Bogus AI Coding Assistant Used to Spread Moltbot Malware

Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly Clawdbot) on the official Extension Marketplace. The extension claims to offer a free artificial intelligence (AI) coding assistant; however, it secretly drops a malicious payload on compromised hosts.

Specifically, the extension, named “ClawdBot Agent – AI Coding Assistant” (“clawdbot.clawdbot-agent”), appeared on the marketplace on January 27, 2026 under a publisher account called “clawdbot.” Shortly after researchers exposed its behavior, Microsoft removed the extension from the platform.

Moltbot’s Rapid Growth Attracts Threat Actors

Meanwhile, Moltbot has surged in popularity, surpassing 85,000 stars on GitHub at the time of writing. Austrian developer Peter Steinberger created the open-source project to let users run a personal AI assistant powered by a large language model (LLM) locally on their own devices. In addition, the tool supports interactions over established communication platforms such as WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, and WebChat.

Most importantly, Moltbot does not offer a legitimate VS Code extension. As a result, the threat actors behind this campaign exploited the tool’s growing popularity to deceive unsuspecting developers into installing a fraudulent plugin.

Once installed, the malicious extension automatically executes every time the integrated development environment (IDE) launches. During execution, it quietly retrieves a file named “config.json” from an external server (“clawdbot.getintwopc[.]site”) and uses it to run a binary called “Code.exe”, which installs a legitimate remote desktop application such as ConnectWise ScreenConnect.

Subsequently, the application connects to “meeting.bulletmailer[.]net:8041”, which gives the attacker persistent remote access to the compromised system.

“The attackers set up their own ScreenConnect relay server, generated a pre-configured client installer, and distributed it through the VS Code extension,” Aikido researcher Charlie Eriksen said. “When victims install the extension, they get a fully functional ScreenConnect client that immediately phones home to the attacker’s infrastructure.”

In addition, the extension includes a fallback mechanism designed to maintain persistence. It retrieves a DLL listed in “config.json” and sideloads it to fetch the same payload from Dropbox. The DLL, named “DWrite.dll”, is written in Rust and ensures delivery of the ScreenConnect client even if the command-and-control (C2) infrastructure becomes unavailable.

“Deeper payload analysis suggests the attacker anticipated failures, and several delivery methods don’t work reliably,” Eriksen told The Hacker News. “That said, it appears that ‘code.exe’ loads ‘DWrite.dll’ [using DLL side-loading], and when both are in the same directory, the malicious DLL would likely be loaded by default.”

Beyond this, the attackers embedded additional backup mechanisms into the extension. The fake Moltbot plugin hard-codes URLs to download both the executable and the sideloaded DLL. Moreover, a second alternative method relies on a batch script that retrieves the payloads from another domain (“darkgptprivate[.]com”).

Exposure Through Misconfigurations

At the same time, security researcher and Dvuln founder Jamieson O’Reilly uncovered hundreds of unauthenticated Moltbot instances exposed online. These instances leaked configuration data, API keys, OAuth credentials, and private chat histories due to a “classic” reverse proxy misconfiguration.

This exposure stems from Moltbot automatically approving “local” connections while deployments behind reverse proxies incorrectly treat internet connections as local. Consequently, the system trusts and auto-approves unauthenticated access.
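The following is an added example, not Moltbot's code, that contrasts the failure mode described above with a fail-closed check: a service that treats the socket peer address as the client's identity will see every proxied internet request as coming from 127.0.0.1, whereas the hardened variant only accepts a forwarded client address from a proxy the operator explicitly declared. The `Request` type, the `trusted_proxies` parameter and all addresses are constructed for the illustration.

```python
"""Decide whether an inbound connection to a locally hosted agent may be
auto-approved as "local" (added example, not the project's own code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Request:
    peer_ip: str                                   # remote address on the TCP socket
    headers: Dict[str, str] = field(default_factory=dict)


def naive_is_local(req: Request) -> bool:
    """The misconfiguration: trust the socket peer address alone. When a reverse
    proxy on the same host forwards internet traffic, every request arrives from
    127.0.0.1 and is wrongly treated as local."""
    return ipaddress.ip_address(req.peer_ip).is_loopback


def hardened_is_local(req: Request, trusted_proxies: Set[str]) -> bool:
    """Fail-closed variant. Only a proxy the operator declared may assert a
    client address via X-Forwarded-For; an undeclared peer sending that header
    is refused, and a declared proxy that omits it leaves the client unknown,
    so the request is not auto-approved (it must authenticate instead)."""
    try:
        peer = ipaddress.ip_address(req.peer_ip)
        proxies = {ipaddress.ip_address(p) for p in trusted_proxies}
        xff = req.headers.get("X-Forwarded-For")
        if peer in proxies:
            if xff is None:
                return False          # proxy did not say who the client is
            # The rightmost entry is the one appended by our own proxy; earlier
            # entries are client-supplied and must not be trusted.
            client = ipaddress.ip_address(xff.split(",")[-1].strip())
            return client.is_loopback
        if xff is not None:
            return False              # forwarded header from a non-proxy peer
        return peer.is_loopback       # direct connection: judge the peer itself
    except ValueError:
        return False                  # unparsable address: never auto-approve


if __name__ == "__main__":
    # Constructed scenario: a same-host reverse proxy relays an internet client.
    proxied = Request("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"})
    print("naive:", naive_is_local(proxied))                    # True (exposed)
    print("hardened:", hardened_is_local(proxied, {"127.0.0.1"}))  # False
```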

“The real problem is that Clawdbot agents have agency,” O’Reilly explained. “They can send messages on behalf of users across Telegram, Slack, Discord, Signal, and WhatsApp. They can execute tools and run commands.”

As a result, attackers can impersonate operators, inject messages into active conversations, alter agent responses, and exfiltrate sensitive data without detection. Even more concerning, attackers could distribute a backdoored Moltbot “skill” through MoltHub (formerly ClawdHub) to launch supply chain attacks and siphon sensitive information.

Similarly, Intruder reported widespread misconfigurations that expose credentials, enable prompt injection vulnerabilities, and compromise Moltbot instances across multiple cloud providers.

“The core issue is architectural: Clawdbot prioritizes ease of deployment over secure-by-default configuration,” Benjamin Marr, security engineer at Intruder, said. “Non-technical users can spin up instances and integrate sensitive services without encountering any security friction or validation. There are no enforced firewall requirements, no credential validation, and no sandboxing of untrusted plugins.”

Given these risks, experts recommend that users running Clawdbot with default settings audit their configurations, revoke all connected integrations, rotate exposed credentials, apply network controls, and actively monitor for signs of compromise.

Growing Enterprise Concerns Around Its Usage

Finally, 1Password, Hudson Rock, and Token Security have also warned about the dangers associated with Moltbot usage. They noted that the platform’s “deep, unapologetic access” to sensitive enterprise systems on unmanaged personal devices outside the security perimeter can turn into “high-impact control points” when misconfigured.

Token Security revealed that 22% of its customers have employees actively using Clawdbot within their organizations. The firm added that Moltbot’s lack of sandboxing and its reliance on plaintext storage for “memories” and credentials make it an appealing target for attackers seeking corporate data.

“If an attacker compromises the same machine you run MoltBot on, they do not need to do anything fancy,” 1Password said. “Modern infostealers scrape common directories and exfiltrate anything that looks like credentials, tokens, session logs, or developer config. If your agent stores in plain-text API keys, webhook tokens, transcripts, and long-term memory in known locations, an infostealer can grab the whole thing in seconds.”

Hudson Rock further observed “specific adaptations in major malware-as-a-service (MaaS) families” such as RedLine, Lumma, and Vidar that actively target these directory structures.

“For infostealers, this data is unique. It isn’t just about stealing a password; it is about Cognitive Context Theft,” the company said. “The threat is not just exfiltration; it is Agent Hijacking. If an attacker gains write access (e.g., via a RAT deployed alongside the stealer), they can engage in ‘Memory Poisoning.’”

Source: TheHackerNews
