
Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly known as Clawdbot) on the official extension marketplace. The extension claims to be a free artificial intelligence (AI) coding assistant, but it secretly drops a malicious payload on compromised hosts.
The extension was named “ClawdBot Agent – AI Coding Assistant” (“clawdbot.clawdbot-agent”) and has since been removed by Microsoft. It was published on January 27, 2026 by a user named ‘clawdbot’.
Moltbot has grown significantly and has over 85,000 stars on GitHub at the time of writing. Created by Austrian developer Peter Steinberger, this open-source project allows users to run a personal AI assistant powered by large language models (LLMs) locally on their device and interact with it through existing communication platforms such as WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, and WebChat.
The most important thing to note here is that Moltbot does not have a genuine VS Code extension. This means that the attackers behind the operation tried to take advantage of the tool’s growing popularity to trick unsuspecting developers into installing it.

This malicious extension is designed to run automatically every time the integrated development environment (IDE) is launched and secretly retrieve a file named “config.json” from an external server (“clawdbot.getintwopc[.]site”) to run a binary named “Code.exe” that deploys legitimate remote desktop programs such as ConnectWise ScreenConnect.
The application then connects to the URL “meeting.bulletmailer[.]net:8041”, which allows the attacker persistent remote access to the compromised host.
“The attacker set up their own ScreenConnect relay server, generated a preconfigured client installer, and distributed it through a VS Code extension,” said Aikido researcher Charlie Eriksen. “Once a victim installs the extension, they receive a fully functional ScreenConnect client that instantly makes calls to the attacker’s infrastructure.”
Additionally, the extension includes a fallback mechanism that retrieves the DLLs listed in “config.json” and sideloads them to retrieve the same payload from Dropbox. A DLL (‘DWrite.dll’) written in Rust ensures that ScreenConnect clients are delivered even if the command and control (C2) infrastructure becomes inaccessible.
This is not the only backup mechanism built into the extension for payload delivery. The fake Moltbot extension also embeds a hard-coded URL to retrieve the executable file and sideloaded DLLs. The second alternative uses a batch script to retrieve the payload from another domain (“darkgptprivate[.]com”).
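A triage sketch for the indicators described above, added here as an example and not taken from Aikido's research or the Moltbot project: it walks a VS Code extensions directory (by default `~/.vscode/extensions`) and flags the extension ID and the three domains named in this article. Assumptions: the startup check uses VS Code's standard `*` and `onStartupFinished` activation events, since the article does not say which one the extension declared, and the fixture directories, version number and JavaScript are constructed.

```python
import json, tempfile
from pathlib import Path

# Indicators taken from the article, stored defanged and refanged only in memory.
BAD_IDS = {"clawdbot.clawdbot-agent"}
BAD_HOSTS = [h.replace("[.]", ".") for h in (
    "clawdbot.getintwopc[.]site", "meeting.bulletmailer[.]net", "darkgptprivate[.]com")]
STARTUP_EVENTS = {"*", "onStartupFinished"}  # assumption: fires on every IDE launch
SCAN_SUFFIXES = {".js", ".json", ".bat", ".cmd"}

def audit_extensions(root):
    """Return {extension_id: [findings]} for each extension directory under root."""
    report = {}
    for manifest in sorted(Path(root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            report[manifest.parent.name] = ["unreadable manifest"]
            continue
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        findings = ["known-bad extension id"] if ext_id in BAD_IDS else []
        if STARTUP_EVENTS & set(meta.get("activationEvents") or []):
            findings.append("activates at startup")
        for f in sorted(manifest.parent.rglob("*")):
            if f.is_file() and f.suffix.lower() in SCAN_SUFFIXES:
                text = f.read_text(encoding="utf-8", errors="ignore")
                findings += [f"references {h} in {f.name}" for h in BAD_HOSTS if h in text]
        if findings:
            report[ext_id] = findings
    return report

def build_sample(root):
    """Constructed fixtures: one extension shaped like the article's, one benign."""
    bad_js = "fetch('https://" + BAD_HOSTS[0] + "/config.json')"
    for publisher, name, event, js in (
            ("clawdbot", "clawdbot-agent", "onStartupFinished", bad_js),
            ("example", "linter", "onLanguage:python", "console.log('lint')")):
        d = Path(root, f"{publisher}.{name}-0.0.1")
        d.mkdir(parents=True)
        manifest = {"publisher": publisher, "name": name, "activationEvents": [event]}
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        (d / "extension.js").write_text(js, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(json.dumps(audit_extensions(tmp), indent=2))
```

Startup activation on its own is common among legitimate extensions, so treat it as a prioritisation signal; the ID and domain matches are the findings that warrant immediate response.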
Moltbot security risks
The disclosure comes after security researcher and Dvuln founder Jamison O’Reilly discovered hundreds of unauthorized Moltbot instances online, exposing configuration data, API keys, OAuth credentials, and private chat conversation history to unauthorized parties.
“The real issue is that Clawdbot agents have power of attorney,” O’Reilly explained. “You can send messages on behalf of users in Telegram, Slack, Discord, Signal, and WhatsApp. You can run tools and execute commands.”
This opens the door to scenarios where attackers can impersonate operators and access contacts, inject messages into ongoing conversations, modify agent responses, and exfiltrate sensitive data without their knowledge. More importantly, attackers can distribute backdoor Moltbot “skills” via MoltHub (formerly known as ClawdHub) to perform supply chain attacks and siphon sensitive data.

Intruder said in a similar analysis that it observed widespread misconfigurations leading to credential leaks, prompt injection vulnerabilities, and compromised instances across multiple cloud providers.
“The core problem lies in the architecture: Clawdbot prioritizes ease of deployment over a secure configuration by default,” Intruder security engineer Benjamin Marr said in a statement. “Non-technical users can launch instances and integrate sensitive services without encountering security friction or validation. There are no mandatory firewall requirements, credential validation, and sandboxing of untrusted plugins.”
We recommend that users running Clawdbot in the default configuration audit their configuration, revoke all connected service integrations, review exposed credentials, implement network controls, and monitor for indicators of compromise.
