Two seemingly benign AI coding assistants on Microsoft’s Visual Studio Code Marketplace have quietly siphoned source code, API keys and configuration files from 1.5 million developers, channeling the data to servers in China. Dubbed the MaliciousCorgi campaign by researchers at Koi Security, the extensions “ChatGPT - 中文版” and “ChatMoss (CodeMoss)” delivered the promised functionality (answering coding queries and offering autocomplete) while embedding sophisticated surveillance mechanisms.
Published by WhenSunset and zhukunpeng respectively, the extensions amassed 1.34 million and 150,000 installs. Koi researchers noted in their January 2026 blog post that both remained live on the marketplace days after disclosure, capturing files the moment they were opened and harvesting up to 50 workspace files on remote command. “They answer your coding questions. They explain your errors. They also capture every file you open, every edit you make, and send it all to servers in China. No consent. No disclosure,” the firm stated.
Malicious Mechanics Unmasked
The spyware operated through three channels. First, real-time monitoring triggered by VS Code’s onDidChangeTextDocument event read the entire contents of a file when it was opened, not just the lines in view, encoded them in Base64 and transmitted them via a hidden tracking iframe in the extension’s webview. “The moment you open any file – not interact with it, just open it – the extension reads its entire contents, encodes it as Base64, and sends it to a webview containing a hidden tracking iframe. Not 20 lines. The entire file,” Koi detailed on their blog.
Channel two enabled server-directed bulk theft: API responses included a jumpUrl that the webview parsed to invoke a getFilesList command, exfiltrating up to 50 files of any type except images with no user interaction required. The third channel loaded commercial analytics SDKs (Zhuge.io, GrowingIO, TalkingData and Baidu Analytics) in a zero-pixel iframe to profile users, fingerprint devices and prioritize high-value targets for deeper harvesting, according to BleepingComputer.
Domains like aihao123.cn served as exfiltration endpoints, and identical infrastructure linked both extensions. The risk extended to .env files holding API keys, SSH credentials and cloud configuration, exposing intellectual property across enterprises.
Microsoft’s Measured Response
BleepingComputer contacted Microsoft on January 23, 2026; a spokesperson replied the next day: “We are investigating this report and will take appropriate action in accordance with our process and policies.” As of late January, no public confirmation of removal emerged, echoing patterns in prior incidents. Checkmarx Zero had flagged ChatMoss-related issues as early as October 31, 2025, yet marketplace inaction persisted until Koi’s behavioral analysis spotlighted the campaign, per X posts from @CheckmarxZero.
This delay underscores broader vetting gaps. Of 136 extensions reviewed in 2025 alone, Microsoft removed 110 as malicious, per multiple reports including HackingPassion and ByteIota. Critics argue that static scans at submission time fail against post-approval behavior, allowing functional malware to thrive amid positive reviews.
Precedents abound: in December 2025, Koi exposed “Bitcoin Black” and “Codo AI,” which deployed infostealers that downloaded payloads via batch scripts and captured screenshots, WiFi passwords and browser cookies. Microsoft confirmed their removal days later to BleepingComputer. ReversingLabs uncovered 19 extensions hiding malware in fake PNGs since February 2025, with detections quadrupling year-over-year.
Persistent Supply Chain Perils
The VS Code ecosystem’s openness amplifies threats. HelixGuard identified 12 extensions such as Christine-devops1234.scraper exfiltrating code and credentials in October 2025, four of which were still active at disclosure, per Cybersecurity News. TigerJack’s 11 extensions infected 17,000 developers with spyware and miners and lingered on OpenVSX after Microsoft’s takedown, as noted by The Hacker News.
AI IDE forks like Cursor and Windsurf inherit hardcoded recommendations pointing to unclaimed OpenVSX namespaces, enabling namespace squatting, Koi warned in January 2026 via BleepingComputer. Wiz Research found 550 leaked secrets across 500+ extensions, risking malware propagation to 150,000 installs.
Checkmarx Zero systematically reports threats, coordinating removals, but emphasizes AppSec must scrutinize IDE tools beyond libraries. “Marketplace maintainers can be reluctant to remove things without ‘smoking gun’ evidence,” @CheckmarxZero posted on X.
Defending the Developer Frontier
Koi urges behavioral analysis after installation: “Scan your environment to find threats already running. Block malicious extensions before they’re installed.” Enterprises should enforce allowlists, audit installed extensions via GPO, restrict installs to verified publishers and disable auto-updates. X user @Anavem_ advised: “audit installed extensions and lock down marketplace installs.”
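As an added example (not code from the article, Koi or Checkmarx), the following Python audit applies the allowlist advice above and checks each installed extension for the co-occurring behaviours described under Malicious Mechanics Unmasked: a document-change listener, Base64 encoding, webview postMessage, a hidden iframe and a jumpUrl/getFilesList handler. The indicator patterns, the threshold of three and the sample extension tree are constructed assumptions, not Koi’s detection logic; point `audit` at ~/.vscode/extensions to run it against a real install.

```python
import json, re, tempfile
from pathlib import Path

# Each pattern mirrors one behaviour described above. Any one is harmless alone;
# the audit flags an extension only when several co-occur in its bundled JS.
INDICATORS = {
    "doc_listener": re.compile(r"onDidChangeTextDocument|onDidOpenTextDocument"),
    "base64": re.compile(r"toString\(['\"]base64['\"]\)|\bbtoa\("),
    "webview_post": re.compile(r"createWebviewPanel|\.postMessage\("),
    "hidden_iframe": re.compile(r"<iframe[^>]*(width=['\"]?0|display:\s*none)", re.I),
    "bulk_listing": re.compile(r"jumpUrl|getFilesList"),
}

def extension_id(ext_dir: Path) -> str:
    meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    return f"{meta['publisher']}.{meta['name']}".lower()  # publisher.name, as VS Code lists it

def scan_extension(ext_dir: Path) -> dict:
    """Collect which indicators appear anywhere in the extension's JS files."""
    hits = set()
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="ignore")
        hits.update(k for k, rx in INDICATORS.items() if rx.search(text))
    return {"id": extension_id(ext_dir), "indicators": sorted(hits)}

def audit(ext_root: Path, allowlist: set, threshold: int = 3) -> list:
    """Report extensions that are not allowlisted or reach the indicator threshold."""
    findings = []
    for ext_dir in sorted(p for p in ext_root.iterdir() if (p / "package.json").is_file()):
        r = scan_extension(ext_dir)
        r["allowed"] = r["id"] in allowlist
        r["suspicious"] = len(r["indicators"]) >= threshold
        if not r["allowed"] or r["suspicious"]:
            findings.append(r)
    return findings

def build_demo(root: Path) -> None:
    """Constructed sample tree (not real extensions): one benign, one matching the pattern."""
    benign = "vscode.commands.registerCommand('fmt', run);"
    spy = ("vscode.workspace.onDidChangeTextDocument(e => panel.webview.postMessage(btoa(e.document.getText())));"
           " html = '<iframe width=\"0\" src=\"' + jumpUrl + '\"></iframe>';")
    for pub, name, js in [("acme", "formatter", benign), ("demo-pub", "helper", spy)]:
        d = root / f"{pub}.{name}-1.0.0"
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"publisher": pub, "name": name}))
        (d / "extension.js").write_text(js)

def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:  # audit the constructed sample tree
        build_demo(Path(tmp))
        return audit(Path(tmp), {"acme.formatter"})
```

Only the constructed "demo-pub.helper" sample is reported: it is absent from the allowlist and trips all five indicators, while the allowlisted formatter trips none.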
VS Code commands 75.9% of professional developers per Stack Overflow’s 2025 survey, making it a prime vector. As AI tools proliferate, blending utility with espionage, the onus falls on runtime monitoring to bridge adoption speed and verification rigor.