
Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants, but also have secret capabilities that siphon developer data to servers based in China.
These extensions have been installed a total of 1.5 million times and are still available for download from the official Visual Studio Marketplace. They are:
ChatGPT – Chinese version (ID: whensunset.chatgpt-china) – 1,340,869 installations
ChatGPT – ChatMoss (CodeMoss) (ID: zhukunpeng.chat-moss) – 151,751 installations

Koi Security says these extensions are functional and work as expected, but they also capture every file opened and every source code change and send them to servers located in China, without the user’s knowledge or consent. The campaign has been codenamed MaliciousCorgi.
“Both contain the same malicious code and are running the same spyware infrastructure under different publisher names,” said security researcher Tubal Admoni.
What makes this activity especially dangerous is that the extensions work as advertised, providing autocomplete suggestions and explaining coding errors, which avoids raising red flags and reduces user suspicion.
At the same time, the embedded malicious code is designed to read the entire contents of all opened files, encode them in Base64, and send them to a server located in China (aihao123[.]cn). This process is triggered on every edit.
The extension also includes a real-time monitoring feature that can be triggered remotely by the server to exfiltrate up to 50 files from the workspace. The extension’s web view also contains a hidden zero-pixel iframe that loads four commercial analytics software development kits (SDKs) to fingerprint the device and build extensive user profiles.
The four SDKs used are Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, all leading data analytics platforms based in China.
PackageGate flaws affect JavaScript package managers
The disclosure comes after the supply chain security firm announced it had identified six zero-day vulnerabilities in JavaScript package managers, including npm, pnpm, vlt, and Bun. These vulnerabilities can be exploited to defeat security controls intended to prevent the automatic execution of lifecycle scripts during package installation. The defects are collectively known as PackageGate.
Defenses such as disabling lifecycle scripts (`--ignore-scripts`) and committing lockfiles (`package-lock.json`) have become important mechanisms against supply chain attacks, particularly in the aftermath of Shai-Hulud, which leveraged post-install scripts to spread in a worm-like manner, hijacking npm tokens and publishing malicious versions of packages to the registry.
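The two defenses named above can be audited mechanically: list every dependency that declares an install-time lifecycle script, and flag lockfile entries that carry no integrity hash. This is an added example, not code from the article or from Koi Security; the package manifests and lockfile below are constructed inline in the shape of `package.json` and a `lockfileVersion` 2/3 `package-lock.json`.

```javascript
// Hooks that npm-compatible package managers run automatically at install time.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Return the packages that declare install-time lifecycle scripts.
// `manifests` maps a package path (e.g. "node_modules/foo") to its package.json.
function findLifecycleScripts(manifests) {
  const hits = [];
  for (const [path, pkg] of Object.entries(manifests)) {
    const scripts = pkg.scripts || {};
    for (const hook of LIFECYCLE) {
      if (typeof scripts[hook] === "string" && scripts[hook].trim() !== "") {
        hits.push({ path, hook, command: scripts[hook] });
      }
    }
  }
  return hits;
}

// Return lockfile entries (the "packages" map of lockfileVersion 2/3) that lack
// an integrity hash or a resolved URL; such entries cannot be verified on fetch.
function findUnpinnedEntries(lockfile) {
  const problems = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue;   // root project entry, nothing is fetched
    if (entry.link) continue;    // workspace symlink, nothing is fetched
    if (!entry.integrity || !entry.resolved) problems.push(path);
  }
  return problems;
}

// Constructed sample data (names, URLs and hash are placeholders).
const sampleManifests = {
  "node_modules/left-pad-ish": { name: "left-pad-ish", version: "1.0.0" },
  "node_modules/evil-helper": { name: "evil-helper", version: "2.1.0",
    scripts: { postinstall: "node ./setup.js", test: "jest" } },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/left-pad-ish": { version: "1.0.0",
      resolved: "https://registry.example/left-pad-ish-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDERHASH" },
    "node_modules/evil-helper": { version: "2.1.0",
      resolved: "https://registry.example/evil-helper-2.1.0.tgz" },
  },
};

console.log("lifecycle scripts:", findLifecycleScripts(sampleManifests));
console.log("unpinned lockfile entries:", findUnpinnedEntries(sampleLock));
```

On a real project, build `manifests` by reading each `node_modules/*/package.json` and pass the parsed `package-lock.json` as `lockfile`; a non-empty result from either function is a review item before running an install without `--ignore-scripts`.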

However, Koi discovered that all four package managers could be made to bypass both the script execution restrictions and the lockfile integrity checks. Following responsible disclosure, the issue has been resolved in pnpm (version 10.26.0), vlt (version 1.0.0-rc.10), and Bun (version 1.3.5). pnpm is tracking its two vulnerabilities as CVE-2025-69264 (CVSS score: 8.8) and CVE-2025-69263 (CVSS score: 7.5).
npm, however, chose not to fix the vulnerability, stating that “users are responsible for scrutinizing the contents of the packages they choose to install.” Hacker News has reached out to npm/GitHub for further comment. I will update the article if I receive a response.
“The standard advice of disabling scripts and committing lock files is still worth following,” security researcher Oren Yomtov said. “But that’s not the whole picture. Until PackageGate is fully addressed, organizations will need to make their own informed choices about risk.”
