MaliciousCorgi: AI Extensions send your code to China
2 days ago
- #spyware
- #AI-tools
- #cybersecurity
- AI coding assistants are widely used but some contain malicious spyware.
- MaliciousCorgi campaign involves two VS Code extensions with 1.5 million combined installs.
- Extensions function as AI assistants but also secretly harvest files and user data.
- Three hidden data collection channels: real-time file monitoring, mass file harvesting, and user profiling.
- Extensions send entire file contents, edits, and workspace data to servers in China without consent.
- Server-controlled backdoor can trigger mass file exfiltration without user interaction.
- User profiling includes tracking behavior, identity, and company information via analytics SDKs.
- Risk includes exposure of API keys, credentials, proprietary code, and business logic.
- Extensions remain in the marketplace despite their malicious functionality.
- Koi offers solutions to analyze and block malicious extensions while maintaining productivity.