Malicious Fake Moltbot VS Code Extension Found Dropping Remote Access Malware

Cybersecurity researchers have uncovered a fake Moltbot (formerly Clawdbot) Visual Studio Code extension that posed as an AI coding assistant but secretly installed malware, giving attackers persistent remote access. The extension was removed from the official VS Code Marketplace after discovery.

Cyber Security News Jan 29, 2026 0 28 Add to Reading List

Malicious Fake Moltbot VS Code Extension Found Dropping Remote Access Malware

Cybersecurity researchers have identified a malicious Visual Studio Code (VS Code) extension that falsely claimed to be an AI-powered coding assistant for Moltbot (formerly known as Clawdbot). The extension, named “ClawdBot Agent – AI Coding Assistant”, was briefly available on Microsoft’s official VS Code Extension Marketplace before being taken down.

The extension was published on January 27, 2026, by a user named clawdbot. While it advertised itself as a free AI coding tool, it secretly executed malicious actions in the background, putting developers’ systems at serious risk.

Importantly, Moltbot does not have any official VS Code extension. Attackers exploited the project’s growing popularity—over 85,000 GitHub stars—to trick users into installing the fake plugin.

How the Attack Worked

Once installed, the malicious extension automatically executed every time VS Code was launched. It downloaded a remote configuration file and used it to run a hidden executable that installed a legitimate remote desktop tool, ConnectWise ScreenConnect.

This allowed attackers to gain persistent remote access to infected machines by connecting to attacker-controlled infrastructure. Even if the primary server was unavailable, the extension included multiple fallback delivery methods, including:

DLL sideloading using a malicious Rust-based DLL
Hard-coded backup URLs
Payload delivery via external services such as Dropbox

These techniques ensured the malware could still be deployed even if some attack paths failed.

Broader Moltbot Security Risks

In a related discovery, security researchers found hundreds of exposed Moltbot instances online due to misconfigured reverse proxies. These exposed instances leaked sensitive data such as:

API keys and OAuth tokens
Configuration files
Private conversation histories

Because Moltbot agents can send messages, execute commands, and interact across platforms like WhatsApp, Telegram, Slack, Discord, and Signal, attackers could potentially impersonate users, manipulate conversations, or exfiltrate sensitive information without detection.

Industry Warnings

Security firms including 1Password, Hudson Rock, and Token Security have warned that Moltbot’s lack of sandboxing, plaintext credential storage, and ease of deployment make it an attractive target for attackers. Malware families such as RedLine, Lumma, and Vidar are reportedly adapting to specifically target Moltbot data directories.