
ClawdBot Agent malicious VS Code extension deploys ScreenConnect

Malware Activity
H score 22
1 unique source, 1 article

Summary


A malicious VS Code extension posing as a free AI coding assistant now serves as a payload loader that can give attackers persistent remote access to compromised hosts. The package, clawdbot.clawdbot-agent, was published on the Microsoft Extension Marketplace and later removed by Microsoft. It auto-runs when the IDE launches, fetches config.json from an external server, and launches ConnectWise ScreenConnect through the attacker’s infrastructure.

Related Happenings

KongTuke Microsoft Teams initial access campaign

Campaign
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Microsoft Edge regression disrupts Teams meeting joins

Service Disruption
First: 23.04.2026 16:18 Last: 23.04.2026 16:18 Sources 1

About this happening: A **Microsoft Edge** regression is preventing some **Windows** users from joining **Microsoft Teams** meetings, causing a limited-scope access disruption for scheduled and link-ba...

Windows 11 Notepad Markdown link RCE (CVE-2026-20841)

Vulnerability
First: 12.02.2026 01:15 Last: 12.02.2026 01:15 Sources 1

About this happening: Microsoft fixed **CVE-2026-20841**, a **remote code execution** flaw in **Windows 11 Notepad** that could be triggered by clicking a **malicious Markdown link**. On **Notepad vers...

GlassWorm malware abuses compromised OpenVSX extensions to steal credentials from macOS systems

Malware Activity
First: 03.02.2026 00:04 Last: 03.02.2026 00:04 Sources 1

About this happening: **GlassWorm** is a malware campaign that now also fuels **ForceMemo**, a **supply-chain attack** that steals **GitHub tokens** and force-pushes malicious code into **Python reposi...

Timeline

  1. 28.01.2026 19:46 1 article · 3mo ago

    ClawdBot Agent published on Extension Marketplace

    Initial Disclosure

    The malicious Microsoft Visual Studio Code extension "ClawdBot Agent - AI Coding Assistant" ("clawdbot.clawdbot-agent") was published by the user "clawdbot" on the official Extension Marketplace on January 27, 2026, impersonating a free AI coding assistant for Moltbot (formerly Clawdbot).

  2. 28.01.2026 19:46 2 articles · 3mo ago

    Researchers detail ScreenConnect loader chain

    Technical Analysis Update

    Security researchers described a loader chain in which the fake Moltbot extension auto-executes when the IDE launches, retrieves "config.json" from "clawdbot.getintwopc[.]site", and runs "Code.exe" to deploy ConnectWise ScreenConnect. The chain can fall back to DLL sideloading with "DWrite.dll", Dropbox, hard-coded URLs, or a batch script using "darkgptprivate[.]com". Separate analysis also found hundreds of unauthenticated Moltbot instances exposing configuration data, API keys, OAuth credentials, and private-chat histories.

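A defender-side check for the auto-run behaviour described in the timeline, as an added example that is not from the original report or from Microsoft: it reads each installed extension's package.json, flags the extension ID named on this page, and lists extensions set to activate at IDE startup. The sample manifests, their version strings and the `example.linter` extension are constructed; the page does not say which activation event the extension used, so checking `*` and `onStartupFinished` is an assumption.

```python
import json
import tempfile
from pathlib import Path

# Extension ID reported on this page; extend with IDs from your own intel.
KNOWN_BAD_IDS = {"clawdbot.clawdbot-agent"}
# Activation events that load an extension on every IDE start. Assumption:
# the page says the extension auto-runs but does not name the event it used.
STARTUP_EVENTS = {"*", "onStartupFinished"}

def audit_extensions(ext_root):
    """Return a finding for each installed extension that needs review."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            pkg = None
        if not isinstance(pkg, dict):
            findings.append({"id": manifest.parent.name, "reasons": ["unreadable manifest"]})
            continue
        ext_id = f"{pkg.get('publisher', '')}.{pkg.get('name', '')}".lower()
        reasons = ["extension ID reported as malicious"] if ext_id in KNOWN_BAD_IDS else []
        events = pkg.get("activationEvents")
        events = [e for e in events if isinstance(e, str)] if isinstance(events, list) else []
        hits = sorted(STARTUP_EVENTS.intersection(events))
        if hits:
            reasons.append("activates at IDE startup: " + ", ".join(hits))
        if reasons:
            findings.append({"id": ext_id, "reasons": reasons})
    return findings

def demo():
    """Audit a constructed extensions directory (sample manifests, not real ones)."""
    samples = {
        "clawdbot.clawdbot-agent-0.0.1": {"publisher": "clawdbot", "name": "clawdbot-agent",
                                          "activationEvents": ["onStartupFinished"]},
        "example.linter-1.2.3": {"publisher": "example", "name": "linter",
                                 "activationEvents": ["onLanguage:python"]},
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, pkg in samples.items():
            (Path(root) / folder).mkdir()
            (Path(root) / folder / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
        return audit_extensions(root)

if __name__ == "__main__":
    # To check a real host, call audit_extensions(Path.home() / ".vscode" / "extensions").
    for finding in demo():
        print(finding["id"], "->", "; ".join(finding["reasons"]))
```

Startup activation is also common among legitimate extensions, so treat that reason as a triage signal and the ID match as the actionable hit.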