Two popular VS Code extensions that looked perfectly legitimate just pulled off one of the most sophisticated supply chain attacks I've investigated. And if you're a developer, there's a decent chance you were affected.

The numbers are staggering: 1.5 million combined installations. Both extensions worked flawlessly, providing AI-powered coding assistance exactly as advertised. That's what made them so dangerous.

While you typed away building your next feature, these extensions were quietly harvesting every file you opened, every keystroke you made, and transmitting everything to servers in China. No warnings. No consent dialogs. Just silent, systematic theft.

Let me walk you through what actually happened, because this isn't just another cautionary tale. It's a blueprint of how modern supply chain attacks work, and why your development environment might be the weakest link in your security posture.

The Perfect Cover: Extensions That Actually Work

Here's what makes the MaliciousCorgi campaign (named by security researchers at Koi Security) genuinely terrifying: both extensions delivered real value.​

Install ChatGPT — 中文版 or ChatMoss, and you'd get legitimate AI-powered code suggestions. Ask a question about your code, and you'd receive helpful, accurate responses. The autocomplete worked. The error explanations made sense. Everything functioned exactly as a modern AI coding assistant should.

This wasn't some sloppy malware operation that crashed your IDE or filled your screen with pop-ups. The attackers understood something fundamental: functionality equals trust. When a tool does what it promises, developers stop asking questions.​

None
The two malicious VS Code extensions collectively reached 1.5 million installations before discovery, with ChatGPT — 中文版 accounting for the vast majority

Both extensions passed Microsoft's marketplace review process. They accumulated over a million downloads. They sat in plain sight on the official VS Code Marketplace for months, collecting five-star reviews from satisfied users who had no idea they were running spyware.

Three Hidden Channels, One Devastating Attack

While the extensions provided their advertised AI features, three parallel data collection mechanisms ran silently in the background. Think of them as different extraction wells, all drilling into your development environment from different angles.

Channel 1: Real-Time File Surveillance

The moment you opened any file in VS Code, not edited it, not saved it, just opened it, the extension read the entire contents, encoded it in Base64, and transmitted it to a hidden tracking iframe.

Normal AI autocomplete needs about 20 lines of context around your cursor. These extensions grabbed everything. Every file. Every time. And it happened on every single edit through the onDidChangeTextDocument event.​

Your proprietary algorithms? Captured. That API integration you've been building for weeks? Exfiltrated. The comments you left for your future self about the hacky workaround? All transmitted to servers you never authorized.

Channel 2: Server-Controlled Harvesting

The extensions maintained a command-and-control channel waiting for instructions. When the server sent a simple JSON command, {"type": "getFilesList"}, the extension would harvest up to 50 files from your workspace and transmit them in bulk.

This wasn't random grabbing. The system was selective, targeting everything except images. Configuration files with database credentials. .env files packed with API keys. AWS access tokens. SSH private keys. Everything a sophisticated attacker needs to pivot from code theft to infrastructure compromise.

And you'd see absolutely nothing. No progress bars, no notifications, no indication that your entire project was being methodically exfiltrated.​

Channel 3: The Profiling Engine

While the first two channels stole your work, the third channel profiled you.​

Embedded in the extension's webview was a zero-pixel iframe, completely invisible, that loaded four commercial Chinese analytics platforms: Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics.

These weren't simple visitor counters. These are enterprise-grade analytics systems designed to build comprehensive user profiles. They tracked your identity, your location, your company, which projects you spent the most time on, your activity patterns throughout the day.

Why collect all this metadata alongside your source code? Targeting. The profiling engine told attackers whose files were actually worth stealing. If you worked at a major tech company or unicorn startup, your code got priority. If your activity patterns suggested you were a senior engineer working on core infrastructure, your workspace became high-value inventory.​

This is supply chain attack methodology applied at the developer level. First profile, then exfiltrate, then weaponize.

Why This Attack Succeeded (And What That Means For You)

AI coding assistants have fundamentally changed the trust model in developer tools. These extensions need broad access to function. They need to read your code to provide suggestions. They need to understand your project structure to give relevant answers.​

That legitimate functionality creates perfect camouflage for malicious behavior. How do you distinguish between an AI assistant reading 20 lines of context and one that's reading entire files? How do you tell the difference between helpful analytics and invasive profiling?​

You can't, at least not without specialized security tooling. And most developers don't run that tooling.

VS Code's marketplace employs multiple security measures: malware scanning with various antivirus engines, monitoring for unusual usage patterns, name squatting prevention, and extension signature verification. These extensions passed all of them.

Why? Because functional malware looks like legitimate software. The code worked. The behavior seemed plausible. The publishers appeared credible. There were no obvious red flags.​

This is the new reality: malicious extensions don't need to look suspicious anymore. They just need to work.

