Developers' source code exposed through malicious VS Code extensions
Data Leak
Summary
Hide ▲
Show ▼
Malicious VS Code extensions have been found exfiltrating developers' source code and workspace changes to China-based servers, exposing sensitive code across 1.5 million installs. The extensions still work as advertised, which makes the theft harder to notice and increases the risk that developers will install them at scale. The activity is tied to MaliciousCorgi and includes hidden collection of opened files, edits, and device fingerprints.
Related Happenings
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware Activity
H score12
First: 17.06.2026 12:38
Last: 17.06.2026 12:38
Sources 1
About this happening:
A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
JetBrains Marketplace malicious plugins exfiltrating AI provider keys
Malware ActivityAbout this happening: A **JetBrains Marketplace** malware operation has pushed **15 malicious plugins** that pose as AI coding assistants and steal **AI provider API keys** from developers. The plugins...
Developers' AI provider API keys exfiltrated via malicious JetBrains plugins
Data Leak
H score12
First: 17.06.2026 12:10
Last: 17.06.2026 12:10
Sources 1
About this happening:
Developers' **AI provider API keys** were **exfiltrated** through malicious **JetBrains Marketplace** plugins, exposing credentials from a broad user base and risking unauthorized...
Developers' AI provider API keys exfiltrated via malicious JetBrains plugins
Data LeakAbout this happening: Developers' **AI provider API keys** were **exfiltrated** through malicious **JetBrains Marketplace** plugins, exposing credentials from a broad user base and risking unauthorized...
JetBrains Marketplace malicious plugin API-key theft campaign
Campaign
H score15
First: 17.06.2026 00:54
Last: 17.06.2026 00:54
Sources 1
About this happening:
A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...
JetBrains Marketplace malicious plugin API-key theft campaign
CampaignAbout this happening: A **coordinated malware campaign** on the **JetBrains Marketplace** is stealing developers' **AI provider API keys** through malicious plugins that pose as **AI coding assistants*...
GlassWorm v2 cloned VS Code extension loaders
Malware Activity
H score30
First: 27.04.2026 14:23
Last: 27.04.2026 14:23
Sources 1
About this happening:
The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
GlassWorm v2 cloned VS Code extension loaders
Malware ActivityAbout this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...
Timeline
-
26.01.2026 17:43 2 articles · 5mo ago
Malicious VS Code extensions exfiltrate developer source code
Initial DisclosureTwo malicious Microsoft Visual Studio Code extensions on the official Visual Studio Marketplace, ChatGPT - 中文版 and ChatGPT - ChatMoss(CodeMoss), are identified as functioning AI coding assistants that also capture opened files and source code edits from developers and send the data to China-based servers such as aihao123[.]cn. The same extensions are described as using hidden real-time monitoring, Base64 encoding, and a concealed zero-pixel iframe that loads Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics to fingerprint users, while the campaign is labeled MaliciousCorgi.
Show sources
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43
- Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code — thehackernews.com — 26.01.2026 17:43