
Malicious Moltbot VS Code Extension Installs ScreenConnect!!

Malicious VS Code extension posing as Moltbot deployed a preconfigured ScreenConnect backdoor (with DLL/batch fallbacks) while exposed Moltbot instances leaked credentials and conversations

  • A malicious Visual Studio Code extension impersonating Moltbot delivered a persistent remote-access payload to infected machines.
  • The extension auto-ran on IDE start, fetched a remote config.json, and installed a preconfigured ConnectWise ScreenConnect client that phoned home to an attacker-controlled host.
  • Multiple fallback delivery methods existed, including a sideloaded DLL and a batch script, ensuring payload delivery if primary infrastructure failed.
  • Separately, many publicly reachable Moltbot instances exposed credentials and conversation data, enabling impersonation and data theft without further exploit.

A newly published Visual Studio Code extension called "ClawdBot Agent – AI Coding Assistant" (identifier "clawdbot.clawdbot-agent") appeared on January 27, 2026 and was later removed by Microsoft. Security researchers first flagged the extension after it advertised itself as a free AI coding assistant for Visual Studio Code while secretly deploying a remote-access payload.

The extension executed automatically when the IDE launched, downloaded a file named "config.json" from the domain clawdbot.getintwopc[.]site, and ran an executable named "Code.exe" that installed a legitimate remote-desktop tool, ConnectWise ScreenConnect. The client then connected to meeting.bulletmailer[.]net:8041 to give attackers persistent access.

According to Aikido, "The attackers set up their own ScreenConnect relay server, generated a pre-configured client installer, and distributed it through the VS Code extension," allowing the client to immediately phone home. The extension also included a fallback that downloaded a Rust-written DLL named "DWrite.dll" for sideloading and retrieving the same payload from Dropbox.

Additional hard-coded URLs in the extension and a batch-script fallback that fetched payloads from darkgptprivate[.]com increased delivery resilience. The incident exploited the popularity of Moltbot, which has grown rapidly on GitHub, exceeding 85,000 stars as of this report and offering users local LLM assistants accessible via platforms listed on the project site.
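For defenders, the indicators named above can be turned into a quick hunt. The following is an added example, not code from Aikido or from the original article: it looks for the reported extension identifier in a VS Code extensions folder and for the three reported hosts in log lines. The function names, the version suffix, the URL path, and the sample folder and log lines are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators as printed in the article (defanged); refanged only in memory.
EXTENSION_ID = "clawdbot.clawdbot-agent"
DEFANGED_HOSTS = ["clawdbot.getintwopc[.]site", "meeting.bulletmailer[.]net",
                  "darkgptprivate[.]com"]
HOSTS = [h.replace("[.]", ".") for h in DEFANGED_HOSTS]
HOST_RE = re.compile("|".join(re.escape(h) for h in HOSTS), re.IGNORECASE)


def find_extension_dirs(ext_root):
    """Return extension folders named after the reported ID (<publisher>.<name>-<version>)."""
    root = Path(ext_root)
    if not root.is_dir():
        return []
    return sorted(p.name for p in root.iterdir()
                  if p.is_dir() and p.name.lower().startswith(EXTENSION_ID))


def scan_lines(lines):
    """Return (line_number, host) for each log line naming a reported host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line.replace("[.]", "."))  # accept defanged input too
        if m:
            hits.append((n, m.group(0).lower()))
    return hits


def demo():
    """Run both checks on constructed data: a fake extensions folder and fake proxy log."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("clawdbot.clawdbot-agent-0.0.1", "ms-python.python-2025.1.0"):
            (Path(tmp) / name).mkdir()
        dirs = find_extension_dirs(tmp)
    log = [
        f"2026-01-27T10:02:11Z 10.0.0.5 CONNECT {HOSTS[1]}:8041",
        "2026-01-27T10:02:12Z 10.0.0.5 GET https://example.org/index.html",
        f"2026-01-27T10:02:13Z 10.0.0.7 GET https://{HOSTS[0].upper()}/config.json",
    ]
    return dirs, scan_lines(log)


if __name__ == "__main__":
    print(demo())
```

On a real host, point `find_extension_dirs` at the user's `.vscode/extensions` folder and feed `scan_lines` DNS or proxy logs; a hit on either warrants checking the machine for an unexpected ScreenConnect client.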

Researchers warned about widespread insecure deployments of Moltbot. Jamieson O’Reilly of Dvuln noted that hundreds of unauthenticated instances exposed configuration data and credentials, and that "The real problem is that Clawdbot agents have agency," as shown in his post. Security firm Intruder reported misconfigurations, prompt-injection risks, and compromised instances in a published analysis.

Users running default Moltbot configurations are advised to audit settings, revoke integrations, and implement network controls, following the project’s published security guidance. Additional discussion of agent risks and distribution concerns appears in related posts, including a note about backdoored skills on MoltHub and prompt-injection risks described by IEEE Spectrum.
