Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware
30.01.2026

A fake VS Code extension posing as a Moltbot AI assistant installed ScreenConnect malware, giving attackers persistent remote access to developer systems.
Yikes, devs. A fake VS Code extension posing as a Moltbot AI assistant just got caught dropping ScreenConnect malware, giving attackers persistent remote access to developer systems. This is a classic supply chain attack hitting right where you code.

The malicious extension was discovered on the official VS Code Marketplace, masquerading as a legitimate AI coding assistant called Moltbot. Once installed, it silently deployed ScreenConnect (now ConnectWise Control) malware, creating a backdoor for attackers to maintain persistent remote access to infected developer machines.
This isn't just another sketchy extension—it's a sophisticated supply chain attack targeting developers through their trusted tools. The attackers leveraged the credibility of the VS Code Marketplace to distribute their malware, exploiting the trust developers place in official repositories.
ScreenConnect malware is particularly dangerous because it provides attackers with full remote control capabilities, allowing them to execute commands, steal data, and maintain persistence even after system reboots. This gives threat actors a powerful foothold in developer environments, potentially compromising sensitive code, credentials, and intellectual property.
The discovery highlights the growing threat of supply chain attacks targeting developer tools and ecosystems. As AI coding assistants become more popular, attackers are creating convincing fake versions to infiltrate development environments. This incident serves as a stark reminder to verify extensions carefully, even when they come from official marketplaces.
Security researchers recommend that developers: 1) verify extension publishers and check reviews before installation, 2) monitor for unusual network activity or system behavior, 3) keep security software updated, and 4) report suspicious extensions immediately to marketplace administrators.
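One way to act on the first recommendation, shown as an added example that is not part of the original article or any vendor tooling: a Python audit of a VS Code extensions directory (on a default desktop install, `~/.vscode/extensions`) that flags any extension using a watched brand name under a publisher you have not verified. The `VERIFIED_PUBLISHERS` map and the sample manifests are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

# Assumption: brand keyword -> publisher IDs your team has verified out of band.
# "moltbot" has no verified publisher here, so any extension using the name is flagged.
VERIFIED_PUBLISHERS = {"moltbot": set(), "copilot": {"github"}}

def audit_extensions(ext_dir, verified=VERIFIED_PUBLISHERS):
    """Return (publisher.name, brand) pairs for extensions that use a watched
    brand under a publisher that has not been verified for it."""
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to compare
        publisher = str(meta.get("publisher", "")).lower()
        name = str(meta.get("name", ""))
        display = str(meta.get("displayName", ""))
        # Localized manifests carry placeholders such as %displayName%,
        # so the extension id and folder name are searched as well.
        haystack = " ".join([name, display, manifest.parent.name]).lower()
        for brand, publishers in verified.items():
            if brand in haystack and publisher not in publishers:
                findings.append((f"{publisher}.{name}", brand))
    return findings

def build_sample(root):
    """Write constructed sample manifests (not real marketplace data)."""
    samples = [
        ("github.copilot-1.0.0",
         {"publisher": "GitHub", "name": "copilot", "displayName": "GitHub Copilot"}),
        ("example-pub.moltbot-ai-0.0.1",
         {"publisher": "example-pub", "name": "moltbot-ai",
          "displayName": "Moltbot AI Coding Assistant"}),
        ("ms-python.python-2024.0.0",
         {"publisher": "ms-python", "name": "python", "displayName": "%displayName%"}),
    ]
    for folder, meta in samples:
        ext = Path(root) / folder
        ext.mkdir(parents=True)
        (ext / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, brand in audit_extensions(build_sample(tmp)):
            print(f"REVIEW {ext_id}: uses '{brand}' but publisher is not verified")
```

A flagged entry is a prompt for manual review of the publisher, not proof of compromise; point `audit_extensions` at the real extensions directory to run it against an actual install.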
- Fake Moltbot AI assistant extension on VS Code Marketplace
- Deploys ScreenConnect (ConnectWise Control) malware
- Provides attackers with persistent remote access
- Targets developers through supply chain attack
- Highlights risks in official extension marketplaces
- ScreenConnect malware enables full system control
- Can steal code, credentials, and intellectual property
- Growing threat of AI tool impersonation attacks

