The discovery of a new malicious VS Code extension is another reminder that developer tools, especially AI-driven ones, are increasingly being abused by attackers. Security researchers recently uncovered a fake Moltbot VS Code extension malware campaign that made its way into Microsoft’s official Visual Studio Code Marketplace, quietly turning a supposed AI coding assistant into a backdoor.
At first glance, the extension appeared to be tied to Moltbot, also known as Clawdbot, and promised developers a free AI-powered coding experience. In reality, the Moltbot AI coding assistant malware installed a remote access component that allowed attackers to maintain long-term control over infected machines. Although Microsoft has removed the extension, the incident raises serious concerns about how much trust developers place in official extension marketplaces.
Turning Moltbot’s Popularity Into a VS Code Marketplace Supply Chain Attack
Moltbot’s rapid rise made it an easy target. The open-source project recently surpassed 85,000 stars on GitHub, attracting developers interested in running local AI agents. Built by Austrian developer Peter Steinberger, Moltbot allows users to operate a personal AI assistant and connect it with services such as WhatsApp, Telegram, Slack, Discord, Signal, Microsoft Teams, and iMessage.
What’s critical to understand is that Moltbot does not have an official Visual Studio Code extension. Attackers exploited that absence by publishing a fake extension called “ClawdBot Agent – AI Coding Assistant” (clawdbot.clawdbot-agent) on January 27, 2026. By copying familiar branding and positioning it as a productivity tool, the attackers successfully carried out a VS Code Marketplace supply chain attack without raising immediate suspicion.
This tactic reflects a broader trend: attackers increasingly impersonate popular open-source projects to reach highly trusted development environments.
How the Malicious VS Code Extension Operates Behind the Scenes
Once installed, the Clawdbot VS Code malware embeds itself into the normal development workflow. It automatically executes every time Visual Studio Code starts, ensuring persistence without requiring any additional user interaction.
The extension reaches out to an external server (clawdbot.getintwopc[.]site) to download a config.json file that dictates the next stage of execution. That configuration launches Code.exe, which installs ConnectWise ScreenConnect, a legitimate remote desktop tool widely used by IT support teams.
From a defender’s perspective, this is particularly dangerous. Because ScreenConnect is trusted software, its presence often doesn’t trigger alarms. Once installed, the client connects to meeting.bulletmailer[.]net:8041, silently granting attackers full remote access. This allows the malicious VS Code extension to remain hidden while blending into normal administrative traffic.
Security researcher Charlie Eriksen from Aikido noted that the attackers even operated their own ScreenConnect relay infrastructure, making the compromise immediate and reliable.

Multiple Backup Channels Ensure the Payload Is Delivered
The fake Moltbot VS Code extension malware was clearly built to survive takedowns. If its primary infrastructure goes offline, it seamlessly switches to alternate delivery methods.
One fallback involves downloading a Rust-based malicious DLL called DWrite.dll, which sideloads the ScreenConnect payload from Dropbox. The extension also contains hard-coded URLs that allow it to retrieve both the executable and the DLL directly. A separate backup mechanism uses a batch script to fetch the same payloads from darkgptprivate[.]com.
These layers of redundancy make the VS Code Marketplace supply chain attack far more resilient than typical malware campaigns.
Why Moltbot Deployments Carry Broader Security Risks
This incident also shines a light on wider security concerns around Moltbot itself. Security researcher Jamieson O’Reilly, founder of Dvuln, recently identified hundreds of Moltbot instances exposed online without authentication.
These exposed deployments leaked configuration files, API keys, OAuth credentials, and private conversation histories. Because Moltbot agents are designed to act on behalf of users, this dramatically raises the potential impact of compromise.
As O’Reilly explained, Clawdbot agents can send messages, execute commands, and impersonate users across multiple communication platforms—making them an attractive target for attackers.
In a worst-case scenario, a malicious Moltbot skill distributed through MoltHub could enable large-scale supply chain attacks without users realizing anything is wrong.
Structural Weaknesses and Misconfigurations
Additional research from security firm Intruder revealed widespread misconfigurations across Moltbot deployments in various cloud environments. Their findings included exposed credentials, prompt injection vulnerabilities, and publicly accessible instances with little or no access control.
According to Intruder security engineer Benjamin Marr, these issues stem from design choices. Moltbot emphasizes ease of deployment over secure-by-default configurations, offering no enforced firewall rules, credential validation, or sandboxing for untrusted plugins. While this lowers the barrier to entry, it also lowers the barrier for attackers.
What Developers Should Do Next
To reduce the risk of Clawdbot VS Code malware if you use Moltbot or similar AI agents:
- Do not install unofficial IDE extensions claiming to support Moltbot or Clawdbot
- Audit all Moltbot configurations immediately
- Revoke and rotate API keys, OAuth tokens, and credentials
- Restrict network exposure using firewalls and access controls
- Monitor for remote access tools like ScreenConnect on developer machines
- Treat AI plugins and “skills” as untrusted code
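One way to act on the first and fifth items above, as an added example that is not code from the researchers or from Moltbot: it inventories a VS Code extensions directory for the fake extension's ID and for any extension that activates at every startup, and matches log lines against the three hosts named earlier. The article does not say which activation event the malware used, so the startup check is a general review aid; the function names, finding labels and sample log lines are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Indicators quoted in the article, stored defanged as published.
BAD_EXTENSION_ID = "clawdbot.clawdbot-agent"
DEFANGED = ["clawdbot.getintwopc[.]site", "meeting.bulletmailer[.]net",
            "darkgptprivate[.]com"]
HOSTS = "|".join(re.escape(h.replace("[.]", ".")) for h in DEFANGED)
# Match a listed host or its subdomains, but not longer lookalike names.
HOST_RE = re.compile(
    r"(?<![\w-])(?:[\w-]+\.)*(" + HOSTS + r")(?!\.?[\w-])", re.I)
STARTUP_EVENTS = {"*", "onStartupFinished"}  # VS Code activation events

def audit_extensions(ext_dir):
    """Return (id, version, finding) for installed extensions needing review."""
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        if not isinstance(meta, dict):
            continue
        ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        if ext_id == BAD_EXTENSION_ID:
            findings.append((ext_id, meta.get("version"), "known-malicious id"))
        elif STARTUP_EVENTS & set(meta.get("activationEvents") or []):
            findings.append((ext_id, meta.get("version"), "runs at every start"))
    return findings

def match_iocs(log_lines):
    """Return (line_number, host) for each log line naming a listed host."""
    found = ((n, HOST_RE.search(line)) for n, line in enumerate(log_lines, 1))
    return [(n, m.group(1).lower()) for n, m in found if m]

# Constructed sample proxy/DNS log lines (not taken from the incident).
SAMPLE_LOG = [
    "2026-01-28T09:14:02Z dns query update.code.visualstudio.com A",
    "2026-01-28T09:14:05Z dns query clawdbot.getintwopc.site. A",
    "2026-01-28T09:14:09Z tcp connect meeting.bulletmailer.net:8041",
    "2026-01-28T09:15:00Z dns query notdarkgptprivate.com A",
]

if __name__ == "__main__":
    ext_dir = Path.home() / ".vscode" / "extensions"  # VS Code's default location
    print(audit_extensions(ext_dir))
    print(match_iocs(SAMPLE_LOG))
```

Extensions reported as "runs at every start" are not necessarily malicious; the list is a starting point for checking each publisher against the project it claims to represent.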
For extension marketplaces, this incident underscores the urgent need for stricter publisher verification, behavioral scanning, and runtime telemetry.
Final Thoughts
The fake Moltbot VS Code extension malware campaign highlights how easily attackers can blend into trusted developer ecosystems. By abusing popular branding, legitimate software, and official marketplaces, they can compromise systems without drawing immediate attention.
As AI assistants become more deeply integrated into development workflows, VS Code Marketplace supply chain attacks are likely to increase. In this environment, convenience often comes at a hidden cost.
Sometimes, the most dangerous threats don’t look malicious at all—they look helpful.

