Malicious AI-Powered VS Code Extensions Steal Developer Credentials
Security researchers have uncovered multiple malicious Visual Studio Code extensions posing as AI-powered coding assistants. These extensions were designed to harvest sensitive data, including API keys, authentication tokens, and proprietary source code.
Once installed, the extensions monitored developer activity, intercepted clipboard contents, and transmitted collected data to attacker-controlled servers. Because VS Code extensions operate with extensive permissions, malicious plugins can bypass many traditional security controls.
The incident highlights a growing trend where attackers exploit trust in AI tools and developer ecosystems. As AI-assisted coding becomes more popular, threat actors are increasingly disguising malware as productivity-enhancing plugins.
Experts warn that compromised developer environments can have cascading effects, enabling supply-chain attacks and unauthorized access to production systems. Organizations are advised to restrict extension installation, audit development environments, and educate developers about emerging threats.
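One way to carry out the recommended audit is to compare the extensions installed on a workstation against an approved list. The script below is an added example, not code from the researchers or from VS Code; it assumes the default per-user extension folder (~/.vscode/extensions), and the allowlist entry is a constructed sample.

```python
import json
from pathlib import Path

# Assumption: default per-user extension directory for VS Code desktop.
DEFAULT_EXT_DIR = Path.home() / ".vscode" / "extensions"


def installed_extensions(ext_dir):
    """Yield manifest details for each extension folder under ext_dir."""
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # An unreadable manifest is reported rather than skipped.
            yield {"id": manifest.parent.name, "broken": True}
            continue
        # Extension IDs are publisher.name and compared case-insensitively.
        ext_id = f"{data.get('publisher', '?')}.{data.get('name', '?')}".lower()
        yield {"id": ext_id, "broken": False,
               "version": str(data.get("version", "?")),
               "events": data.get("activationEvents") or []}


def audit(ext_dir, allowlist):
    """Return (extension, note) findings for anything not approved."""
    approved = {item.lower() for item in allowlist}
    findings = []
    for ext in installed_extensions(ext_dir):
        if ext["broken"]:
            findings.append((ext["id"], "manifest unreadable"))
        elif ext["id"] not in approved:
            note = "not on allowlist"
            # "*" makes VS Code activate the extension at every startup.
            if "*" in ext["events"]:
                note += "; activates on startup"
            findings.append((f"{ext['id']}@{ext['version']}", note))
    return findings


if __name__ == "__main__":
    # Constructed sample allowlist; replace with the approved extension IDs.
    allow = ["ms-python.python"]
    for ext, note in audit(DEFAULT_EXT_DIR, allow):
        print(f"{ext}: {note}")
```

A finding only means the extension has not been reviewed; the manifest does not reveal what the extension's code does at runtime.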
This case reinforces the need for stronger marketplace vetting and proactive monitoring of developer tooling.