MaliciousCorgi exposes 1.5 million developers: the VS Code extensions that stole data

A campaign was recently detected that took advantage of two malicious supplements published in the Visual Studio Code Marketplace and which, together, were installed about 1.5 million times. Both were presented as artificial intelligence-driven programming assistants and performed the function they promised in appearance, but they hid data exfiltration behaviors to servers located in China without informing or seeking the consent of users.

The findings came from the hands of Koi Security, a firm specialized in endpoints security and software supply chains, which named the operation "MaliciousCorgi." According to their analysis, the two supplements share the same logic to steal information and connect to the same command and control infrastructure. At the time the investigation was published, the extensions were still available on the market under the names ChatGPT - PK(published by WhenSunset, approximately 1.34 million facilities) and ChatMoss (CodeMoss)(published by zhukunpeng, about 150,000 facilities). The technical details are in Koi's report published by Koi himself and specialized means such as BleepingComputer have covered the story while a formal Microsoft response is expected.

The exfiltration technique described by the researchers uses three complementary vectors. First, the extension code monitors in real time the files that the developer opens in the VS Code client; by opening a file, the extension reads its full content, encodes it in Base64 and sends it to a web view that loads a hidden iphrame, thus transmitting the content to the remote server. It is not a question of capturing only fragments or limiting to example lines: the extension can read and transfer the entire file and also detect and send subsequent changes.

The second mechanism allows server operators to order mass file collection from the victim's work space: by a server-controlled command, the extension can pack and send up to 50 workspace files in a single operation, which multiplies the potential damage by including configuration files, secrets or any other sensitive device stored next to the code.

The third vector is oriented to the user's profiling and tracking. The extensions charge, through a zero-size iphrame within the web view, several commercial analytical libraries - including Zhuge.io, GrowingIO, TalkingData and Baidu Analytics - that serve to build fingerprints, follow the activity within the editor and correlate behavior. Together, these three techniques combine content extraction and creation of identity and device profiles.

The risk is obvious: a developer who has installed one of these supplements can unknowingly expose private source code files, configuration files, .env files with keys and tokens, cloud service credentials and other sensitive data that usually remain in the workspace. The possibility of filtering API keys or operational secrets to a remote actor represents a direct threat to both private projects and connected business infrastructure.

That threats of this kind appear in an ecosystem as widespread as the VS Code Marketplace highlights an important point about extensions and confidence: although the platform allows to enrich the editor with powerful functionalities - especially now, with the wave of IA-based code assistants - there is no absolute guarantee that all extensions publish their code or act transparently. Microsoft keeps documentation on the behavior and life cycle of the extensions on its official site; it helps you understand how these packages are distributed and updated: VS Code extension documentation.

In the face of such an incident, the practical recommendations are clear: in the short term it is necessary to uninstall immediately any suspicious extension, review the list of active supplements and avoid installing packages of doubtful origin. It is then essential to audit repositories and working environments in search of potentially compromised secrets and rotate keys and tokens that may have been exposed. For equipment and companies, it is also recommended to centralize policies on approved extensions and to restrict facilities in sensitive environments, as well as to use source code and Pipeline secret detection tools from CI / CD.

In addition to reactive actions, there is a preventive lesson: to verify the reputation of the editor of an extension, to review the public repository if it exists, to check the units it loads and to limit the scope of permits when the platform allows. And, of course, treating credentials as high-risk devices; keeping them out of the workspace by means of secret management solutions reduces the exposure window against malicious supplements.

The security community and the tool developers themselves must follow these events closely. Koi Security has published a technical analysis that includes fragments of the malicious code and explanations on how exfiltration chains work; reading this report provides technical context for those who need to audit facilities or respond to incidents: Koi Security report on MaliciousCorgi. In the meantime, the media have tried to contact Microsoft to clarify why these extensions remained accessible and what mediation measures would be applied; in the coverage of BleepingComputer the attempts to communicate with the company are collected.

In an ecosystem where extensions increase productivity but also expand the attack surface, the best defense remains the combination of caution, transparency and good practices in the management of secrets. If you are a developer or infrastructure manager, it is appropriate to take this type of alert as a warning: the convenience of a tool should never eclipse the minimum safety checks before integrating it into your daily workflow.