- Severity
- critical
- Records
- 1,500,000
- Vector
- Supply Chain — malicious VS Code marketplace extensions
- Organization
- Multiple Organizations
- Incident Date
- 2026-01-15
What Happened
Security researchers discovered two malicious Visual Studio Code extensions—ChatMoss and ChatGPT中文版 (ChatGPT Chinese Version)—with a combined 1.5 million installations were systematically exfiltrating source code, API keys, and proprietary algorithms to servers in China while functioning as legitimate AI coding assistants.
Incident overview
| Attribute | Details |
|---|
| Extensions | ChatMoss, ChatGPT中文版 |
| Combined installs | 1,500,000 |
| Data destination | China-based servers |
| Disguise | AI coding assistants |
| Attack type | Supply chain / data exfiltration |
| Discovery | February 2026 |
| Affected | Developers across enterprise, startup, open-source |
Malicious extensions
ChatMoss
| Attribute | Details |
|---|
| Function | AI coding assistant |
| Installs | ~750,000 (estimated) |
| Behavior | Code exfiltration, behavioral tracking |
ChatGPT中文版
| Attribute | Details |
|---|
| Function | Chinese-language ChatGPT integration |
| Installs | ~750,000 (estimated) |
| Target audience | Chinese-speaking developers |
| Behavior | Code exfiltration, analytics collection |
Data exfiltration methods
Three-channel architecture
| Channel | Purpose |
|---|
| Code context | Autocomplete sends code to external servers |
| Analytics tracking | Zero-pixel iframe loads Chinese analytics |
| File access | Direct exfiltration of source files |
| Platform | Type |
|---|
| Zhuge.io | Chinese analytics |
| GrowingIO | Chinese analytics |
| TalkingData | Chinese analytics |
| Baidu Analytics | Chinese analytics |
The extensions embedded a “ChatMoss Data Tracking” interface that profiled developer behavior, device fingerprints, and workspace activity.
Data stolen
Source code
| Data type | Status |
|---|
| Code snippets | Exfiltrated |
| Complete files | Exfiltrated |
| Proprietary algorithms | Exfiltrated |
| Project structures | Exfiltrated |
Credentials
| Data type | Status |
|---|
| API keys | Exfiltrated |
| Authentication tokens | Exfiltrated |
| Environment variables | Potentially exposed |
| Secrets in code | Exfiltrated |
Behavioral data
| Data type | Status |
|---|
| Device fingerprints | Collected |
| Workspace activity | Tracked |
| Coding patterns | Profiled |
| Project metadata | Collected |
Attack sophistication
Blended functionality
| Aspect | Implementation |
|---|
| Legitimate features | Working AI autocomplete |
| Malicious features | Data exfiltration |
| Detection evasion | Useful functionality masks theft |
The three-channel architecture indicates deliberate strategy to maximize data capture while avoiding detection by providing genuine value to users.
Impact assessment
Scope
| Factor | Assessment |
|---|
| Installations | 1.5 million |
| Organizations affected | Thousands |
| Data exposure | Source code, secrets, credentials |
| Investigation timeline | Months required |
Affected environments
| Environment | Risk |
|---|
| Enterprise | Proprietary code exposure |
| Startups | IP theft |
| Open source | Contributor credential theft |
| Individual developers | Personal project exposure |
VS Code marketplace trends
Growing threat
| Year | Malicious extensions detected |
|---|
| 2024 | 27 |
| 2025 (Jan-Oct) | 105 |
| 2026 | Trend continuing |
ReversingLabs noted a steady rise in suspicious uploads to the VS Code Marketplace throughout 2025.
| Priority | Action |
|---|
| Critical | Remove ChatMoss and ChatGPT中文版 extensions |
| Critical | Rotate all API keys and tokens |
| Critical | Audit repository access logs |
| High | Scan for China-based network connections |
| High | Review code for exposed secrets |
Credential rotation
| Credential type | Action |
|---|
| Cloud API keys | Regenerate immediately |
| Database credentials | Rotate |
| Service tokens | Revoke and reissue |
| SSH keys | Consider regeneration |
Network monitoring
| Indicator | Action |
|---|
| Connections to Chinese IPs | Block and investigate |
| Unusual outbound data | Alert and analyze |
| Extension network activity | Monitor all extensions |
Recommendations
For developers
| Priority | Action |
|---|
| Critical | Audit installed VS Code extensions |
| Critical | Remove extensions with suspicious permissions |
| High | Review extension publishers before install |
| High | Limit extension network access where possible |
| Medium | Use enterprise-approved extension lists |
For organizations
| Priority | Action |
|---|
| Critical | Inventory all developer tool extensions |
| Critical | Implement extension allowlisting |
| High | Deploy network monitoring for dev environments |
| High | Conduct forensic analysis of affected systems |
| Medium | Establish extension security review process |
For the industry
| Priority | Action |
|---|
| High | Improve marketplace security scanning |
| High | Require publisher verification |
| Medium | Implement extension permission transparency |
| Medium | Enable network activity visibility |
Context
This incident represents a sophisticated supply chain attack targeting the developer community at scale. By embedding data theft within genuinely useful AI coding assistants, the attackers achieved 1.5 million installations before detection.
The use of multiple Chinese analytics platforms and the “ChatMoss Data Tracking” interface suggests organized, deliberate data collection rather than opportunistic theft. The three-channel exfiltration architecture indicates significant development investment in avoiding detection.
For affected organizations, forensic investigation will require months to determine what proprietary code and credentials were exposed. The 1.5 million installation count means thousands of organizations across enterprise, startup, and open-source environments may have had sensitive data exfiltrated.
The broader trend is concerning: malicious VS Code extension detections increased nearly 4x from 2024 to 2025. As AI coding assistants become ubiquitous, they present an attractive attack vector—developers grant these tools deep access to their codebases, creating significant exposure if the tools are compromised.
Microsoft has intensified marketplace enforcement, but the fundamental challenge remains: useful functionality can mask malicious behavior, and developers tend to trust tools that improve their productivity. Defense requires both platform-level controls and developer awareness of supply chain risks.
