Home | My Feed | Saved Stories | About | Privacy
Back

Malicious VS Code Extension Impersonates AI Assistant, Delivers Remote Access Malware

Show me the source 1 Sources
Generated on: Last updated:

Malicious VS Code Extension Targets Moltbot Users, Exposes Broader Security Risks

Cybersecurity researchers have identified a malicious Microsoft Visual Studio Code (VS Code) extension, "ClawdBot Agent - AI Coding Assistant" (clawdbot.clawdbot-agent), for Moltbot (formerly Clawdbot) on the official Extension Marketplace. Posing as a free artificial intelligence (AI) coding assistant, the extension delivered a malicious payload to compromised hosts. Microsoft has since removed the extension, which was published on January 27, 2026.

Moltbot is an open-source project designed to enable users to run a personal AI assistant locally and interact with it across various communication platforms like WhatsApp, Telegram, and Slack. Significantly, Moltbot does not have a legitimate VS Code extension, indicating that threat actors leveraged the tool's popularity for their malicious activities.

"ClawdBot Agent" Functionality

The malicious extension was configured to execute automatically upon the VS Code IDE launch. It began by retrieving a "config.json" file from an external server ("clawdbot.getintwopc[.]site") to execute a binary named "Code.exe." This binary proceeded to deploy a legitimate remote desktop program, ConnectWise ScreenConnect. The application then connected to "meeting.bulletmailer[.]net:8041," thereby establishing persistent remote access for the attacker.

According to Aikido researcher Charlie Eriksen, attackers set up their own ScreenConnect relay server and distributed a pre-configured client installer through the VS Code extension. The client immediately connected to the attacker's infrastructure upon installation.

Multi-Layered Payload Delivery

The extension incorporated fallback mechanisms to ensure payload delivery even if primary channels were disrupted.

  • A DLL named "DWrite.dll," written in Rust, was retrieved from Dropbox via sideloading. This ensured the ScreenConnect client's delivery even if the primary command-and-control (C2) infrastructure became inaccessible.
  • Hard-coded URLs were embedded within the extension to retrieve both the executable and the DLL.
  • A batch script was included as a second alternative method to obtain payloads from a different domain ("darkgptprivate[.]com").

Broader Moltbot Security Vulnerabilities

Beyond the malicious extension, security researcher Jamieson O'Reilly reported finding hundreds of unauthenticated Moltbot instances online. These instances exposed critical data, including configuration data, API keys, OAuth credentials, and private chat histories.

Risks associated with this exposure include:

  • Attacker impersonation of the operator to contacts.
  • Message injection into ongoing conversations.
  • Modification of agent responses.
  • Exfiltration of sensitive data.
  • Potential supply chain attacks through the distribution of a backdoored Moltbot "skill" via MoltHub.

Intruder also observed widespread misconfigurations leading to credential exposure, prompt injection vulnerabilities, and compromised instances across multiple cloud providers.

Intruder security engineer Benjamin Marr stated that Moltbot's architecture prioritizes ease of deployment over secure-by-default configuration, allowing non-technical users to integrate sensitive services without security validation.

Recommendations for Moltbot Users

Users running Moltbot with default configurations are strongly advised to take immediate action:

  • Audit their configuration for any vulnerabilities.
  • Revoke all connected service integrations and API keys.
  • Review exposed credentials for potential compromise.
  • Implement network controls to restrict access to Moltbot instances.
  • Monitor for signs of compromise on their systems and Moltbot instances.