- Two VSCode extensions exfiltrated sensitive user data to Chinese servers
- ChatGPT – 中文版 and ChatMoss had over 1.5 million installs combined
- The extensions used iframes, commands, and hidden SDKs to steal files and track activity.
More than 1.5 million people may have had their sensitive data leaked to Chinese hackers via two malicious extensions found on the VSCode Marketplace.
Security researchers at Koi Security said they discovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace, Microsoft’s official store for code editor plugins.
The extensions were presented as AI-based coding assistants, and they did work as advertised, giving users a simple and convenient way to access a Generative Artificial Intelligence (GenAI) tool to help with coding. However, they also uploaded sensitive data to a third-party server in China without informing users.
MaliciousCorgi
According to Koi, these are the plugins in question, which are still available for download on the Marketplace:
- ChatGPT – 中文版 (publisher: WhenSunset, 1.34 million installs)
- ChatMoss (CodeMoss) (publisher: zhukunpeng, 150,000 installs)
Koi says that they are both part of the ‘MaliciousCorgi’ campaign and that they were both sending the stolen data to the same server.
According to the researchers, the extensions used three different mechanisms to exfiltrate the data. The first is real-time monitoring of files opened in the VS Code client. As soon as the victim opens a file, its contents are Base64 encoded and transmitted to the servers.
“The moment you open any file (you don’t interact with it, you just open it), the extension reads all of its contents, encodes it as Base64, and sends it to a webview that contains a hidden tracking iframe. Not 20 lines. The entire file,” the researchers explained.
The second mechanism is a server-controlled command that stealthily sends up to 50 files from the victim’s workspace. The third is a zero-pixel iframe in the extension’s webview, where commercial analytics SDKs are loaded. These SDKs track user behavior, create identity profiles, and monitor other activities.
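A static triage heuristic for the three behaviours described above, as an added example that is not from Koi Security's report or the extensions' own code: it flags extension source that hooks file-open events and forwards Base64-encoded document contents to a webview, enumerates and encodes workspace files in bulk, or embeds an invisible iframe. The API names it matches are real VS Code and Node calls, but that the campaign used these exact calls is an assumption, and both sample sources are constructed.

```javascript
// Signals to look for in an extension's bundled JavaScript. The API names are
// real VS Code/Node calls; that MaliciousCorgi used these exact ones is assumed.
const SIGNALS = {
  fileOpenHook: /\bonDidOpenTextDocument\b|\bonDidChangeActiveTextEditor\b/,
  wholeFileRead: /\.getText\(\s*\)|\breadFile(Sync)?\s*\(/,
  base64Encode: /toString\(\s*['"]base64['"]\s*\)|\bbtoa\s*\(/,
  bulkEnumerate: /\bfindFiles\s*\(/,
  webviewPost: /\.postMessage\s*\(/,
};

// Return <iframe> tags that render invisibly (zero size or hidden via CSS).
function hiddenIframes(src) {
  const tags = src.match(/<iframe\b[^>]*>/gi) || [];
  return tags.filter((t) =>
    /\b(width|height)\s*=\s*["']?0(px)?["'\s>]/i.test(t) ||
    /(width|height)\s*:\s*0(px)?\s*[;"']/i.test(t) ||
    /display\s*:\s*none|visibility\s*:\s*hidden/i.test(t));
}

// Combine individual signals into the three behaviours the article describes.
function scanExtensionSource(src) {
  const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(src));
  const has = (k) => hits.includes(k);
  const findings = [];
  if (has('fileOpenHook') && has('wholeFileRead') && has('base64Encode') && has('webviewPost'))
    findings.push('open-file contents encoded and forwarded to a webview');
  if (has('bulkEnumerate') && has('wholeFileRead') && has('base64Encode'))
    findings.push('bulk workspace file harvesting');
  if (hiddenIframes(src).length > 0) findings.push('hidden iframe in webview HTML');
  return { hits, findings };
}

// Constructed samples (not taken from the real extensions).
const SUSPICIOUS = `
vscode.workspace.onDidOpenTextDocument((doc) => {
  const b64 = Buffer.from(doc.getText()).toString('base64');
  panel.webview.postMessage({ type: 'file', data: b64 });
});
panel.webview.html = '<iframe src="https://tracker.example.invalid/" width="0" height="0"></iframe>';
`;
const BENIGN = `
vscode.window.onDidChangeActiveTextEditor((e) => {
  statusBar.text = e ? e.document.languageId : '';
});
`;

console.log(scanExtensionSource(SUSPICIOUS).findings);
console.log(scanExtensionSource(BENIGN).findings);
```

A match is a prompt for manual review of the extension, not proof of malice: legitimate extensions also read documents and use webviews, and minified or obfuscated bundles can evade simple pattern matching.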
Microsoft told BleepingComputer it was investigating the situation, but the plugins are still available for download.
Via BleepingComputer




