Two AI coding extensions in the Visual Studio Marketplace are harvesting source code from 1.5 million developers while operating as fully functional tools—a supply chain attack that weaponizes legitimate functionality as cover.
Koi Security researchers identified the campaign, dubbed MaliciousCorgi, in extensions ChatGPT - 中文版 (1.34 million installs, publisher WhenSunset) and ChatMoss/CodeMoss (151,000 installs, publisher zhukunpeng). Both extensions deliver working AI autocomplete and code explanations. Both also exfiltrate data through three parallel mechanisms that operate beyond what's functionally necessary.
The technical breakdown
Real-time monitoring: Every file opened triggers immediate Base64 encoding and transmission of complete file contents—not the ~20 lines of context legitimate AI tools use for autocomplete. The same trigger fires on every edit.
Remote-controlled harvesting: The server can trigger mass file collection without user interaction. When the server sends {"type": "getFilesList"} via a response field the extension parses as JSON, it harvests up to 50 files on command. Users see nothing.
Developer profiling: A hidden zero-pixel iframe loads four Chinese analytics SDKs (Zhuge.io, GrowingIO, TalkingData, Baidu Analytics) to fingerprint devices and build activity profiles. The receiving page is titled "ChatMoss数据埋点"—literally "ChatMoss Data Tracking."
All exfiltrated data flows to aihao123.cn infrastructure in China.
What this means in practice
Both extensions share identical malicious code despite different publishers, indicating coordinated operation. The profiling layer suggests selective targeting: build intelligence on which developers possess valuable IP, then trigger remote harvesting for high-value targets.
The extensions were still available for download when Koi published its findings on January 22. Microsoft's response timeline is unclear.
The detection problem
These extensions pass functional testing because they work exactly as advertised. Detection requires code-level analysis of manifest permissions (file system access, network requests) and runtime behavior—capabilities most enterprises lack for developer tooling.
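A triage check for the indicators named in this article, as an added example (not code from Koi Security or from the extensions themselves): it scans an extensions folder for the two publisher names, the aihao123.cn domain and the getFilesList command string. The default path `~/.vscode/extensions`, the scanned file suffixes and the severity labels are assumptions; a getFilesList match on its own only warrants manual review.

```python
import json
import sys
from pathlib import Path

# Indicators taken from the article; all matching is case-insensitive.
PUBLISHERS = {"whensunset", "zhukunpeng"}
STRINGS = {
    "aihao123.cn": "high",      # exfiltration infrastructure
    "getFilesList": "review",   # server command name; can collide with benign code
}
SCAN_SUFFIXES = {".js", ".cjs", ".mjs", ".json", ".html"}  # assumed set of text assets

def scan_extension(ext_dir: Path) -> list:
    """Return (severity, indicator, relative_path) tuples for one extension folder."""
    hits = []
    try:
        meta = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        publisher = str(meta.get("publisher", "")) if isinstance(meta, dict) else ""
    except (OSError, ValueError):
        publisher = ""  # missing or malformed manifest: rely on the string scan
    if publisher.lower() in PUBLISHERS:
        hits.append(("high", f"publisher={publisher}", "package.json"))
    for path in sorted(ext_dir.rglob("*")):
        if path.suffix.lower() not in SCAN_SUFFIXES or not path.is_file():
            continue
        try:
            data = path.read_bytes().lower()
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for needle, severity in STRINGS.items():
            if needle.lower().encode() in data:
                hits.append((severity, needle, path.relative_to(ext_dir).as_posix()))
    return hits

def scan_extensions(root: Path) -> dict:
    """Scan every extension folder under root; return only folders with hits."""
    dirs = sorted(p for p in root.iterdir() if p.is_dir()) if root.is_dir() else []
    found = {d.name: scan_extension(d) for d in dirs}
    return {name: hits for name, hits in found.items() if hits}

if __name__ == "__main__":
    # Per-user VS Code extension folder by default; pass another path as argv[1].
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".vscode" / "extensions"
    for name, hits in scan_extensions(root).items():
        for severity, indicator, where in hits:
            print(f"{severity:6} {name}: {indicator} ({where})")
```

A clean result only means these static strings are absent from the installed files; it says nothing about runtime behavior or about other extensions using different infrastructure.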
Worth noting: GitHub Copilot and similar legitimate tools do read code context. What makes the behavior here malicious is its scope (entire files vs. cursor context), its frequency (every open/edit vs. active typing), and the undisclosed analytics infrastructure.
The real question is how many other extensions are running similar operations under cover of legitimate functionality. The marketplace's 1.5 million victims suggest the answer isn't zero.