Malicious VS Code AI Extensions Stole Source Code in 1.5 Million Installs

Security researchers have recently uncovered two malicious extensions for Microsoft Visual Studio Code (VS Code) that pose significant risks to developers. These extensions, marketed as AI-powered coding assistants, have been installed a combined 1.5 million times.

Malicious Extensions Details

The two identified extensions are:

  • ChatGPT – 中文版 (ID: whensunset.chatgpt-china) – 1,340,869 installs
  • ChatGPT – ChatMoss(CodeMoss) (ID: zhukunpeng.chat-moss) – 151,751 installs

Both extensions have been found to send developer data to servers located in China without users’ consent. This data includes every file opened and any modifications made to the source code.
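
A way to check a workstation for the two extension IDs listed above, as an added example that is not from the researchers or the original article. It assumes the default desktop install directory ~/.vscode/extensions and identifies each extension from the publisher and name fields of its package.json; the function names are illustrative.

```python
import json
import re
import sys
from pathlib import Path

# Extension IDs named in the article.
FLAGGED_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}

# Fallback only: install folders are named "<publisher>.<name>-<version>".
FOLDER_RE = re.compile(r"^(?P<id>[^.]+\..+?)-\d+\.\d+\.\d+")


def extension_id(ext_dir: Path):
    """Return 'publisher.name' in lowercase for one extension folder, or None."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        if isinstance(data, dict) and data.get("publisher") and data.get("name"):
            return f"{data['publisher']}.{data['name']}".lower()
    except (OSError, ValueError):
        pass  # missing or unreadable manifest: fall back to the folder name
    match = FOLDER_RE.match(ext_dir.name)
    return match.group("id").lower() if match else None


def find_flagged(extensions_root: Path):
    """Return sorted (extension_id, folder_name) pairs for flagged extensions."""
    if not extensions_root.is_dir():
        return []
    hits = []
    for child in extensions_root.iterdir():
        ext_id = extension_id(child) if child.is_dir() else None
        if ext_id in FLAGGED_IDS:
            hits.append((ext_id, child.name))
    return sorted(hits)


if __name__ == "__main__":
    # Assumed default location; pass another directory as the first argument.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".vscode" / "extensions"
    found = find_flagged(root)
    for ext_id, folder in found:
        print(f"FLAGGED {ext_id} in {root / folder}")
    print(f"{len(found)} flagged extension(s) under {root}")
    sys.exit(1 if found else 0)
```

The script exits with status 1 when a flagged extension is present, so it can run from fleet-management or onboarding checks.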

Functionality and Threat

Despite containing malicious code, these extensions function as advertised. They provide useful autocomplete suggestions and error explanations, which helps them avoid raising suspicion among users.

According to security researcher Tuval Admoni, “Both contain identical malicious code and spyware infrastructure.” The extensions encode the opened file contents in Base64 format and transmit the data to a Chinese server, “aihao123[.]cn,” every time an edit is made.

Real-Time Monitoring

A concerning feature of these extensions is their ability to perform real-time monitoring. This functionality can be remotely activated, allowing the exfiltration of up to 50 files from a user’s workspace. Furthermore, the extensions include a hidden iframe that incorporates various analytics SDKs, such as Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, to profile users extensively.

Related Security Concerns

This discovery coincides with the identification of multiple vulnerabilities, collectively termed PackageGate, affecting JavaScript package managers like npm and pnpm. Six zero-day vulnerabilities have been revealed, which enable attackers to bypass important security measures that normally prevent the execution of lifecycle scripts during package installations.

Vulnerabilities Summary

The vulnerabilities tracked as CVE-2025-69264 and CVE-2025-69263 have serious implications, with respective CVSS scores of 8.8 and 7.5. While some packages have issued fixes, npm has declined to address the vulnerability, stating users must carefully vet any packages they install.

Prevention Measures

Given the ongoing threats in the software supply chain, experts recommend several key strategies:

  • Disable lifecycle scripts by passing the --ignore-scripts flag when installing packages.
  • Commit lockfiles like package-lock.json to ensure package integrity.
  • Adopt trusted publishing practices and implement two-factor authentication (2FA) for enhanced security.

As the situation evolves, developers are urged to remain vigilant and assess the risks associated with third-party code to protect their projects.