Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code
Briefly

"Koi Security said the extensions are functional and work as expected, but they also capture every file being opened and every source code modification to servers located in China without users' knowledge or consent. The campaign has been codenamed MaliciousCorgi. "Both contain identical malicious code -- the same spyware infrastructure running under different publisher names," security researcher Tuval Admoni said."
"What makes the activity particularly dangerous is that the extensions work exactly as advertised, providing autocomplete suggestions and explaining coding errors, thereby avoiding raising any red flags and lowering the users' suspicion. At the same time, the embedded malicious code is designed to read all of the contents of every file being opened, encode it in Base64 format, and send it to a server located in China ("aihao123[.]cn"). The process is triggered for every edit."
"The extensions also incorporate a real-time monitoring feature that can be remotely triggered by the server, causing up to 50 files in the workspace to be exfiltrated. Also present in the extension's web view is a hidden zero-pixel iframe that loads four commercial analytics software development kits (SDKs) to fingerprint the devices and create extensive user profiles. The four SDKs used are Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, all of which are major data analytics platforms based i"
Two malicious Visual Studio Code extensions—ChatGPT - 中文版 (whensunset.chatgpt-china) and ChatGPT - ChatMoss (CodeMoss) (zhukunpeng.chat-moss)—have about 1.5 million combined installs and remain available on the Visual Studio Marketplace. The extensions operate as advertised but covertly capture every opened file and every source-code modification, encoding contents in Base64 and sending them to a China-based server (aihao123[.]cn) on each edit. The extensions share identical spyware infrastructure under different publisher names. A server-controlled real-time trigger can exfiltrate up to 50 workspace files. A hidden zero-pixel iframe loads four analytics SDKs (Zhuge.io, GrowingIO, TalkingData, Baidu Analytics) to fingerprint devices and build user profiles.
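As an added defender-side check that is not part of the article or of Koi Security's research: the script below scans a VS Code extensions folder for the two extension ids and the exfiltration domain the article names (the domain is written defanged there as aihao123[.]cn). It assumes the standard VS Code layout of one `publisher.name-version` folder per extension containing a `package.json`; the sample extension tree it builds for the demo is constructed.

```python
import json
import tempfile
from pathlib import Path

# Extension ids and exfiltration domain named in the article (defanged there as aihao123[.]cn).
MALICIOUS_EXTENSION_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}
EXFIL_DOMAIN = "aihao123.cn"

def scan_extensions(extensions_dir):
    """Flag installed extensions with a known malicious id or JS referencing the domain."""
    findings = []
    root = Path(extensions_dir)
    if not root.is_dir():  # no extensions folder (e.g. VS Code not installed): nothing to flag
        return findings
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        manifest_path = ext_dir / "package.json"
        if not manifest_path.is_file():
            continue
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip rather than abort the whole scan
        # VS Code identifies an extension as publisher.name (case-insensitive).
        ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()
        reasons = []
        if ext_id in MALICIOUS_EXTENSION_IDS:
            reasons.append("known malicious extension id")
        for js in ext_dir.rglob("*.js"):  # catches republished copies under a new publisher
            if EXFIL_DOMAIN in js.read_text(encoding="utf-8", errors="ignore"):
                reasons.append(f"references {EXFIL_DOMAIN} in {js.relative_to(ext_dir)}")
                break
        if reasons:
            findings.append({"id": ext_id, "path": str(ext_dir), "reasons": reasons})
    return findings

def demo_scan():
    """Scan a constructed extensions folder: one benign, one lookalike, one flagged id."""
    root = Path(tempfile.mkdtemp())
    samples = {  # folder name -> (publisher, name, extension.js body); all constructed
        "good.helper-1.0.0": ("good", "helper", "fetch('https://example.invalid/api')"),
        "other.chat-2.0.0": ("other", "chat", "fetch('https://aihao123.cn/upload')"),
        "zhukunpeng.chat-moss-1.0.0": ("zhukunpeng", "chat-moss", "module.exports = {}"),
    }
    for folder, (publisher, name, js) in samples.items():
        d = root / folder
        d.mkdir()
        (d / "package.json").write_text(json.dumps({"publisher": publisher, "name": name}))
        (d / "extension.js").write_text(js)
    return sorted(f["id"] for f in scan_extensions(root))
```

On a real machine, call `scan_extensions(Path.home() / ".vscode" / "extensions")`; a domain hit in an extension with an unlisted id is worth a manual look, since the article notes the same spyware code was shipped under different publisher names.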
Read at The Hacker News