Find notable cyber news and cases, enriched with sources, timelines, and signals.

ClawdBot Agent malicious VS Code extension deploys ScreenConnect

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

A malicious VS Code extension posing as a free AI coding assistant now serves as a payload loader that can give attackers persistent remote access to compromised hosts. The package, clawdbot.clawdbot-agent, was published on the Microsoft Extension Marketplace and later removed by Microsoft. It auto-runs when the IDE launches, fetches config.json from an external server, and launches ConnectWise ScreenConnect through the attacker’s infrastructure.

Related Happenings

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)

Vulnerability
H score34 First: 15.06.2026 16:00 Last: 15.06.2026 16:00 Sources 1

About this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...

KongTuke Microsoft Teams initial access campaign

Campaign
H score42 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
H score30 First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Microsoft Edge regression disrupts Teams meeting joins

Service Disruption
H score1 First: 23.04.2026 16:18 Last: 23.04.2026 16:18 Sources 1

About this happening: A **Microsoft Edge** regression is preventing some **Windows** users from joining **Microsoft Teams** meetings, causing a limited-scope access disruption for scheduled and link-ba...

Timeline

  1. 28.01.2026 19:46 1 articles · 5mo ago

    ClawdBot Agent published on Extension Marketplace

    Initial Disclosure

    The malicious Microsoft Visual Studio Code extension "ClawdBot Agent - AI Coding Assistant" ("clawdbot.clawdbot-agent") was published by the user "clawdbot" on the official Extension Marketplace on January 27, 2026, impersonating a free AI coding assistant for Moltbot (formerly Clawdbot).

    Show sources
  2. 28.01.2026 19:46 2 articles · 5mo ago

    Researchers detail ScreenConnect loader chain

    Technical Analysis Update

    Security researchers described a loader chain in which the fake Moltbot extension auto-executes when the IDE launches, retrieves "config.json" from "clawdbot.getintwopc[.]site", runs "Code.exe" to deploy ConnectWise ScreenConnect, and can fall back to DLL sideloading with "DWrite.dll", Dropbox, hard-coded URLs, or a batch script using "darkgptprivate[.]com"; separate analysis also found hundreds of unauthenticated Moltbot instances exposing configuration data, API keys, OAuth credentials, and private-chat histories.

    Show sources