VSCode Marketplace Malicious Extensions and the 1.5 Million Install Risk

Two extensions on Microsoft’s Visual Studio Code (VSCode) Marketplace were flagged by security researchers for allegedly exfiltrating sensitive data to servers in China. The add-ons were positioned as AI coding assistants and, importantly, did function as promised by giving users a convenient way to access a generative AI tool while coding.

But alongside that legitimate functionality, the extensions were also described as quietly uploading user data to a third-party server without disclosing it to users. Combined, the two extensions reportedly exceeded 1.5 million installs, raising the concern that a large number of developers and organizations could have had source code or other sensitive files exposed.

Extensions Identified: ChatGPT – 中文版 and ChatMoss (CodeMoss)

Security researchers at Koi Security said they identified the following VSCode Marketplace add-ons as part of the activity:

ChatGPT – 中文版 (Publisher: WhenSunset)

This extension reportedly had 1.34 million installs. It was presented as a way to access an AI assistant directly inside VSCode, which makes it easy to see why developers would install it: fewer tabs, faster workflows, and “help” right where you write code.

ChatMoss (CodeMoss) (Publisher: zhukunpeng)

This extension reportedly had about 150,000 installs. Like the other extension, it was framed as an AI-based coding helper, blending in with the flood of AI developer tools that all promise the same thing: speed and convenience.

MaliciousCorgi Campaign Attribution

Koi Security said both extensions were part of a campaign they referred to as “MaliciousCorgi,” and that both were sending stolen data to the same server.

What Data Exfiltration Looked Like Inside VSCode

The researchers described three distinct mechanisms used to siphon data out of the VSCode environment. And this is the part that should make your stomach drop a bit, because it’s not just “telemetry” or “usage stats.” It’s file content.

Real-Time File Monitoring and Base64 Exfiltration

The first method described is real-time monitoring of files opened in the VSCode client. The claim is blunt: simply opening a file triggered the extension to read its contents, encode the contents in Base64, and relay it onward via a webview containing a hidden tracking iframe.

Koi Security’s description emphasizes that it wasn’t limited to snippets or partial reads—opening the file alone was enough to transmit the entire file contents.

Server-Controlled Command to Steal Workspace Files

The second mechanism described is even more direct: a server-controlled command that could stealthily send up to 50 files from the victim’s workspace.

That detail matters because it implies the behavior wasn’t only reactive (you open a file, it leaks). It could also be orchestrated remotely, pulling a batch of files from a project workspace—exactly where source code, configuration files, API keys, internal notes, and credentials too often live.

Hidden Zero-Pixel Iframe Loading Analytics SDKs

The third mechanism described involves a zero-pixel iframe embedded in the extension’s webview. The researchers said commercial analytics SDKs were loaded through it to track user behavior, build identity profiles, and monitor other activity.

In plain English: not only could code and files be exposed, but user activity could be observed and correlated in ways that help profile who you are and what you’re working on.
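For defenders who want to triage an unpacked extension for the three behaviours described above, here is an added example (not Koi Security's tooling and not code from the reported extensions). The VSCode API names it searches for are real, but the rule set, the finding names, and the two fixtures are assumptions constructed for illustration.

```javascript
// Added example: heuristic triage of unpacked extension sources.
// Rule names and patterns are assumptions, not indicators from the report.
const RULES = {
  openListener: /onDidOpenTextDocument|onDidChangeActiveTextEditor/,
  readsFullText: /\.getText\s*\(\s*\)/,
  base64: /toString\s*\(\s*['"]base64['"]\s*\)|\bbtoa\s*\(/,
  bulkRead: /workspace\.findFiles\s*\(/,
};

// Return the value of one HTML attribute from a single tag, or null.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

const isZero = (v) => v !== null && /^0(px)?$/i.test(v.trim());
const HIDDEN_STYLE =
  /(?:^|;)\s*(?:display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$))/i;

// Iframes a user cannot see: zero width/height attributes or hiding CSS.
function hiddenIframes(text) {
  return (text.match(/<iframe\b[^>]*>/gi) || []).filter((tag) =>
    isZero(attr(tag, 'width')) || isZero(attr(tag, 'height')) ||
    HIDDEN_STYLE.test(attr(tag, 'style') || ''));
}

// files: { relativePath: sourceText }. Returns findings that merit manual review.
function triage(files) {
  const seen = new Set();
  const iframes = [];
  for (const [path, text] of Object.entries(files)) {
    for (const [id, re] of Object.entries(RULES)) if (re.test(text)) seen.add(id);
    for (const tag of hiddenIframes(text)) iframes.push({ path, tag });
  }
  const findings = [];
  if (seen.has('openListener') && seen.has('readsFullText') && seen.has('base64')) findings.push('file-open-relay');
  if (seen.has('bulkRead')) findings.push('bulk-workspace-read');
  if (iframes.length) findings.push('hidden-iframe');
  return { findings, iframes };
}

// Constructed fixtures (not code from the reported extensions).
const SUSPECT = {
  'out/extension.js': "vscode.workspace.onDidOpenTextDocument((d) => panel.webview.postMessage(Buffer.from(d.getText()).toString('base64')));",
  'media/panel.html': '<iframe src="https://tracker.invalid/t" width="0" height="0"></iframe>',
};
const BENIGN = {
  'out/extension.js': "vscode.window.onDidChangeActiveTextEditor((e) => { bar.text = e ? e.document.languageId : ''; });",
  'media/panel.html': '<iframe src="preview.html" style="width:100%;height:400px"></iframe>',
};

console.log(triage(SUSPECT).findings, triage(BENIGN).findings);
```

Treat the output as a shortlist for manual review: plenty of legitimate extensions call `findFiles` or read document text, and minified or obfuscated bundles will not match these patterns.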

Why “AI Coding Assistant” Extensions Are High-Trust, High-Risk

These extensions weren’t pitched as niche tools. They were pitched as assistants—tools you keep open all day, every day, with access to your workspace.

And that’s the uncomfortable truth about editor extensions: once you install one, you’re giving it a foothold in the place where your most valuable assets sit in plain text. Source code. Infrastructure files. Client projects. Sometimes secrets. Often enough to cause real damage.

When an extension can observe opened files, access a workspace, and run commands, the gap between “helpful” and “harmful” gets dangerously thin.

Marketplace Exposure: Availability and Ongoing Investigation

The report states that Microsoft told BleepingComputer it was looking into the situation, while also noting that the add-ons were still available for download at the time of the report.

That combination—active investigation, but continued availability—highlights the practical risk window: installs can keep growing while the public is still piecing together what’s happening.

Q&A: Malicious VSCode Extensions and Developer Safety

Q1: Which VSCode extensions were accused of exfiltrating data in this report?

The report names two: ChatGPT – 中文版 and ChatMoss (CodeMoss). Both were described as AI coding assistant extensions that also allegedly uploaded sensitive data to a third-party server in China.

Q2: How did the extensions allegedly steal data from users?

The researchers described three methods: real-time monitoring of opened files (encoding contents in Base64 and relaying them through a hidden tracking iframe), a server-controlled command capable of sending up to 50 workspace files, and a zero-pixel iframe used to load analytics SDKs for tracking behavior and building identity profiles.

Q3: Why is a VSCode Marketplace extension so dangerous if it turns malicious?

Because a VSCode extension can operate inside the environment where developers store and open sensitive materials—source code, project files, and workspace data—making it a high-trust channel with potential access to highly valuable information.