Cybersecurity researchers have unearthed two malicious Microsoft Visual Studio Code (VS Code) extensions, masquerading as sophisticated AI coding assistants, that secretly exfiltrate sensitive developer data to servers in China. These extensions, which collectively boast over 1.5 million installations and remain accessible on the official VS Code Marketplace, pose a significant threat to developer privacy and code security. The campaign, dubbed “MaliciousCorgi” by researchers at Koi Security, highlights the evolving landscape of AI security and the potential for AI-powered tools to be weaponized.
The compromised extensions are “ChatGPT – 中文版” (ID: whensunset.chatgpt-china) with 1,340,869 installs and “ChatGPT – ChatMoss(CodeMoss)” (ID: zhukunpeng.chat-moss) with 151,751 installs. According to Koi Security, these extensions function as advertised, offering features like code autocompletion and error explanation. However, beneath this veneer of utility lies malicious code designed to surreptitiously capture and transmit every opened file and source code modification to Chinese servers without the user’s knowledge or consent.
Malicious VS Code Extensions Steal Developer Data
Researchers discovered that both extensions contain identical malicious code, utilizing the same spyware infrastructure under different publisher identities. This dual-use nature makes them particularly insidious, as they perform their stated functions effectively, thereby reducing suspicion among users. The covert operations involve reading the content of all opened files, encoding it in Base64 format, and transmitting it to a server located at “aihao123[.]cn.” This data exfiltration is reportedly triggered with every file edit.
Furthermore, the extensions possess a real-time monitoring capability that can be remotely activated. This feature allows for the exfiltration of up to 50 files from a user’s workspace. Adding another layer to the data-gathering operation, a hidden, zero-pixel iframe within the extension’s web view loads four commercial analytics Software Development Kits (SDKs): Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics. These well-known Chinese data analytics platforms can be used to fingerprint devices and create comprehensive user profiles.
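To check a workstation for the two extension IDs named above, the following Python script is an added example (not code from Koi Security or the original article). It assumes the default extension folders `~/.vscode/extensions` and `~/.vscode-server/extensions` and the usual `publisher.name-version` folder naming; it also accepts lines pasted from `code --list-extensions --show-versions`.

```python
import re
from pathlib import Path

# Extension IDs named in the article (publisher.name form).
FLAGGED_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}

# Folder names look like "publisher.name-1.2.3" (sometimes with a platform
# suffix); `code --list-extensions --show-versions` prints "publisher.name@1.2.3".
VERSION_SUFFIX = re.compile(r"(?:@|-)\d+\.\d+\.\d+.*$")

def extension_id(entry: str) -> str:
    """Normalize a folder name or CLI output line to a lowercase extension ID."""
    return VERSION_SUFFIX.sub("", entry.strip()).lower()

def find_flagged(entries):
    """Return (entry, id) pairs whose normalized ID is in FLAGGED_IDS."""
    hits = []
    for entry in entries:
        ext_id = extension_id(entry)
        if ext_id in FLAGGED_IDS:
            hits.append((entry.strip(), ext_id))
    return hits

def scan_extension_dirs(roots):
    """Check the sub-folders of every extensions root that exists."""
    names = []
    for root in roots:
        root = Path(root).expanduser()
        if root.is_dir():
            names.extend(p.name for p in root.iterdir() if p.is_dir())
    return find_flagged(names)

# Constructed sample input (not taken from a real machine).
SAMPLE = [
    "ms-python.python-2024.2.1",
    "WhenSunset.ChatGPT-China-1.0.0-win32-x64",
    "zhukunpeng.chat-moss@3.0.1",
    "whensunset.chatgpt-china-helper-1.0.0",  # near-miss name, must not match
]

if __name__ == "__main__":
    # Assumed default locations for local and remote (SSH/WSL) installs.
    roots = ["~/.vscode/extensions", "~/.vscode-server/extensions"]
    for entry, ext_id in scan_extension_dirs(roots):
        print(f"FLAGGED: {ext_id} (found as {entry})")
```

A hit means the extension is installed on disk; uninstalling it does not undo any file contents already sent, so treat secrets in affected workspaces as exposed.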
PackageGate Vulnerabilities Expose JavaScript Package Managers
The discovery of the malicious VS Code extensions follows the earlier disclosure of six zero-day vulnerabilities found in popular JavaScript package managers. These flaws, collectively named “PackageGate,” were identified by supply chain security firm Koi Security and could be exploited to bypass security controls designed to prevent the automatic execution of lifecycle scripts during package installation. Package managers such as npm, pnpm, vlt, and Bun were affected.
Defenses like disabling lifecycle scripts using the “--ignore-scripts” flag and committing lockfiles (e.g., “package-lock.json”) are critical in combating supply chain attacks. These measures are essential, especially in light of past incidents like “Shai-Hulud,” which leveraged postinstall scripts to spread malware, hijack npm tokens, and publish compromised package versions to registries. However, Koi Security found that the PackageGate vulnerabilities allow attackers to circumvent these protections in the aforementioned package managers.
Following responsible disclosure, the vulnerabilities have since been patched in pnpm (version 10.26.0), vlt (version 1.0.0-rc.10), and Bun (version 1.3.5). pnpm is tracking two of these vulnerabilities as CVE-2025-69264 (CVSS score: 8.8) and CVE-2025-69263 (CVSS score: 7.5), indicating high severity. In contrast to the other projects, npm has opted not to fix the reported vulnerability, citing user responsibility for vetting installed packages.
A spokesperson for GitHub, which owns npm, stated that the company is actively working to address the issue, noting that npm already scans the registry for malware. The company emphasized that the behavior related to “prepare” scripts in git dependencies is intentional and functions as designed, meaning users installing from git repositories are implicitly trusting the entire contents of that repository. GitHub recommends adopting trusted publishing practices and utilizing granular access tokens with enforced two-factor authentication (2FA) to bolster software supply chain security. Notably, GitHub has deprecated legacy classic tokens and implemented stricter policies for granular tokens and 2FA bypasses.
While the advice to disable scripts and commit lockfiles remains valuable, security researchers caution that it is not a complete solution. Until the PackageGate vulnerabilities are fully remediated across all affected platforms, organizations must make informed decisions about their risk tolerance and implement additional layers of defense to protect their development pipelines from supply chain threats.

