Cybersecurity researchers have uncovered two malicious Microsoft Visual Studio Code extensions that present themselves as AI-powered coding assistants but secretly collect and exfiltrate developers’ source code to servers based in China.
The extensions, which together have reached more than 1.5 million installs and remain available on the official Visual Studio Marketplace, are listed as ChatGPT – 中文版 and ChatGPT – ChatMoss (CodeMoss). Despite appearing legitimate, both extensions were found to contain hidden surveillance functionality.
According to Koi Security, the extensions perform their advertised features correctly, including code autocompletion and error explanations. However, they simultaneously monitor every file opened in the editor and capture all source code changes, transmitting this data to external servers without user awareness or consent. The operation has been named MaliciousCorgi.
Stealthy Data Exfiltration and User Tracking
Security researchers confirmed that both extensions contain identical malicious code operating under different publisher identities. Their effectiveness lies in their ability to function normally, which significantly reduces suspicion among users.
The embedded spyware reads the full contents of each opened file, encodes the data in Base64 format, and sends it to a remote server located in China. This process is triggered automatically with every code edit.
In addition, the extensions include a remote monitoring capability that allows attackers to command the exfiltration of up to 50 files from a developer’s workspace in real time. A concealed zero-pixel iframe embedded in the extension’s web view also loads multiple analytics SDKs to fingerprint devices and build detailed user profiles.
The analytics platforms involved include Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, all of which are major China-based data analytics services.
PackageGate Vulnerabilities Expose Supply Chain Risks
The discovery coincides with the identification of six zero-day vulnerabilities affecting JavaScript package managers such as npm, pnpm, vlt, and Bun. These flaws, collectively named PackageGate, allow attackers to bypass protections designed to prevent the automatic execution of lifecycle scripts during package installation.
Security controls like disabling install scripts and enforcing lockfiles have become critical defenses against supply chain attacks, particularly after recent malware campaigns abused post-install scripts to spread malicious packages.
Koi Security reported that these safeguards can still be circumvented across multiple package managers. Following responsible disclosure, fixes have been released for pnpm, vlt, and Bun. Two of the vulnerabilities tracked in pnpm have been assigned CVE identifiers with high severity scores.
Npm has stated that it does not plan to issue a fix, emphasizing that users are responsible for evaluating the safety of packages they install. GitHub has acknowledged the issue and said it continues to actively scan the registry for malicious activity.
Ongoing Supply Chain Security Challenges
GitHub has also reiterated its push for stronger supply chain protections, including trusted publishing, granular access tokens, and mandatory two-factor authentication. Recent changes include deprecating legacy tokens, shortening token lifetimes, and removing the option to bypass 2FA during local package publishing.
Security experts warn that while existing best practices remain important, they are not sufficient on their own. Until PackageGate-related weaknesses are fully mitigated, organizations must carefully assess the risks associated with third-party dependencies and development tools.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
