MaliciousCorgi: Two VS Code AI Extensions Steal Developer Data

Two Visual Studio Code extensions posing as helpful AI coding assistants have been linked to mass data theft that may have affected more than 1.5 million installs, with researchers saying the add-ons quietly uploaded whole files and workspace data to attacker-controlled servers in China.

Background / Overview​

Security researchers at Koi Security analyzed a pair of VS Code Marketplace extensions that delivered the promised AI features while simultaneously performing undisclosed data collection and exfiltration. The two listings reported in public reporting are ChatGPT – 中文版 (published by WhenSunset, ~1.34 million installs) and ChatMoss (CodeMoss) (published by zhukunpeng, ~150k installs). Koi and follow-up coverage say both plug-ins share the saucture and were observed sending harvested data to the same backend servers.
At a technical level, the researchers describe the campaign as MaliciousCorgi: a set of extensions that behave as functional AI assistants to lower suspicion, but incorporate three distinms that combined make the operation particularly dangerous for developers and organizations. The story surfaced publicly in late January 2026 and attracted rapid coverage from security outlets.

---

How the extensions worked: a technical breakdown​

These extensions were not trivial adware or simple telemetry collectors. According to the published analysis, the malicious behavior is deliberate, multi-modal, and designed to be stealthy.

1. Real-time file monitoring and exfiltration​

• The extension monitors files as soon as they are opened in the VS Code editor.
• It reads the entire file contents, encodes them in Base64, and sends that blob into a hidden webvracking iframe—effectively siphoning whole source files the moment a developer opens them.
• The behavior captures not just small snippets but full files (not “20 lines” or partial context), including configuration files, .env files, private keys, and credentials if present.

2. Server-controlled bulk harvests​

• A second mechanism lets the attacker issue a remote command that instructs the extension to stealthily exfiltrate up to 50 files from the victim’s active workspace at once.
• This is a server-driven capability, meaning the attacker can request broad grabs of a developer’s project files, not just what the user has opened.

3. Hidden analytics SDKs and telemetry-based profiling​

• The extensions used a zero-pixel iframe inside the webview to load commercial analytics SDKs (reported examples include Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics).
• Those SDKs can finfile user behavior, and build persistent identifiers that link activity across sessions and machines—turning file theft into an identity-rich dataset that can be correlated with other telemetry. ([bleepingcomputer.com](Malicious AI extensions on VSCode Marketplace steal developer data

Taken together, these mechanisms move beyond opportunistic scraping and toward targeted intellectual property and credential theft at scale: whole files, workspace artifacts, tokens encoded in URLs or environment files, and behavior telemetry that aids re-identification and prioritization of high-value victims.

---

Why this matters: risk vectcomes​

The practical consequences are severe for individual developers and organizations.

• Source code and IP theft: full files were sent off-host. That can expose proprde secrets, and unredacted customer data contained in code or configuration.
• Credential and secret exposure: leaked .env files, API keys, SSH keys, and cloud credentials enable unauthorized access, lateral movement, and supply-chain abuse.
• Token-based account takeover: URLs and query strings can contain session toentials; harvesting full tab URLs makes token theft possible.
• Targeted phishing and social engineering: conversation and behavior telemetry allow attackers to craft convincing spear-phishing or business-email-compromise messages.
• Commercialization and resale of captured data: the presence of analytics SDKs and opaque privacy-policy language raises the believable risk that harvested data could be monetized or sold to third parties—though concrete evidence of downstream buyers may be incomplete in public reporting and should be treated cautiously.

Independent news and follow-up reporting confirm the core mechanics and install counts reported by Koi: major security outlets documented the exfiltration pathways and the reported combined install base of roughly 1.5 million users for the two malicious VS Code extensions.

