Malicious AI Coding Assistant ‘Moltbot’ Infects VS Code with Malware
Cybersecurity experts have identified a new threat linked to a malicious extension for Microsoft Visual Studio Code (VS Code), known as Moltbot. Formerly named Clawdbot, Moltbot is advertised as a free AI coding assistant, but it stealthily infects compromised systems with malware. The extension, “ClawdBot Agent – AI Coding Assistant,” was published by a user called “clawdbot” on January 27, 2026, and has since been removed by Microsoft from the official Extension Marketplace.
The Malicious Nature of Moltbot
Moltbot has gained considerable traction, accumulating over 85,000 stars on GitHub. This open-source project, developed by Austrian programmer Peter Steinberger, allows users to run a personal AI assistant powered by a large language model on local devices. Users can interact with Moltbot through platforms such as WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, and WebChat.
Importantly, there is no legitimate VS Code extension for Moltbot. This lack of an official tool has allowed threat actors to exploit its rising popularity, misleading developers into installing the malicious extension.
Malware Delivery Mechanism
The malicious extension is designed to launch automatically whenever the integrated development environment (IDE) is started. It secretly downloads a file named “config.json” from an external server. This file then triggers a binary named “Code.exe,” which deploys a legitimate remote desktop tool, such as ConnectWise ScreenConnect. This allows attackers persistent access to compromised hosts by connecting to the URL “meeting.bulletmailer[.]net:8041.”
- Malicious Extension: ClawdBot Agent – AI Coding Assistant
- Malware Type: Stealth software that establishes remote access
- Initial Publication Date: January 27, 2026
- Developer: Peter Steinberger
- GitHub Stars: Over 85,000
According to cybersecurity researcher Charlie Eriksen, the attackers created their own ScreenConnect relay server to distribute a fully functional client through the VS Code extension.
Backup Delivery Methods
The malicious extension also has various backup systems for payload delivery. For instance, it retrieves a DLL file named “DWrite.dll,” written in Rust, from the “config.json” file and sideloads it to ensure the ScreenConnect client is delivered. If the primary server becomes inaccessible, this backup mechanism activates. Additionally, a batch script can procure the payloads from another domain, darkgptprivate.com.
Security Concerns with Moltbot
The risk posed by Moltbot extends beyond individual systems. Research by Jamieson O’Reilly, founder of Dvuln, revealed numerous unauthenticated Moltbot instances online, exposing sensitive data such as API keys and private conversation histories. This vulnerability allows attackers to impersonate users on platforms like Telegram, Slack, and Discord, manipulate conversations, and extract confidential information without detection.
Recommended Security Measures
Users running Clawdbot with default settings should take immediate action:
- Audit your configuration settings.
- Revoke all connected service integrations.
- Review exposed credentials for potential breaches.
- Implement strict network controls.
- Monitor for signs of compromise.
As Moltbot continues to evolve, organizations need to prioritize security and ensure protected implementations to prevent unauthorized access and data loss.
