Malicious AI extensions on VSCode Marketplace steal developer data

Two malicious extensions in Microsoft’s Visual Studio Code (VSCode) Marketplace, collectively installed 1.5 million times, exfiltrate developer data to China-based servers.

Both extensions are advertised as AI-based coding assistants and do provide the promised functionality. However, they do not disclose the upload activity or ask users for consent before sending data to a remote server.

The VS Code Marketplace is the official store for add-ons for Microsoft’s popular code editor. VS Code extensions are installable plugins from the marketplace that add features or integrate tools into the editor. One of the most popular add-on categories right now is AI-powered coding assistants.

Researchers at endpoint and supply-chain security company Koi say that the two malicious extensions are part of a campaign they dubbed 'MaliciousCorgi' and share the same code for stealing developer data.

Additionally, both of them use the same spyware infrastructure and communicate with the same backend servers. At publishing time, both are present on the marketplace:

ChatGPT – 中文版 (publisher: WhenSunset, 1.34 million installs)

ChatMoss (CodeMoss) (publisher: zhukunpeng, 150k installs)

[Image: Malicious extension on the VSCode marketplace. Source: BleepingComputer]

The extensions use three distinct data-collection mechanisms. The first involves real-time monitoring of files opened in the VS Code client. When a file is accessed, its entire contents are encoded in Base64 and transmitted to the attackers’ servers.