Find notable cyber news and cases, enriched with sources, timelines, and signals.

Developers' source code exposed through malicious VS Code extensions

Data Leak
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

Malicious VS Code extensions have been found exfiltrating developers' source code and workspace changes to China-based servers, exposing sensitive code across 1.5 million installs. The extensions still work as advertised, which makes the theft harder to notice and increases the risk that developers will install them at scale. The activity is tied to MaliciousCorgi and includes hidden collection of opened files, edits, and device fingerprints.

Related Happenings

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

JetBrains Marketplace malicious plugins exfiltrating AI provider keys

Malware Activity
H score12 First: 17.06.2026 12:38 Last: 17.06.2026 12:38 Sources 1

About this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...

Developers' AI provider API keys exfiltrated via malicious JetBrains plugins

Data Leak
H score12 First: 17.06.2026 12:10 Last: 17.06.2026 12:10 Sources 1

About this happening: Developers' **AI provider API keys** were **exfiltrated** through malicious **JetBrains Marketplace** plugins, exposing credentials from a broad user base and risking unauthorized...

JetBrains Marketplace malicious plugin API-key theft campaign

Campaign
H score15 First: 17.06.2026 00:54 Last: 17.06.2026 00:54 Sources 1

About this happening: A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
H score30 First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Timeline

  1. 26.01.2026 17:43 2 articles · 5mo ago

    Malicious VS Code extensions exfiltrate developer source code

    Initial Disclosure

    Two malicious Microsoft Visual Studio Code extensions on the official Visual Studio Marketplace, ChatGPT - 中文版 and ChatGPT - ChatMoss(CodeMoss), are identified as functioning AI coding assistants that also capture opened files and source code edits from developers and send the data to China-based servers such as aihao123[.]cn. The same extensions are described as using hidden real-time monitoring, Base64 encoding, and a concealed zero-pixel iframe that loads Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics to fingerprint users, while the campaign is labeled MaliciousCorgi.

    Show sources