Security researchers at Koi Security uncovered that extensions like “ChatGPT – 中文版” and “ChatMoss (CodeMoss)” covertly captured and transmitted file contents the moment a file was opened—no user interaction required. The scale is staggering: over 1.34 million installs for just one of these extensions (BleepingComputer).
These malicious add-ons didn’t stop at single files. Attackers could remotely trigger bulk exfiltration of up to 50 files at a time, all while profiling users with commercial analytics SDKs embedded in invisible iframes. The result? A potent mix of stolen intellectual property, compromised credentials, and detailed user fingerprints, all harvested under the guise of AI productivity tools. The ongoing presence of these extensions on the marketplace, even after public exposure, highlights the urgent need for vigilance and improved supply chain security (BleepingComputer).
How Malicious AI Extensions Exfiltrate Developer Data: The Sneaky Tech Behind the Breach
Real-Time File Content Capture and Transmission
One of the most insidious techniques employed by the malicious AI extensions identified on the Visual Studio Code (VSCode) Marketplace is the immediate capture and exfiltration of file contents as soon as a file is opened within the editor. According to security research by Koi Security, these extensions do not require the user to interact with or modify the file; simply opening it is sufficient to trigger the data theft mechanism. The entire contents of the file are read, encoded in Base64, and then transmitted covertly to a remote server controlled by the attackers (BleepingComputer).
This process is executed via a hidden tracking iframe embedded within the extension’s webview. Base64 is an encoding rather than encryption, so it obfuscates the data without protecting it: recognizable strings no longer appear in the payload, which makes detection and interception by standard security tools more challenging. Notably, this mechanism is not limited to a particular file type or size; any file opened in the workspace is subject to this real-time surveillance and exfiltration.
The scale of the threat is underscored by the popularity of the affected extensions. For instance, the “ChatGPT – 中文版” extension, published by WhenSunset, had amassed approximately 1.34 million installs, while “ChatMoss (CodeMoss)” by zhukunpeng had around 150,000 installs at the time of discovery (BleepingComputer). This widespread adoption amplifies the potential impact, as a vast number of developers could have unknowingly exposed sensitive project files, proprietary source code, and confidential configuration data.
Server-Initiated Bulk File Harvesting
Beyond the immediate capture of individual files, the malicious extensions also implement a more aggressive data collection strategy: server-initiated bulk file harvesting. This mechanism allows the attackers to remotely trigger the exfiltration of up to 50 files from the victim’s workspace in a single operation (BleepingComputer). The command to initiate this mass data transfer is controlled from the attackers’ backend infrastructure, giving them the flexibility to target specific files or directories based on their reconnaissance.
The technical sophistication of this approach lies in its stealth and adaptability. By limiting the number of files harvested per command, the extensions can avoid raising immediate suspicion from the user or triggering automated security alerts due to excessive network activity. Moreover, the selection of files can be dynamically adjusted, enabling the attackers to prioritize files likely to contain valuable information, such as environment configuration files, API keys, or proprietary algorithms.
This server-controlled harvesting capability transforms the extensions from passive data siphons into active espionage tools, capable of conducting targeted raids on developer workspaces. The ability to exfiltrate multiple files in a coordinated manner increases the risk of comprehensive data breaches, particularly for organizations that rely on VSCode for collaborative software development.
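A defender who can see outbound request bodies (for example at a TLS-inspecting proxy) can test for both behaviors described above, the per-file capture on open and the server-triggered bulk harvest, by decoding Base64 runs and comparing them against hashes of workspace files. This is an added example, not code from the extensions or from Koi Security; the JSON field names, the sample workspace and the 24-character threshold are constructed assumptions.

```python
import base64
import binascii
import hashlib
import json
import re

# Base64 runs long enough to carry file content; the 24-character floor is an assumption.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def index_workspace(files):
    """Map the SHA-256 of each file's bytes to its path; `files` is {path: bytes}."""
    return {hashlib.sha256(data).hexdigest(): path for path, data in files.items()}


def find_leaked_files(body, index):
    """Return workspace paths whose full contents appear Base64-encoded in `body`."""
    leaked = []
    for run in B64_RUN.findall(body):
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64, e.g. a long identifier with bad length
        path = index.get(hashlib.sha256(decoded).hexdigest())
        if path and path not in leaked:
            leaked.append(path)
    return leaked


def b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample data: a two-file workspace and three outbound request bodies.
WORKSPACE = {
    ".env": b"API_KEY=constructed-placeholder\nDB_HOST=db.example.invalid\n",
    "src/app.py": b"def main():\n    return 42\n",
}
INDEX = index_workspace(WORKSPACE)
BODIES = [
    json.dumps({"prompt": "explain this function", "model": "constructed"}),
    json.dumps({"event": "open", "data": b64(WORKSPACE[".env"])}),
    json.dumps({"batch": [b64(v) for v in WORKSPACE.values()]}),
]

if __name__ == "__main__":
    for i, body in enumerate(BODIES):
        print(i, find_leaked_files(body, INDEX))
```

The check matches only complete files; a body that carries several matches at once is the pattern to expect from a bulk harvest.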
Covert User Profiling and Device Fingerprinting
In addition to stealing work files, the malicious extensions employ advanced user profiling and device fingerprinting techniques. This is accomplished through the surreptitious loading of commercial analytics Software Development Kits (SDKs) within a zero-pixel iframe embedded in the extension’s webview. The SDKs identified include Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics (BleepingComputer).
These analytics tools are typically used by legitimate software developers to monitor user engagement and application performance. However, in this context, they are repurposed to build detailed identity profiles of the extension’s users. The data collected can include:
- User behavior patterns within the editor
- Device and operating system fingerprints
- Network and geolocation metadata
- Session duration and frequency of use
This information enables the attackers to correlate stolen files with specific users and devices, enhancing the value of the exfiltrated data for subsequent exploitation or resale. The use of multiple analytics SDKs increases the granularity and reliability of the profiling, making it possible to track users across different sessions and potentially across different projects or organizations.
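The zero-pixel iframe and the embedded analytics SDKs described in this section can be looked for statically in an installed extension's webview HTML. The following is an added example, not code from the article's sources; the SDK substrings are derived from the names listed above as a heuristic, the sample HTML is constructed, and `~/.vscode/extensions` is the assumed install location.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Substrings taken from the SDK names listed above; matching on a bare name is a
# heuristic assumed for this example, not a confirmed indicator list.
SDK_NAMES = ("zhuge", "growingio", "talkingdata", "baidu")
ZERO_STYLE = re.compile(r"(?:^|;)\s*(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)|display\s*:\s*none", re.I)


class IframeAudit(HTMLParser):
    """Collects the src of every iframe that renders with no visible area."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        zero_attr = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
        if zero_attr or ZERO_STYLE.search(a.get("style", "")):
            self.hidden.append(a.get("src", ""))


def audit_webview(name, html):
    """Return (file, finding, detail) tuples for one webview HTML document."""
    parser = IframeAudit()
    parser.feed(html)
    findings = [(name, "hidden-iframe", src) for src in parser.hidden]
    lowered = html.lower()
    findings += [(name, "analytics-sdk", sdk) for sdk in SDK_NAMES if sdk in lowered]
    return findings


def audit_dir(root):
    """Audit every .html file under an extensions directory, e.g. ~/.vscode/extensions."""
    out = []
    for path in Path(root).expanduser().rglob("*.html"):
        out += audit_webview(str(path), path.read_text(errors="ignore"))
    return out


# Constructed sample webview; hosts use the reserved .invalid TLD.
SAMPLE = """<div id="chat"></div>
<iframe src="https://tracker.example.invalid/t.html" style="width:0;height:0;border:0"></iframe>
<iframe src="https://docs.example.invalid/help" width="600" height="400"></iframe>
<script src="https://cdn.example.invalid/growingio-sdk.js"></script>"""
```

Webviews assembled from strings inside bundled JavaScript are not covered by the `.html` walk and need the same check applied to the extracted markup.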
Exploitation of Undocumented and Hidden Extension Functionality
A critical enabler of these attacks is the exploitation of undocumented and hidden functionalities within the VSCode extension architecture. The malicious extensions leverage the permissive nature of the VSCode Marketplace, which allows publishers to distribute extensions with minimal oversight or code review. By embedding malicious code within seemingly legitimate features, such as AI-powered code assistance, the attackers are able to evade detection during the initial installation and usage phases (BleepingComputer).
The extensions do not disclose their data collection activities or seek user consent for the transmission of sensitive information to remote servers. This lack of transparency is compounded by the use of obfuscated code and encrypted communication channels, which further hinder detection by traditional security tools or manual inspection.
Moreover, the extensions are designed to blend in with the rapidly growing category of AI coding assistants, making them attractive to developers seeking productivity enhancements. The attackers exploit this trend by offering genuine AI functionality alongside the malicious payload, increasing the likelihood of widespread adoption and persistent presence within developer environments.
Risks to Confidentiality and Organizational Security
The technical mechanisms described above have far-reaching implications for the confidentiality and security of developer data. The types of information at risk include:
- Proprietary source code and intellectual property
- Configuration files containing sensitive operational parameters
- Cloud service credentials and API keys stored in .env files
- Internal documentation and project plans
The exposure of such data can lead to a cascade of security incidents, including unauthorized access to cloud resources, intellectual property theft, and the compromise of downstream applications and services. The attackers’ ability to selectively harvest files and profile users increases the likelihood of targeted attacks against high-value individuals or organizations.
Furthermore, the integration of spyware infrastructure and analytics SDKs creates a persistent surveillance capability within the developer’s environment. This not only undermines individual privacy but also poses systemic risks to the software supply chain, as compromised extensions can serve as vectors for broader attacks against interconnected systems and platforms.
The ongoing presence of these malicious extensions on the VSCode Marketplace, despite public disclosure and media coverage, highlights the challenges faced by platform providers in detecting and mitigating sophisticated supply chain threats. As of January 23, 2026, both identified extensions remained available for download, underscoring the need for enhanced security controls and user vigilance (BleepingComputer).
Note: All information in this report is derived from the latest available sources as of January 23, 2026, including BleepingComputer.
Final Thoughts
The saga of malicious AI extensions on the VSCode Marketplace is a wake-up call for developers and organizations alike. As AI-powered tools become more deeply woven into our workflows, attackers are exploiting both the technology and the trust we place in open marketplaces. The blend of real-time data theft, bulk file harvesting, and covert user profiling demonstrates a new level of sophistication in supply chain attacks (BleepingComputer).
For anyone relying on third-party extensions, this incident underscores the importance of scrutinizing permissions, monitoring network activity, and advocating for stronger marketplace oversight. As the boundaries between productivity and risk blur, staying informed and proactive is the best defense against the next wave of stealthy, AI-driven threats.
References
- Malicious AI extensions on VSCode Marketplace steal developer data. (2026, January 23). BleepingComputer. https://www.bleepingcomputer.com/news/security/malicious-ai-extensions-on-vscode-marketplace-steal-developer-data/