Developers' source code exposed through malicious VS Code extensions

Data Leak
First reported
Last updated
Happening score
H score 23
1 unique source, 1 article

Summary

Malicious VS Code extensions have been found exfiltrating developers' source code and workspace changes to China-based servers, exposing sensitive code across 1.5 million installs. The extensions still work as advertised, which makes the theft harder to notice and increases the risk that developers will install them at scale. The activity is tied to MaliciousCorgi and includes hidden collection of opened files, edits, and device fingerprints.

Related Happenings

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

GlassWorm Zig dropper infecting developer IDEs

Malware Activity
First: 10.04.2026 16:23 Last: 10.04.2026 16:23 Sources 1

About this happening: The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...

GlassWorm open-source supply-chain campaign targeting developers

Campaign
First: 14.03.2026 14:55 Last: 14.03.2026 14:55 Sources 1

About this happening: The **GlassWorm** campaign has added a new **Open VSX** wave of **73 cloned VS Code extensions** that impersonate legitimate packages to build trust before delivering malware. **S...

Latest development: 17.03.2026 23:42

GlassWorm renewed its supply-chain campaign against GitHub, npm, and VSCode/OpenVSX, with researchers identifying 433 compromised components this month across 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. The operators compromised GitHub accounts to force-push malicious commits, published obfuscated code using invisible Unicode characters, and used Solana blockchain transactions as C2 to deliver a Node.js runtime and a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.

VSCode extensions local file theft and RCE vulnerabilities (multiple vulnerabilities)

Vulnerability
First: 17.02.2026 23:27 Last: 17.02.2026 23:27 Sources 1

About this happening: **High-to-critical vulnerabilities** in popular **VSCode extensions** can expose developers to **local file theft** and **remote code execution** across software downloaded more t...

Fake AI assistant Chrome extension malware activity

Malware Activity
First: 16.02.2026 16:00 Last: 16.02.2026 16:00 Sources 1

About this happening: A cluster of **30 malicious Chrome extensions** posing as **AI assistants** is stealing **email content** and other sensitive data from **Chrome users**, creating a broad browser-...

Timeline

  1. 26.01.2026 17:43 2 articles · 4mo ago

    Malicious VS Code extensions exfiltrate developer source code

    Initial Disclosure

    Two malicious Microsoft Visual Studio Code extensions on the official Visual Studio Marketplace, ChatGPT - 中文版 and ChatGPT - ChatMoss(CodeMoss), are identified as functioning AI coding assistants that also capture opened files and source code edits from developers and send the data to China-based servers such as aihao123[.]cn. The same extensions are described as using hidden real-time monitoring, Base64 encoding, and a concealed zero-pixel iframe that loads Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics to fingerprint users, while the campaign is labeled MaliciousCorgi.