---

Marketplace and review failures: how did these listings get so far?​

The incident exposes systemic weaknesses in extension and marketplace vetting:

• Runtime-only behavior: the most damaging behavior triggers only when specific runtime conditions are met (opening a file in the editor; responding to a server command), which makes static listing reviews insufficient to detect the malicious code path. Koi's analysis shows the exfiltration happens in live contexts rather than being present as an obvious manifest permission alone.
• Trust sng: in parallel incidents involving browser extensions, researchers found “Featured” badges and large install counts on extensions later found to be exfiltrating AI chat data—underlininnals are not guarantees of safety. The same pattern applies across extension ecosystems.
• Auto-update and publisher strategies: previous campaigns have demonstrated how auto-updates and cross-listing can convert a benign-looking extension into a surveillance tool without users reconsenting. The MaliciousCorgi campaign leverages similar dynamics: legitimate functionality plus hidden exfiltration.

These structural gaps—static review, limited runtime analysis, and overreliance on badges—make extension ecosystems attractive supply chains for scalable espionage and data harvesting.

---

Corroboration and independent context​

This is not an isolated class of failure. Over the last 18 months security researchers documented multiple large-scale extension and marketplace campaigns that used similar techniques to harvest sensitive data or deliver infostealers to developer systems. Notable examples include:

• The “Glassworm” campaign, which targeted VS Code–compatible marketplaces and used obfuscation and downloader payloads and plant loaders.
• Large families of browser extensions that harvested AI chat cossions at scale, with combined installs in the millions—demonstrating the same operational pattern (executor scripts, API hooking, background exfiltration, and misuse of telemetry/analytics).

Together, these incidents illustrate a recurring playbook: build trust with a useful product, request broad runtime permissions, then introduce malicious behavior that activates only in specific page or runtime contexts.

---

What we can verify and what remains uncertain​

• Verified and well-supported:
• Koi Security’s technical description of the three exfiltration mechanisms and the code artifacts showing file reads and webview-based upload behavior.
• Public install counters for the two marketplace listings that show the large user base reime.
• The presence of third-party analytics SDKs embedded in the extensions’ webviews (Zhuge.io, GrowingIO, TalkingData, Baidu Analytics) as part of the telemetchain.
• Claims requiring caution:
• Whether captured data was actively sold to specific third parties or data brokers. Koi’s reporting and the extensions’ privacy policy language suggest sharing with affiliated analytics partners, but public forensic confirmation of downstream buyers is not yet exhaustively documented—treat claims of sales as plausible but not fully proven by public evidence.
• The absolute number of actively compromised developer machines: public install tallies are an imperfect proxy because they include inactive installs, synced devices, and multi-profile counts. Forensically precise infection counts require telemetry from targeted networks or coordinated EDR/endpoint investigations.

---

Practical remediation: an urgent checklist for Windows users and IT teams​

If you or your organization installed one of these extensions—or any untrusted VS Code extension that requests broad access—assume potential compromise and actg steps are prioritized and practical.

Immediate steps for individual developers (do these now)​

• Open VS Code and remove/uninstall any suspicious or untrusted extensions—search for names that match the alerts and for unknown publishers.
• Rotate exposed secrets: revoke andvice tokens, and SSH keys that may have been present on the device or in open files while the extension was installed.
• Change passwords for critical accounts used on the device and enable multi-factor authentication (MFA) where available.
• Scan your machine with reputable endpoint protection and check for other signs of compromise (unexpected processes, scheduled tasks, new services).
• Review recent projects and chat history for any pasted secrets you may have used during the exposure window; treat those items as compromised and rotate them.

Short-term actions for IT and security teams​

• Implement an immediate extension inventory: identify endpoints with the suspect extensions for extension IDs, publisher names, and file hashes. Koi published extension identifiers that can be used as IoCs.
• Use Group Policy, Microsoft Intune, or browser/IDE management tools to enforce a default-deny policy for extensions and allowlist only approved, vetted add-ons.
• Hunt in EDR, proxy logs, and network telemetry for outbound connections to the IoCs reported in research and block those domains at the network perimeter while you investigate.
• keys, service credentials, or tokens that may have been posted into development files or AI chats by employees on affected hosts.
• Conduct a focused forensics sweep on high-value developer machines and CI/build agents: these hosts are high-priority because they have keys, deployment credentials, and access to source repositories.

