A massive file harvesting campaign is ongoing, targeting VS Code developers. Over 1.5 million users have downloaded knock-off extensions that function like AI coding assistants but are also bristling with spyware.
KOI Security researchers warn that searching for the “ChatGPT” extension on the VS Code Marketplace too often leads to spyware infections.
Over 1.5 million developers have already installed two extensions that mimic AI assistants and actually deliver the promised functionality. However, they take longer than any user might expect.
“These extensions actually work. That's what makes them dangerous,” KOI Security said in a report on AI extensions leaking data from developers.
“Both are marketed as AI coding assistants. Both are functional. Both contain identical malicious code – the same spyware infrastructure running under different publisher names.”
One of the extensions, called “ChatGPT - 中文版,” has 1.35 million installs. Another AI tool, “ChatGPT - ChatMoss,” has attracted 150,000 users.
Not only are both extensions still available on the VS Code marketplace at the time of writing, but they also appear among the top results when searching for ChatGPT. There are also many more dubious knockoffs, wrappers, and alternatives.
What’s wrong with the two extensions?
They capture every file the users open, every edit they make, and send the data to servers in China.
“No consent. No disclosure,” the KOI researchers said.
“Both contain identical malicious code – the same spyware infrastructure running under different publisher names.”
Malicious behavior
The researchers argue that it is normal for some AI extensions to read part of the developers’ code. For example, GitHub Copilot reads about 20 lines of context around the cursor to provide autocomplete suggestions.
The fake “ChatGPTs” were found to secretly beam the entire contents of each file when opened. To stay undetected, the extension encodes content using Base64 and sends it to a webview that contains a hidden tracking iframe.
They can also collect files at any time without any user interaction – the remote server can trigger the mass exfiltration of up to 50 files at a time without the user seeing anything.
“When the server sends {"type": "getFilesList"}, the extension triggers a full workspace harvest,” the researchers found.
But there is also another profiling channel for harvesting user data. Completely invisible iframes load four separate analytics platforms – Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, which are designed to track user behavior, build identity profiles, fingerprint devices, and monitor every interaction.
“Why collect all this metadata alongside your source code? One possibility: targeting,” the report reads.
“Analytics tells them whose files are worth taking – and when you're most active, profiling first, exfiltration second.”
The report warns developers that their environment files containing API keys, passwords, and other credentials and sensitive data may already have been compromised.
“AI coding assistants are everywhere,” the researchers warn.
“We install them without a second thought. They're in the official marketplace. They have thousands of reviews. They work. So we grant them access to our workspaces, our files, our keystrokes – and assume they're only using that access to help us code. Not all of them are.”
The researchers dubbed this spyware campaign MaliciousCorgi.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked