Two coding‑assistant add‑ons exfiltrate source code and telemetry to China‑based servers, affecting about 1.5m installs.

Two AI‑powered extensions listed on Microsoft’s Visual Studio Code (VS Code) Marketplace have been found exfiltrating developers’ data to China‑based servers, affecting roughly 1.5m installations in total.

The add‑ons, presented as legitimate coding‑assistant tools, quietly upload sensitive project files and user‑behavior telemetry while still providing the advertised AI features, making their malicious behavior harder to detect.

​Security researchers at Koi Security have identified the pair of extensions as part of a campaign for data theft. The extensions operate through three main mechanisms:

  • First, they monitor files opened in VS Code and send full file contents — encoded in Base64 — to attacker‑controlled infrastructure as soon as a file is accessed, not just when edited.
  • Second, they can execute a server‑driven command that silently pulls up to 50 additional files from the workspace on demand, expanding the scope of exposed code and configuration assets.
  • Third, the extensions embed a zero‑pixel iframe inside their webview to load four commercial analytics SDKs — Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics — which track user actions, build device fingerprints, and profile developer behavior within the editor. This combination exposes not only source code but also configuration files, cloud‑service credentials, and environment variables such as .env files containing API keys and secrets. The publishers of the malicious extensions do not disclose this upload behavior or seek explicit consent, violating transparency expectations for marketplace‑listed tools.

​The VS Code Marketplace has become a prime vector for such attacks because AI‑assistant extensions are now among the most popular categories, and are often granted broad workspace access.

Microsoft has since acknowledged the report and stated it was investigating, and would act according to its internal policies, although the extensions have already amassed a large install base. The episode underscores the need for stricter vetting, clearer permission prompts, and more granular telemetry controls for AI‑powered developer extensions.