Those AI Coding Extensions Have 1.5 Million Installs—And They're Sending Your Code to China

If you've installed an AI coding assistant in Visual Studio Code recently, your source code might already be on a server in China.

Security researchers at Koi discovered two malicious extensions on Microsoft's official VSCode Marketplace that had been silently exfiltrating developer data to Chinese servers. The extensions—marketed as AI coding assistants—accumulated 1.5 million combined installations before the campaign was exposed.

The attack is a stark reminder that the tools developers trust most can become the biggest security liability.

The Extensions That Betrayed 1.5 Million Developers

The two extensions at the center of this campaign are ChatGPT – 中文版 (published by WhenSunset) with 1.34 million installs, and ChatMoss/CodeMoss (published by zhukunpeng) with 150,000 installs.

Both promised AI powered coding assistance. Both delivered something else entirely.

Koi's researchers designated the campaign "MaliciousCorgi" after discovering the extensions employed three distinct methods to harvest developer data:

Real time file surveillance: The moment you open any file in your editor—not interact with it, just open it—the extension reads its entire contents, encodes it as Base64, and transmits it to attacker controlled servers.

Batch file harvesting: Server controlled commands could silently transmit up to 50 workspace files per execution, allowing attackers to systematically pillage entire codebases.

Behavioral tracking: Zero pixel iframes loaded four commercial Chinese analytics SDKs (Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics) for device fingerprinting, activity monitoring, and user profiling.

What Was Stolen

The stolen data reads like a developer's worst nightmare: complete source code from opened files, configuration files, cloud service credentials, and .env files containing API keys.

For developers working on proprietary software, this represents intellectual property theft. For those with AWS keys, database credentials, or API tokens in their configuration files, it means potential account compromise and financial loss.

The extensions transmitted everything to servers hosted at aihao123.cn—a domain that appeared legitimate but served as the collection point for stolen data.

A Pattern of Attacks

This incident is not isolated. Microsoft removed 110 malicious extensions from the VSCode Marketplace in 2025 alone, yet attacks continue to accelerate.

Earlier campaigns have been even more brazen. A threat actor known as TigerJack published at least 11 malicious extensions that infected over 17,000 developers with spyware, cryptocurrency miners, and remote backdoors. Two of the extensions—C++ Playground and HTTP Format—remained available on the alternative OpenVSX registry months after Microsoft removed them.

The scale of the problem reflects VSCode's dominance. With 73.71% developer adoption according to recent surveys, a successful attack on the VSCode ecosystem affects the majority of the software industry.

Why AI Extensions Are Particularly Dangerous

The rise of AI coding assistants has created a perfect storm for supply chain attacks. Developers are rushing to adopt tools that promise productivity gains, often installing extensions with minimal scrutiny.

AI extensions require broad permissions by design—they need to read your code to provide suggestions. This makes malicious behavior harder to distinguish from legitimate functionality. An extension that reads every file you open seems normal when it claims to offer AI powered code completion.

The MaliciousCorgi extensions exploited this expectation perfectly. They functioned as advertised while quietly exfiltrating everything in the background.

Microsoft's Response

Microsoft told reporters they were "investigating this report and will take appropriate action in accordance with our process and policies."

The statement echoes previous responses to marketplace abuse. Critics argue that Microsoft's vetting process for VSCode extensions remains inadequate given the sensitive access these tools receive.

The extensions were eventually removed, but only after security researchers discovered and reported the campaign. For the 1.5 million developers who installed them, the damage may already be done.

How to Check If You're Affected

Open VSCode and navigate to the Extensions panel. Search your installed extensions for "ChatGPT – 中文版" (publisher: WhenSunset) or "ChatMoss" or "CodeMoss" (publisher: zhukunpeng).

If you find either extension:

1. Uninstall it immediately
2. Assume any credentials in your workspace are compromised
3. Rotate all API keys, database passwords, and cloud credentials that existed in your project files
4. Review your cloud provider logs for unauthorized access
5. Consider whether any proprietary code requires incident disclosure

Even if you haven't installed these specific extensions, this incident should prompt a broader review of your development environment.

Protecting Your Development Environment

The VSCode Marketplace's verification system provides limited protection. Extensions from verified publishers can still turn malicious through compromised accounts or intentional deception.

Before installing any extension, check the publisher's history, read recent reviews for security concerns, and consider whether the permissions requested match the stated functionality. Be especially cautious with extensions that need broad file access.

For sensitive projects, consider using VSCode's restricted mode or maintaining a separate development environment with limited network access.

The tools that make developers more productive are the same tools that attackers target to steal their work. In a world where AI coding assistants read every line you write, trusting the wrong extension means trusting the wrong people with everything.