PROBABLYPWNED
Malware | January 25, 2026 | 3 min read

VSCode Extensions With 1.5M Installs Exfiltrate Code to China

Two AI coding assistants on Microsoft's marketplace steal source code and credentials in real-time. Extensions use hidden iframes and analytics SDKs to profile developers.

James Rivera

Two malicious extensions on Microsoft's Visual Studio Code Marketplace have been quietly exfiltrating developer source code and credentials to servers in China. Combined, the extensions have over 1.5 million installations.

Security researchers at Koi identified the campaign, which they've dubbed "MaliciousCorgi." Unlike the GlassWorm attacks targeting macOS developers via Open VSX, these extensions operated directly within Microsoft's official marketplace, exploiting the trust developers place in the platform.

The Extensions

  • ChatGPT – 中文版 (publisher: WhenSunset) - 1.34 million installs
  • ChatMoss/CodeMoss (publisher: zhukunpeng) - 150,000 installs

Both extensions advertise themselves as AI-powered coding assistants, and they actually deliver that functionality. The legitimate features masked the data theft happening underneath.

How the Theft Works

Koi researchers identified three distinct data collection mechanisms operating simultaneously:

Real-time file monitoring: "The moment you open any file—not interact with it, just open it—the extension reads its entire contents, encodes it as Base64, and sends it to a webview" containing a hidden tracking iframe. Simply opening a file triggers exfiltration.

Server-controlled harvesting: On command, the extensions can exfiltrate up to 50 files from a victim's workspace per activation. This allows targeted theft of specific files like configuration files, .env files containing API keys, or source code from particular directories.

Behavioral profiling: Zero-pixel iframes load four commercial analytics SDKs—Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics—to track developer behavior, fingerprint devices, and monitor editor activity.

What Gets Stolen

The extensions target high-value data:

  • Private source code (any file opened in the editor)
  • Configuration files
  • Cloud service credentials
  • .env files containing API keys and secrets
  • SSH keys and tokens

For developers working on proprietary software, the implications are severe. Source code represents intellectual property, and .env files often contain production credentials for cloud services, databases, and third-party APIs.

Broader Supply Chain Concerns

This discovery adds to a growing pattern. Earlier this month, we covered Chrome extensions stealing AI chatbot conversations and the Workday/NetSuite session hijacking campaign. Developers face supply chain risks from multiple directions.

ReversingLabs reported that malicious VSCode extension detections grew from 27 in 2024 to 105 in the first ten months of 2025—a nearly 4x increase. The trend line shows no sign of flattening.

Microsoft's marketplace review process clearly isn't catching sophisticated threats. Extensions can pass inspection with legitimate functionality while hiding data exfiltration in obfuscated code or analytics calls.

Recommendations

Organizations with developers should audit installed VSCode extensions immediately:

  1. Remove the identified extensions - Uninstall ChatGPT – 中文版 and ChatMoss/CodeMoss from all developer workstations
  2. Rotate compromised credentials - Assume any API keys or secrets in .env files may be compromised
  3. Review extension permissions - Legitimate extensions rarely need broad file system access
  4. Consider extension allowlists - Enterprise deployments can restrict which extensions developers install
  5. Monitor for data exfiltration - Network monitoring should flag unusual Base64-encoded traffic to analytics domains
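Steps 1 and 4 can be scripted against the output of `code --list-extensions --show-versions`, whose lines have the form `publisher.name@version`. The script below is an added example, not code from the article or from Koi; the two publisher names come from the article, but the extensions' exact marketplace identifiers are not given there, so it matches on the publisher segment of each id (an assumption) and on a hypothetical organization allowlist.

```python
import subprocess

# Publishers named in the MaliciousCorgi report. The article does not give the
# extensions' marketplace ids, so we match on the publisher segment of each id
# (assumption: it equals the publisher name shown on the marketplace page).
MALICIOUS_PUBLISHERS = {"whensunset", "zhukunpeng"}

# Hypothetical organisation allowlist of extension ids (publisher.name).
ALLOWLIST = {"ms-python.python", "dbaeumer.vscode-eslint"}


def parse_listing(listing: str) -> list[tuple[str, str]]:
    """Parse `code --list-extensions --show-versions` output into (id, version) pairs."""
    pairs = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or "." not in line:
            continue  # skip blank lines and anything that is not publisher.name
        ext_id, _, version = line.partition("@")
        pairs.append((ext_id.lower(), version or "unknown"))
    return pairs


def audit_extensions(listing: str, allowlist: set[str] = ALLOWLIST) -> list[tuple[str, str, str]]:
    """Return (id, version, reason) per extension that is known-bad or not allowlisted."""
    findings = []
    for ext_id, version in parse_listing(listing):
        publisher = ext_id.split(".", 1)[0]
        if publisher in MALICIOUS_PUBLISHERS:
            findings.append((ext_id, version, "malicious-publisher"))
        elif ext_id not in allowlist:
            findings.append((ext_id, version, "not-allowlisted"))
    # Known-bad publishers first so step 1 (remove) is acted on before step 4.
    return sorted(findings, key=lambda f: f[2] != "malicious-publisher")


def audit_local_install() -> list[tuple[str, str, str]]:
    """Run the real `code` CLI on this workstation and audit what it reports."""
    proc = subprocess.run(["code", "--list-extensions", "--show-versions"],
                          capture_output=True, text=True, check=True)
    return audit_extensions(proc.stdout)


# Constructed sample listing; the two flagged ids are illustrative, not real ids.
SAMPLE_LISTING = """\
ms-python.python@2024.22.0
WhenSunset.chatgpt-zh@1.9.4
some-vendor.theme-pack@0.1.0
zhukunpeng.codemoss@3.2.1
"""
```

Call `audit_local_install()` on each workstation to check the real installed set; anything reported as `malicious-publisher` is a step 1 removal, and `not-allowlisted` entries feed the step 4 allowlist review.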

The MaliciousCorgi extensions demonstrate that installation counts and apparent legitimacy don't guarantee safety. With 1.5 million combined installations, these extensions were hiding in plain sight on a major platform for months.
