Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants, but also harbor covert functionality to siphon developer data to China-based servers.
The extensions, which have 1.5 million combined installs and are still available for download from the official Visual Studio Marketplace, are listed below -
- ChatGPT - 中文版 (ID: whensunset.chatgpt-china) - 1,340,869 installs
- ChatGPT - ChatMoss(CodeMoss)(ID: zhukunpeng.chat-moss) - 151,751 installs
Koi Security said the extensions are functional and work as expected, but they also capture every file being opened and every source code modification to servers located in China without users' knowledge or consent. The campaign has been codenamed MaliciousCorgi.
"Both contain identical malicious code -- the same spyware infrastructure running under different publisher names," security researcher Tuval Admoni said.
What makes the activity particularly dangerous is that the extensions work exactly as advertised, providing autocomplete suggestions and explaining coding errors, thereby avoiding raising any red flags and lowering the users' suspicion.
At the same time, the embedded malicious code is designed to read all of the contents of every file being opened, encode it in Base64 format, and send it to a server located in China ("aihao123[.]cn"). The process is triggered for every edit.
The extensions also incorporate a real-time monitoring feature that can be remotely triggered by the server, causing up to 50 files in the workspace to be exfiltrated. Also present in the extension's web view is a hidden zero-pixel iframe that loads four commercial analytics software development kits (SDKs) to fingerprint the devices and create extensive user profiles.
The four SDKs used are Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, all of which are major data analytics platforms based in China.
PackageGate Flaws Affect JavaScript Package Managers
The disclosure comes as the supply chain security company said it identified six zero-day vulnerabilities in JavaScript package managers like npm, pnpm, vlt, and Bun that could be exploited to defeat security controls put in place to skip the automatic execution of lifecycle scripts during package installation. The flaws have been collectively named PackageGate.
Defenses such as disabling lifecycle scripts ("--ignore-scripts") and committing lockfiles ("package-lock.json") have become crucial mechanisms to confronting supply chain attacks, especially in the aftermath of Shai-Hulud, which leverages postinstall scripts to spread in a worm-like manner to hijack npm tokens and publish malicious versions of the packages to the registry.
However, Koi found that it's possible to bypass script execution and lockfile integrity checks in the four package managers. Following responsible disclosure, the issues have been addressed in pnpm (version 10.26.0), vlt (version 1.0.0-rc.10), and Bun (version 1.3.5). Pnpm is tracking the two vulnerabilities as CVE-2025-69264 (CVSS score: 8.8) and CVE-2025-69263 (CVSS score: 7.5).
Npm, however, has opted not to fix the vulnerability, stating "users are responsible for vetting the content of packages that they choose to install." When reached for comment, a GitHub spokesperson told The Hacker News that's working actively to address the new issue as npm actively scans for malware in the registry.
"If a package being installed through git contains a prepare script, its dependencies and devDependencies will be installed. As we shared when the ticket was filed, this is an intentional design and works as expected," the company said. "When users install a git dependency, they are trusting the entire contents of that repository, including its configuration files."
The Microsoft-owned subsidiary has also urged projects to adopt trusted publishing and granular access tokens with enforced two-factor authentication (2FA) to secure the software supply chain. As of September 2025, GitHub has deprecated legacy classic tokens, limited granular tokens with publishing permissions to a shorter expiration, and removed the option to bypass 2FA for local package publishing.
"The standard advice, disable scripts and commit your lockfiles, is still worth following," security researcher Oren Yomtov said. "But it's not the complete picture. Until PackageGate is fully addressed, organizations need to make their own informed choices about risk."
(The story was updated after publication to include a response from GitHub.)
