Cybersecurity researchers have found two malicious Microsoft Visual Studio Code (VS Code) extensions. These extensions are marketed as AI-powered coding assistants, but they also contain hidden features that allow developer data to be siphoned to servers located in China.

The extensions can still be downloaded from the official Visual Studio Marketplace and have a total of 1.5 million installs: 1,340,869 installs of ChatGPT (ID: whensunset.chatgpt-china) and 151,751 installs of ChatMoss (ID: zhukunpeng.chat-moss).

According to Koi Security, the extensions are functional and perform as intended, but they also capture every file that is opened and every source code modification and send them to servers in China without the users' knowledge or consent. MaliciousCorgi is the code name for the campaign.

"Both contain identical malicious code -- the same spyware infrastructure running under different publisher names," stated Tuval Admoni, a security expert. The fact that the extensions function precisely as promised—offering autocomplete suggestions and clarifying coding errors—makes the activity especially risky. This prevents any red flags from being raised and lowers users' suspicions.

At the same time, the embedded malicious code is designed to read every file that is opened, encode it in Base64 format, and send it to a Chinese server ("aihao123[.]cn"). Every edit initiates the process. Additionally, the extensions include a real-time monitoring feature that allows the server to remotely trigger the exfiltration of up to 50 files in the workspace.
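To check a workstation for the two extension IDs reported above, the following added example (not code from Koi Security or from the extensions) matches them against extension folder names or `code --list-extensions --show-versions` output. The default `~/.vscode/extensions` path and the sample entries are assumptions; the sample version numbers are constructed.

```python
import re
from pathlib import Path

# Extension IDs named in this article (MaliciousCorgi campaign).
FLAGGED_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}

# Folder form: <publisher>.<name>-<version>[-<platform>]. Names may contain
# hyphens ("chat-moss"), so split at the first "-N.N.N" run, not the last "-".
_FOLDER = re.compile(r"^(?P<id>[^.\s]+\.\S+?)-(?P<ver>\d+\.\d+\.\d+\S*)$")

def parse_entry(entry):
    """Return (id, version) from a folder name, an 'id@version' line, or a bare ID."""
    entry = entry.strip()
    if "@" in entry:
        ext_id, _, ver = entry.partition("@")
        return ext_id.lower(), ver
    m = _FOLDER.match(entry)
    if m:
        return m.group("id").lower(), m.group("ver")
    return entry.lower(), ""

def find_flagged(entries):
    """Return (entry, id, version) for each flagged entry; IDs compare case-insensitively."""
    hits = []
    for entry in entries:
        ext_id, ver = parse_entry(entry)
        if ext_id in FLAGGED_IDS:
            hits.append((entry.strip(), ext_id, ver))
    return hits

def scan_extensions_dir(root=None):
    """Check folder names under an extensions directory (default ~/.vscode/extensions)."""
    root = Path(root) if root else Path.home() / ".vscode" / "extensions"
    if not root.is_dir():
        return []
    return find_flagged(p.name for p in root.iterdir() if p.is_dir())

# Constructed sample input; the version numbers are made up for illustration.
SAMPLE = [
    "ms-python.python-2024.2.1",
    "WhenSunset.chatgpt-china-1.2.3",
    "zhukunpeng.chat-moss@4.5.6",
    "example.chat-moss-helper-0.1.0-linux-x64",
]

if __name__ == "__main__":
    for entry, ext_id, ver in find_flagged(SAMPLE) + scan_extensions_dir():
        print(f"FLAGGED {ext_id} version={ver or '?'} ({entry})")
```

A hit means the extension is or was installed; files opened or edited while it was active should be treated as disclosed.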

A hidden zero-pixel iframe that loads four commercial analytics software development kits (SDKs) to fingerprint the devices and generate comprehensive user profiles is also included in the extension's web view. Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics, all significant Chinese data analytics platforms, are the four SDKs utilized.

## JavaScript Package Managers Are Affected by PackageGate Issues

The disclosure comes as the supply chain security company said it identified six zero-day vulnerabilities in JavaScript package managers like npm, pnpm, vlt, and Bun that could be exploited to defeat security controls put in place to skip the automatic execution of lifecycle scripts during package installation.

PackageGate is the collective name for the defects.

Defenses like committing lockfiles ("package-lock.json") and disabling lifecycle scripts ("--ignore-scripts") have become essential tools to combat supply chain attacks, particularly in the wake of Shai-Hulud, which uses postinstall scripts to propagate like a worm in order to steal npm tokens and publish malicious versions of the packages to the registry. Nevertheless, Koi discovered that both the lockfile integrity checks and the controls that block script execution can be circumvented in all four package managers. The problems have been fixed in pnpm (version 10.26.0), vlt (version 1.0.0-rc.10), and Bun (version 1.3.5) following responsible disclosure.

pnpm is tracking the two vulnerabilities as CVE-2025-69264 (CVSS score: 8.8) and CVE-2025-69263 (CVSS score: 7.5).

However, npm has decided not to address the vulnerability, citing the fact that "users are responsible for vetting the content of packages that they choose to install." The Hacker News has contacted npm/GitHub for additional comment, and we will update the story if we hear back.

"The standard advice, disable scripts and commit your lockfiles, is still worth following," stated security researcher Oren Yomtov.

However, it's not the whole picture. Organizations must make their own well-informed risk decisions until PackageGate is completely resolved.