VS Code and Browser Extension Malware Targets Developers Through AI Tools and Stanley Kit

Du'aine Davis · 2026-01-27T11:39:23+00:00

Observed in the wild * MaliciousCorgi, a campaign discovered in January 2025, deployed malicious VS Code extensions disguised as AI coding assistants (including "ChatGPT – 中文版" and "ChatMoss (CodeMoss)") that infected approximately 1.5 million developers globally. Separately, the Stanley malware kit has been active since…

Du'aine Davis

Observed in the wild

MaliciousCorgi, a campaign discovered in January 2025, deployed malicious VS Code extensions disguised as AI coding assistants (including "ChatGPT – 中文版" and "ChatMoss (CodeMoss)") that infected approximately 1.5 million developers globally. Separately, the Stanley malware kit has been active since 2023, targeting developers through trojanised extensions. Both campaigns exfiltrated sensitive data including authentication tokens, cookies, session credentials, clipboard contents, and source code from platforms like GitHub, GitLab, and AWS.
MaliciousCorgi extensions masqueraded as legitimate AI productivity tools on Chrome Web Store and Edge Add-ons, using obfuscated JavaScript to steal credentials and inject malicious code into GitHub repositories for supply chain attacks. Stanley operators employed phishing sites mimicking legitimate services, SEO poisoning, and malvertising to distribute extensions that captured keystrokes, screenshots, and credential data. Both campaigns utilised command-and-control infrastructure to exfiltrate stolen data to attacker-controlled servers.
Organisations should audit, restrict, and continuously monitor both VS Code extensions and browser extensions, as each represents a viable attack surface. Particular attention should be paid to AI‑themed coding tools and productivity add‑ons across both platforms. Enable Microsoft Defender browser extension controls and SmartScreen filtering to limit exposure to malicious or untrusted extensions. Enforce application control policies to prevent unauthorised extension installation in development environments and browsers alike. Monitor for anomalous authentication behaviour, unauthorised repository access, and data exfiltration attempts.

Malicious VS Code AI Extensions Harvesting Code from 1.5M Devs

Stanley — A $6,000 Russian Malware Toolkit with Chrome Web Store Guarantee

Find more posts tagged with

Threat Landscape

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

Du'aine Davis

Malicious “AI Assistant” Extensions Target 260k Chrome Users

Observed in the wild

In a coordinated campaign disclosed in February, over 30 malicious Chrome extensions masquerading as AI assistants impacted 260,000+ users. Some were even Featured in the Chrome Web Store, increasing trust and adoption. Enterprise users were particularly exposed due to access to authenticated internal and Gmail content.
A single threat actor used extension spraying and remote iframe injection, embedding full‑screen iframes controlled by attacker servers (tapnetic[.]pro). Core logic executed remotely, enabling silent capability changes post‑installation. Extensions extracted web page and Gmail content, enabled voice capture, and exfiltrated data via consistent C2 infrastructure, evading store‑based review and takedowns.
Organisations are advised to audit and restrict browser extensions via policy, prioritising those loading remote iframes or mutable backends. Using Microsoft Defender for Endpoint, monitor suspicious extension network traffic, DOM injection into Gmail, and anomalous data exfiltration.

“AiFrame”- Fake AI Assistant Extensions Targeting 260,000 Chrome Users via injected iframes - LayerX

Du'aine Davis

Vulnerabilities in Four Popular VS Code Extension Expose Developer Endpoints

Observed in the wild

In February, OX Security identified four vulnerabilities in widely trusted VS Code IDE extensions (Live Server, Code Runner, Markdown Preview Enhanced and Microsoft Live Preview), impacting 120M+ installations. Developers and organisations using VS Code‑based IDEs (including Cursor and Windsurf) were exposed to local file theft, code execution and lateral movement, turning developer endpoints into a supply‑chain weak point.
The attack paths rely on malicious webpages, crafted Markdown files, or social‑engineering that abuse extensions’ over‑permissive access to localhost, files and configuration settings. Exploitation requires no malicious extension, only a flaw in a legitimate one, enabling file exfiltration, JavaScript execution, port scanning and RCE, often triggered by a single click or preview action.
Organisations are advised to remove or update vulnerable extensions, enforcing strict extension allow‑listing, and monitoring developer endpoints as high‑risk assets. Organisations should also ensure Defender for Endpoint is enabled on developer devices, with detections tuned to identify suspicious localhost communications, abnormal child processes spawned by VS Code, and unexpected file access or data exfiltration.

IDE Extension Vulnerabilities Expose Massive Security Blind Spot

Du'aine Davis

See what's trending

Click on a tag to discover all the published content related to it.