- Two malicious Visual Studio Code extensions with about 1.5 million installs exfiltrate source files to a China-based server.
- The extensions work as advertised while encoding and sending file contents on every edit and can be remotely triggered to steal up to 50 files.
- The campaign uses four Chinese analytics SDKs to fingerprint users and appears under different publisher names but identical malicious code.
- Separately, six zero-day flaws named PackageGate affect JavaScript managers; fixes are available for pnpm, vlt, and Bun, while npm declined to apply a fix.
Researchers on Koi Security disclosed two malicious Microsoft Visual Studio Code (VS Code) extensions on Jan 26, 2026 that silently send developer files to a China-based server hosted at aihao123[.]cn. The extensions remain available on the Visual Studio Marketplace and together have about 1.5 million installs.
The extensions — ChatGPT – 中文版 (whensunset.chatgpt-china) and ChatGPT – ChatMoss(CodeMoss)(zhukunpeng.chat-moss) — provide expected AI coding features while also reading every opened file, Base64-encoding content, and sending it to the remote server on each edit. Security researcher Tuval Admoni said “Both contain identical malicious code — the same spyware infrastructure running under different publisher names,” describing identical spyware in both extensions.
The spyware includes a remote-triggered monitoring mode that can exfiltrate up to 50 workspace files and hides a zero-pixel iframe in the extension web view. That iframe loads four analytics SDKs — Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics — to fingerprint devices and build profiles.
In a separate disclosure, Koi Security reported six zero-day flaws called PackageGate that let attackers bypass protections in JavaScript managers such as npm, pnpm, vlt, and Bun. The issues undermine defenses like disabling lifecycle scripts and committed lockfiles, measures reinforced after Shai-Hulud.
Fixes are released for pnpm (v10.26.0), vlt (v1.0.0-rc.10), and Bun (v1.3.5); advisories for pnpm appear at CVE-2025-69264 (CVSS 8.8) and CVE-2025-69263 (CVSS 7.5). npm declined to apply a fix, stating “users are responsible for vetting the content of packages that they choose to install.” The company also noted, “If a package being installed through git contains a prepare script, its dependencies and devDependencies will be installed. As we shared when the ticket was filed, this is an intentional design and works as expected,” while GitHub said it is working to address the issue.
Security guidance to adopt trusted publishing and granular tokens appears at Malware-campaign/”>GitHub. Researcher Oren Yomtov added, “The standard advice, disable scripts and commit your lockfiles, is still worth following. But it’s not the complete picture. Until PackageGate is fully addressed, organizations need to make their own informed choices about risk.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- BRICS CBDCs and Pay Systems Deal Major Blow to Dollar Now!!!
- Global banks ramp into tokenization and stablecoins in 2026.
- Nvidia Launches Earth-2 AI for 15-Day Weather Forecasts Now!
- Gold Silver Surge to Records as Bitcoin Stalls and Fed Looms
- Gold Tops $5,100 as Traders Favor It Over Ethereum amid risk
