Fake Moltbot AI Coding Assistant on VS Code Marketplace Distributes Malware

Cybersecurity researchers have uncovered a malicious Visual Studio Code extension that impersonated Moltbot, previously known as Clawdbot, and secretly installed malware on developer systems. The fake extension was distributed through Microsoft’s official VS Code Marketplace and falsely advertised itself as a free AI-powered coding assistant.

The extension, listed as “ClawdBot Agent, AI Coding Assistant” with the identifier clawdbot.clawdbot-agent, was published on January 27, 2026 by an account named “clawdbot”. Microsoft has since removed it from the marketplace after confirmation of malicious activity.

Abuse of Moltbot’s Growing Popularity

Moltbot has gained significant attention within the developer community, surpassing 85,000 GitHub stars. Created by Austrian developer Peter Steinberger, the open source project enables users to run a personal AI assistant locally and interact with it through platforms such as WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, and Google Chat.

A critical detail is that Moltbot does not offer any official VS Code extension. Threat actors exploited this gap by publishing a convincing fake extension, targeting developers searching for Moltbot-related tools.

How the Malware Operates

Once installed, the malicious extension automatically executes each time VS Code launches. It retrieves a remote configuration file named config.json from an external server and then runs a binary called Code.exe. This executable installs a legitimate remote access tool, ConnectWise ScreenConnect, giving attackers persistent control over the infected system.

After installation, the malware connects to a remote server at meeting.bulletmailer[.]net:8041, allowing unauthorized remote access. According to security researchers, the attackers operated their own ScreenConnect relay infrastructure and delivered preconfigured client installers through the extension.

Multiple Fallback Payload Delivery Methods

To ensure reliability, the attackers implemented several backup mechanisms. If the primary server is unreachable, the extension retrieves a malicious DLL named DWrite.dll, written in Rust, and sideloads it to fetch the payload from Dropbox.

Further analysis revealed that Code.exe loads the malicious DLL through DLL sideloading when both files exist in the same directory. Additional hard-coded URLs and batch scripts were also embedded in the extension to download payloads from alternate domains such as darkgptprivate[.]com.
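
A host triage check built from the indicators above, as an added example that is not code from the researchers or from the original article: it looks for the extension ID clawdbot.clawdbot-agent in a VS Code extensions folder and for any directory holding both Code.exe and DWrite.dll. It assumes the standard extension layout (one folder per extension, each with a package.json carrying publisher and name); the directory tree built in demo(), including the version numbers, is constructed.

```python
import json
import os
import tempfile
from pathlib import Path

# Indicators taken from the article text.
BAD_EXTENSION_ID = "clawdbot.clawdbot-agent"
SIDELOAD_PAIR = frozenset({"code.exe", "dwrite.dll"})

def find_fake_extension(ext_root):
    """Return extension folders whose <publisher>.<name> is the reported ID."""
    hits = []
    for manifest in Path(ext_root).glob("*/package.json"):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
        except (OSError, ValueError, KeyError, TypeError):
            continue  # unreadable, malformed or incomplete manifest
        if ext_id == BAD_EXTENSION_ID:
            hits.append(manifest.parent)
    return sorted(hits)

def find_sideload_pairs(search_root):
    """Return directories that hold both Code.exe and DWrite.dll (any case)."""
    return sorted(
        Path(dirpath)
        for dirpath, _dirs, files in os.walk(search_root)
        if SIDELOAD_PAIR <= {name.lower() for name in files}
    )

def demo():
    """Run both checks over a constructed directory tree (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_root, drop = Path(tmp, "extensions"), Path(tmp, "drop")
        for folder, publisher, name in [
            ("clawdbot.clawdbot-agent-0.0.0", "ClawdBot", "clawdbot-agent"),
            ("example.benign-1.0.0", "example", "benign"),
        ]:
            (ext_root / folder).mkdir(parents=True)
            manifest = json.dumps({"publisher": publisher, "name": name})
            (ext_root / folder / "package.json").write_text(manifest)
        drop.mkdir()
        for filename in ("Code.exe", "DWrite.dll"):
            (drop / filename).write_bytes(b"")
        return ([p.name for p in find_fake_extension(ext_root)],
                [p.name for p in find_sideload_pairs(tmp)])

if __name__ == "__main__":
    print(demo())
```

On a real host, point find_fake_extension at the user's VS Code extensions folder (commonly ~/.vscode/extensions) and find_sideload_pairs at user-writable locations; a hit is a lead for review, not a verdict.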

Broader Security Risks Linked to Moltbot

Separately, security researchers identified hundreds of exposed Moltbot instances online due to reverse proxy misconfigurations. These issues allowed unauthenticated access to sensitive data, including API keys, OAuth credentials, configuration files, and private chat histories.

The problem stems from Moltbot’s design, which automatically trusts local connections. When deployed behind misconfigured reverse proxies, external internet traffic is mistakenly treated as trusted local access.

Because Moltbot agents can send messages on behalf of users and execute commands across multiple communication platforms, attackers could impersonate users, inject messages, alter responses, and exfiltrate sensitive data. There is also a risk of supply chain attacks through malicious skills distributed via MoltHub.

Industry Warnings and Expert Insights

Security firms including Intruder, 1Password, Hudson Rock, and Token Security have raised concerns about Moltbot’s default security posture. Experts highlight the lack of enforced firewall rules, credential validation, plugin sandboxing, and secure storage practices.

Token Security reported that over 22 percent of its customers have employees actively using Moltbot. The platform stores credentials and long-term memory in plaintext, making it a high-value target for infostealer malware.

1Password warned that modern infostealers can quickly extract API keys, tokens, logs, and conversation history stored in known directories. Hudson Rock also observed malware families like RedLine, Lumma, and Vidar adapting to specifically target Moltbot data structures.

Researchers describe this threat as more than data theft, calling it Agent Hijacking and Cognitive Context Theft, where attackers can poison agent memory and manipulate AI-driven workflows.


