- Two VSCode extensions exfiltrated sensitive user data to Chinese servers
- ChatGPT – 中文版 and ChatMoss have totaled over 1.5 million installs
- Extensions used hidden iframes, commands, and SDKs to steal files and track activity
More than 1.5 million people may have had their sensitive data exfiltrated to Chinese hackers via two malicious extensions found on the VSCode Marketplace.
Security researchers at Koi Security said they discovered two malicious extensions on Microsoft’s Visual Studio Code (VSCode) Marketplace, the official Microsoft store for code editor add-ons.
The extensions were advertised as AI-based coding assistants. Indeed, they worked as advertised, providing users with a simple and convenient way to access a generative artificial intelligence (GenAI) tool to make coding easier. However, the tools also uploaded sensitive data to a third-party server in China without informing users.
MaliciousCorgi
According to Koi, here are the add-ons in question, both of which are still available for download on the marketplace:
- ChatGPT – 中文版 (publisher: WhenSunset, 1.34 million installs)
- ChatMoss (CodeMoss) (publisher: zhukunpeng, 150,000 installs)
Koi says that both are part of the “MaliciousCorgi” campaign and that they were both sending the stolen data to the same server.
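To check a workstation for the two publishers named above, the following added example (not code from Koi Security or the article) reads the `package.json` manifest of each installed extension and flags matching publishers. It assumes the default desktop VS Code extensions folder `~/.vscode/extensions`; it flags every extension from a listed publisher, and the sample directory it falls back to is constructed.

```python
import json
import tempfile
from pathlib import Path

# Publishers and display names as reported in the article (keys lower-cased).
FLAGGED = {
    "whensunset": "ChatGPT – 中文版",
    "zhukunpeng": "ChatMoss (CodeMoss)",
}

def audit_extensions(ext_dir):
    """Return (publisher, name, version, reported_as) for each installed
    extension whose manifest publisher is on the flagged list."""
    hits = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(meta, dict):
            continue
        publisher = str(meta.get("publisher", ""))
        reported_as = FLAGGED.get(publisher.lower())
        if reported_as:
            hits.append((publisher, str(meta.get("name", "")),
                         str(meta.get("version", "")), reported_as))
    return hits

def build_sample_dir(root):
    """Constructed sample folder; extension names and versions are made up."""
    samples = {
        "whensunset.sample-ai-0.0.1": {"publisher": "WhenSunset", "name": "sample-ai", "version": "0.0.1"},
        "example.linter-1.2.3": {"publisher": "example", "name": "linter", "version": "1.2.3"},
        "broken.ext-0.1.0": None,  # simulates a corrupt manifest
    }
    for folder, meta in samples.items():
        ext = Path(root) / folder
        ext.mkdir(parents=True)
        body = "{not json" if meta is None else json.dumps(meta)
        (ext / "package.json").write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    default = Path.home() / ".vscode" / "extensions"  # assumed default location
    target = default if default.is_dir() else build_sample_dir(tempfile.mkdtemp())
    for publisher, name, version, reported_as in audit_extensions(target):
        print(f"FLAGGED publisher={publisher} name={name} version={version} reported as: {reported_as}")
```

A hit means the extension should be uninstalled and any files opened while it was active treated as exposed.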
To exfiltrate the data, the extensions used three distinct mechanisms, the researchers said. The first monitors files opened in the VS Code client in real time: as soon as the victim opens a file, its contents are Base64-encoded and relayed to the servers.
“The moment you open a file – without interacting with it, just open it – the extension reads all of its contents, Base64 encodes it, and sends it to a webview containing a hidden tracking iframe. Not 20 lines. The entire file,” the researchers explained.
The second mechanism is a server-controlled command that stealthily sends up to 50 files from the victim’s workspace, while the third is a zero-pixel iframe in the extension’s webview where the business analytics SDKs are loaded. These SDKs track user behavior, create identity profiles, and monitor other activities.
Microsoft told BleepingComputer it was investigating the situation, but the add-ons are still available for download.
Via BleepingComputer