Medium-term controls​

• Restrict extension installation via policy and require administrative approval for new extensions.
• Add telemetry and alerts for anomalous file reads by extension processes (e.g., large Base64 encodes or sudden network uploads originating from IDE processes).
• Educate developers on the risks of runsions on corporate devices and the need to keep sensitive work off unmanaged tools and personal profiles.

---

Defensive architecture and marketplace responsibilities​

These incidents should prompt marketplace operators and platform owners to recali enforcement models:

• Mandatory runtime analysis: marketplaces should require dynamic behavioral testing (sandboxed execution with simulated user actions) for extensions requesting broad host or file access.
• Prominent consent: if an extension collects AI inputs/outputs or full-file data, the install-time consent screen must clearly state what will be collected, where it will be sent, and whether it may be shared with third parties—buried privacy-policy language is insufficient.
• Faster takedowns and publisher accountability: market operators must act rapidly on high-confidence abuse reports, force-push updates that remove malie publisher verification metadata so customers can make informed decisions.

Regulators and enterprise buyers should also consider tighter procurement rules: mandate security reviews of developer tools, require vendor attestations about telemetry and data handling, and treat unmanaged extensions as a supply-chain risk that deserves explicit contractual controls.

---

Critical assessment: strengths and blind spots in the reporting​

What the reporting does well:

• The technical analyses (Koi’ndent outlet coverage) provide reproducible evidence of file reads, Base64 uploads, and server-directed bulk exfiltration—these are concrete, verifiable behaviors described in code snippets and telemetry.
• Multiple independent outlets corroborated the install counts andtics SDKs, increasing confidence that the behavior was not a single-researcher false positive.

Where caution is warranted:

• Public reporting reasonably uses store install counters as a proxy for exposure; however, these numbers are not precise forensic counts of compromised endpoints. Organizations must conduct internal scans rather than relying solely on headline numbers.
• Assertions about sales of harvested data to named brokers are plausible given privacy-policy language, but the chain of custody for such sales is not always visible in open reporting. Treat monetization claims as plausible leads pending forensic or legal confirmation.

---

Longer-term implications for developers and enterprises​

This incident underscores a growing reality: developer tooling ecosysrgets because they provide access to high-value artifacts (source code, tokens, deployment scripts). The ease of publishing extensions coupled with automatic updates creates a powerful attack surface for both opportunistic criminals and state-level actors seeking IP or credentials.
Enterprises must update their threat models to consider the IDE and extension layer as part of their attack surface. That means:

• Applying the same rigour to developer tool procurement as to third-party cloud services.
• Treating any tool that can read or upload files as a high-risk component that requires explicit approvals, scanning, and runtime isolation.
• Investing in telemetry that correlates IDE activity with network egress and data-access patterns so suspicious uploads are detected early.

---

Conclusion​

The MaliciousCorgi case—two VS Code Marketplace extensions that functioned as working AI assistants while exfiltrating full files and workspace artifacts—is a stark reminder that convenience and trust signals are not substitutes for runtime security. The techniques used (real-time file reads, server-controlled bulk theft, and embedded analytics SDKs) are efficient and stealthy, and they target precisely the assets developers and organizations most want to protect: source code, credentials, and deployment artifacts.
For individuals, the immediate priorities are removal, credential rotation, and cautious incident response. For enterprises and marketplace operators, the incident demands stronger runtime analysis, policy-driven extension management, and faster enforcement to prevent high-scale data harvesting from becoming an endemic problem. Until marketplaces and customers bridge the verification gap, developers should assume that any unvetted extension that can read files is a potential vector for data loss—and act accordingly.

---

Source: TechRadar Malicious Microsoft AI extensions might have hit over 1.5 million users