The Broader Pattern: Your IDE Is Now a Target

MaliciousCorgi isn't an isolated incident. It's part of an escalating pattern of attacks targeting developer environments.

In 2025 alone, Microsoft removed 110 malicious extensions from the VS Code Marketplace. The GlassWorm campaign compromised multiple OpenVSX extensions, turning them into self-propagating worms that stole credentials from GitHub, npm, and cryptocurrency wallets across 36,000 installations.

The Shai-Hulud worm attacked the npm ecosystem, compromising over 100 packages with self-replicating malware that harvested tokens and published itself to additional packages automatically. Its second version was even more aggressive: if it couldn't steal credentials, it attempted to destroy the victim's entire home directory.

Then came PackageGate: six zero-day vulnerabilities across npm, pnpm, vlt, and Bun that bypassed lockfile integrity checks and allowed automatic execution of malicious code. Pnpm patched two critical CVEs (CVE-2025–69263 and CVE-2025–69264). npm, now owned by Microsoft, closed the vulnerability report with "works as expected".

See the pattern? Attackers are systematically targeting every layer of the developer supply chain. Your package managers. Your IDE extensions. Your build tools. Anywhere that code flows through your development process is now considered viable attack surface.

And they're succeeding because these tools are designed for convenience, not security.

What You Should Do Right Now

If you're reading this and have VS Code installed, here's your immediate action plan:

Step 1: Check for the malicious extensions

Open VS Code and navigate to your Extensions panel. Search for:

  • ChatGPT — 中文版 (publisher: WhenSunset)
  • ChatMoss or CodeMoss (publisher: zhukunpeng)

If you find either one, uninstall immediately.

Step 2: Assume compromise

If you had either extension installed, treat every credential in your workspace as compromised. That means:​

  • Rotate all API keys and access tokens
  • Change database passwords
  • Regenerate SSH keys
  • Revoke and reissue cloud service credentials (AWS, GCP, Azure)
  • Review your cloud provider logs for unauthorized access over the past few months

Yes, this is painful. But it's significantly less painful than discovering months later that someone's been using your AWS credentials to mine cryptocurrency or that your proprietary algorithm showed up in a competitor's product.

Step 3: Audit your other extensions

How many extensions do you have installed? Do you remember installing all of them? Do you know what each one does?

Run through your extensions list. For each one, ask:

  • When was it last updated?
  • How many installations does it have?
  • Is the publisher verified or at least recognizable?
  • Does it request permissions that seem excessive for its stated purpose?

Remove anything you don't actively use. Every extension is potential attack surface.

Building Better Defenses

Individual vigilance helps, but it's not enough. This problem requires systematic solutions.

For development teams, consider implementing extension allowlisting. Create a curated list of approved extensions that have been vetted by your security team. Use tools like ExtensionTotal or VScan to assess risk before adding new extensions to the approved list.

Organizations can use centralized extension management through tools like JFrog's IDE Extensions Control, which provides a local, cached repository of vetted extensions and prevents developers from installing unapproved add-ons.​

For individual developers, adopt a zero-trust mindset toward extensions. Just because something has high download counts doesn't mean it's safe. Just because it works well doesn't mean it's trustworthy. Function and safety are independent properties.

Monitor your extensions for updates. A long-dormant project that suddenly releases a new version is a red flag, it could indicate account compromise. Enable notifications for extension updates so you can review what changed before auto-updates apply.

Use separate VS Code profiles for different work contexts. Keep sensitive projects in a clean profile with minimal extensions. Use your extension-heavy setup for experiments and learning, not production work.

Moving Forward

As of January 26, 2026, both MaliciousCorgi extensions were still available on the VS Code Marketplace. Microsoft's security team has been notified. The extensions will eventually be removed and added to the block list, triggering automatic uninstallation.

But that's reactive, not preventive. Another campaign is already in progress somewhere, using different publisher accounts, different extension names, possibly different techniques. The attackers are learning from each iteration.

The question isn't whether there will be more attacks like this. The question is whether developers and organizations will adapt their security practices fast enough to defend against them.

Your development environment is infrastructure now. Treat it that way. Audit it. Monitor it. Apply the same security discipline you'd apply to production systems.

Because the next time someone installs a malicious extension, it might not be 1.5 million developers. It might just be you. And by the time you notice, your code, and your credentials, and your company's intellectual property, could already be in someone else's hands.

What's your team doing to vet extensions before installation? Drop your approach in the comments, I'm curious how different organizations are handling this.

Resources & Further Reading

Enjoyed? Clap 👏, Share, Subscribe, and Follow for more!

🔗 Instagram | LinkedIn