Incident · malware · fake extension

Fake VS Code extension claiming to be Moltbot

Security researchers reported a malicious VS Code extension that claimed to be a Moltbot/Clawdbot coding assistant, but delivered a remote-access payload.

Action: If you installed a suspicious extension, treat your machine as compromised until proven otherwise.

What reports say (high level)

  • Extension was listed in the VS Code Marketplace and later removed (per reports).
  • It downloaded additional payload/config and attempted to establish remote access.
  • Attackers capitalized on Moltbot popularity; reports note there was no legitimate extension.

What to do now

  1. Remove the extension. Uninstall and check for persistence.
  2. Rotate tokens. Assume credentials may have been harvested.
  3. Rebuild from clean state. A clean reinstall/snapshot rollback can be faster than manual cleanup.
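
One way to support the removal step, as an added example that is not part of the original advisory or the reports: a Python audit that reads each installed extension's manifest and flags any that claims Moltbot/Clawdbot branding, since reports note there was no legitimate extension. The page does not give the extension's identifier, so matching on the brand names and scanning the default per-user extension folders are assumptions of this sketch.

```python
import json
import re
from pathlib import Path

# Brand names from the advisory. Reports say no legitimate extension
# exists, so any installed extension claiming them is suspect.
BRAND = re.compile(r"molt[\s_-]*bot|clawd[\s_-]*bot", re.IGNORECASE)
FIELDS = ("name", "displayName", "description", "publisher")


def default_dirs():
    """Default per-user extension folders: VS Code, Insiders, remote server."""
    return [Path.home() / d / "extensions"
            for d in (".vscode", ".vscode-insiders", ".vscode-server")]


def scan_extensions(ext_dirs=None):
    """Return one finding per installed extension that claims the brand."""
    findings = []
    for root in map(Path, ext_dirs if ext_dirs is not None else default_dirs()):
        if not root.is_dir():
            continue
        for manifest in sorted(root.glob("*/package.json")):
            folder = manifest.parent
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
                if not isinstance(meta, dict):
                    raise ValueError("manifest is not a JSON object")
            except (OSError, ValueError):
                meta = {}  # unreadable manifest: fall back to the folder name
            hits = [f for f in FIELDS if BRAND.search(str(meta.get(f, "")))]
            if BRAND.search(folder.name):
                hits.append("folder")
            if hits:
                ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}"
                findings.append({"id": ext_id, "path": str(folder),
                                 "matched": hits})
    return findings


if __name__ == "__main__":
    results = scan_extensions()
    for f in results:
        print(f"SUSPECT {f['id']}  matched={f['matched']}  {f['path']}")
    if not results:
        print("No extension claiming Moltbot/Clawdbot branding found.")
```

An empty result only means no matching extension folder remains on disk; it says nothing about persistence left outside the extension directory.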

Sources