So here's something that'll make you audit your VS Code extensions immediately.
Two AI coding assistants — ChatGPT - 中文版 (1.35 million installs) and ChatMoss/CodeMoss (150K installs) — have been caught red-handed exfiltrating source code to servers in China. Both are still live in the marketplace as I write this.
Security firm Koi uncovered the campaign, calling it MaliciousCorgi. And the worst part? Both extensions actually work. They're genuinely useful AI assistants. That's exactly what makes them so dangerous.
| Extension | Publisher | Installs | Status |
|---|---|---|---|
| ChatGPT - 中文版 | WhenSunset | 1.35M | ⚠️ Still Live |
| ChatMoss (CodeMoss) | zhukunpeng | 150K | ⚠️ Still Live |
Three Hidden Data Channels
On the surface, these extensions behave exactly like any other AI coding tool. You highlight code, ask a question, get a decent answer. Standard autocomplete that reads ~20 lines of context around your cursor. Normal stuff.
But underneath, three separate exfiltration channels are running simultaneously.
The first one watches everything you open. Not just files you interact with — every file you so much as click on. The entire file contents get Base64-encoded and shipped off. Every keystroke captured. If you opened your .env to check a variable name, congratulations — your secrets just left the building.
The second one doesn't even wait for you. The server can remotely trigger a mass file harvest — up to 50 files at a time — without any user interaction at all. You could be making coffee while your codebase gets vacuumed up. There's no prompt, no notification, nothing.
The third one profiles YOU. A hidden zero-pixel iframe (completely invisible) loads four analytics SDKs — Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics — right inside your code editor. The page title literally says "ChatMoss数据埋点" — "ChatMoss Data Tracking." They're building a profile of who you are, where you work, and what matters to you. Then they know whose code is worth stealing.
Profile first, exfiltrate second. That's the playbook.
Why This Should Scare You
Forget theoretical supply chain attacks — this is a real one, happening now, to real developers. Think about what sits in your workspace. Environment files with database credentials. AWS access keys. SSH keys you added "temporarily" six months ago. The business logic for features you haven't launched yet.
All of it accessible. All of it already sent, if you had either extension installed.
What to Do About It
First, the obvious: search your VS Code extensions for whensunset.chatgpt-china and zhukunpeng.chat-moss. If you find either one, uninstall immediately and rotate every credential that was ever in your workspace. Don't just change the ones you think were exposed — assume everything is compromised.
Beyond that, this is a good wake-up call to audit your entire AI tool chain. The VS Code marketplace approved these extensions. They had millions of installs and positive reviews. The vetting process clearly isn't catching this stuff.
Personally, this reinforces why we use CLI-based AI tools at BuildrLab — tools like Claude Code and OpenAI's Codex that operate in a more contained, auditable way. No background monitoring, no invisible iframes, no server-triggered file harvesting. You can see exactly what's being read and sent. IDE extensions, by design, have much broader access to your workspace, and you're trusting the developer not to abuse it.
I'm not saying don't use extensions. I'm saying be deliberate about which ones you trust with access to your entire codebase.
The Uncomfortable Truth
We're in an AI tooling gold rush and everyone's moving fast. That's mostly a good thing — these tools genuinely make developers more productive. But the gap between adoption speed and verification thoroughness is where attacks like this live.
1.5 million developers trusted these extensions because they worked. The marketplace said they were fine. The reviews were positive. And the whole time, their code was being quietly shipped overseas.
The extensions you install today have access to everything you'll build tomorrow. Choose carefully.
IOCs (Indicators of Compromise):
- VS Code extensions:
whensunset.chatgpt-china,zhukunpeng.chat-moss - Domain:
aihao123.cn
Top comments (0)