Lead
On January 27, 2026 a malicious Visual Studio Code extension impersonating Moltbot (branded as “ClawdBot Agent – AI Coding Assistant”) appeared on the official VS Code Marketplace and was later removed by Microsoft. The extension executed automatically when the IDE launched and fetched a configuration file that triggered installation of a ConnectWise ScreenConnect client, giving attackers persistent remote access to infected machines. Security researchers reported the package used multiple fallback mechanisms to ensure delivery even if the primary command-and-control infrastructure was disrupted. Microsoft has taken the extension down, and researchers urge developers to audit Moltbot deployments and exposed credentials.
Key Takeaways
- The extension, published under the publisher name “clawdbot” with ID “clawdbot.clawdbot-agent”, was posted to the VS Code Marketplace on January 27, 2026 and has since been removed by Microsoft.
- Moltbot (formerly Clawdbot) is a popular open-source local LLM assistant, noted to have crossed more than 85,000 GitHub stars; attackers exploited that popularity to mimic a legitimate add-on.
- The malicious package auto-runs on IDE start, downloads a remote “config.json” from clawdbot.getintwopc[.]site and launches a binary named “Code.exe” that installs a ScreenConnect client.
- The ScreenConnect client phones home to meeting.bulletmailer[.]net:8041 via an attacker-controlled relay, enabling persistent remote access to the host.
- Fallback delivery includes a Rust-written DLL named “DWrite.dll” sideloaded to fetch the same payload from Dropbox, plus hard-coded URLs and a batch-script option using darkgptprivate[.]com.
- Researchers recommend auditing configurations, revoking exposed API keys/OAuth tokens, removing unnecessary integrations, and monitoring for unexpected outbound connections to the identified domains.
Background
Moltbot, created by Austrian developer Peter Steinberger, is an open-source project that lets users run a personal AI assistant locally and connect it to messaging platforms like WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams and WebChat. Its ease of deployment and broad integration options helped it gain rapid adoption across developer communities and enterprises alike. The project recently surpassed 85,000 stars on GitHub, a sign of widespread interest but also an attractive target for impersonation and supply-chain abuse. Crucially, Moltbot has no official Visual Studio Code extension, leaving a naming gap that attackers exploited to present a convincing fake add-on to developers.
Separately, multiple security researchers have flagged insecure default deployments of Moltbot instances online. Those instances, when left reachable without authentication, can expose configuration files, API keys, OAuth credentials and chat histories — all of which multiply the impact of a malicious client or backdoored skill. Because Moltbot agents can send messages and execute tools on behalf of operators, a compromised instance can impersonate users and exfiltrate data across integrated platforms.
Main Event
The malicious extension is engineered to execute as soon as Visual Studio Code is opened. On launch it retrieves a remote file named “config.json” from clawdbot.getintwopc[.]site; that configuration references a binary named “Code.exe” which is then executed on the host. Analysis shows “Code.exe” deploys an unmodified ConnectWise ScreenConnect client preconfigured to connect to an attacker-run relay.
Once installed the ScreenConnect client connects to meeting.bulletmailer[.]net on port 8041, creating a persistent remote-access channel that allows the attacker to control the compromised system as if sitting at the console. Aikido researcher Charlie Eriksen described the operation as the extension distributing a preconfigured client that immediately phones home to attacker infrastructure.
The extension includes additional resilience mechanisms. It contains a Rust-built DLL dubbed “DWrite.dll” that can be sideloaded; the DLL fetches the same ScreenConnect payload from Dropbox if the primary C2 is unavailable. The package also embeds direct URLs to the executable and DLL, and a separate batch-script fallback that reaches out to darkgptprivate[.]com to retrieve payloads.
Analysis & Implications
This incident highlights two overlapping risks: supply-chain impersonation on trusted distribution platforms and insecure default deployments of popular open-source tooling. By publishing a convincingly named extension on the official Marketplace, attackers bypassed user suspicion and automated trust signals. Because the payload is a legitimate remote-desktop product (ScreenConnect) configured to the attacker’s relay, detection is more difficult: the software itself is not necessarily flagged as malicious by signature-based tools.
For operators of Moltbot instances the danger is multiplied. Researchers have found hundreds of unauthenticated Moltbot deployments exposing credentials and conversation logs; an attacker who controls a Moltbot instance or a widely used MoltHub skill can intercept messages, inject content into conversations, and harvest tokens or service keys for lateral movement. Supply-chain attacks could also be staged by distributing backdoored skills through MoltHub.
The broader enterprise risk is substantial. Remote-access tools with persistent connections can be used for data theft, credential harvesting and lateral exploration inside corporate networks. Because the extension initiated the installation locally via the IDE, compromised developer machines with privileged tokens or SSH keys could provide attackers access to source code, CI/CD pipelines and cloud accounts.
Comparison & Data
| Delivery Method | Primary Host / Domain | Payload | Notes |
|---|---|---|---|
| Primary config fetch | clawdbot.getintwopc[.]site | Code.exe (installs ScreenConnect) | Auto-exec on VS Code launch |
| DLL sideload | Dropbox (via DWrite.dll) | ScreenConnect payload | Rust-written DLL for resilience |
| Hard-coded fallback | darkgptprivate[.]com | Batch script to fetch payloads | Alternative domain for redundancy |
The table above distills the observed delivery chains. Each mechanism is designed to overcome interruptions to the others, increasing attacker persistence. That multi-pronged approach—direct fetch, DLL sideload, and scripted fallback—illustrates an operational emphasis on reliability rather than sophistication: the actors favored multiple simple channels to guarantee payload delivery.
Reactions & Quotes
Researchers and security teams rapidly published technical breakdowns and mitigation advice after the extension was removed. Their comments highlight the operational model and possible impacts.
“The attackers set up their own ScreenConnect relay server, generated a pre-configured client installer, and distributed it through the VS Code extension,”
Charlie Eriksen, Aikido researcher
Eriksen emphasized that victims received a fully functional client that immediately connected to attacker infrastructure, underscoring why the extension was effective despite using legitimate remote-access software.
“Clawdbot agents have agency: they can send messages across Telegram, Slack, Discord, Signal and WhatsApp and execute tools and commands,”
Jamieson O’Reilly, founder of Dvuln
O’Reilly’s observation about agent capability explains why exposed Moltbot instances and credentials magnify the threat: an attacker can act as the agent’s operator and abuse integrations to pivot or exfiltrate data.
“Non-technical users can spin up instances and integrate sensitive services without encountering security friction or validation,”
Benjamin Marr, Intruder
Marr warned that the project’s default posture favors ease of deployment over secure-by-default assumptions, creating an environment where misconfiguration can lead to significant exposures.
Unconfirmed
- Attribution of the campaign to a specific threat actor or group has not been publicly confirmed by law enforcement or coordinating CERTs.
- The total number of machines compromised via this extension before removal is not confirmed; estimates of impact vary across researcher reports.
- Whether additional malicious extensions using Moltbot-related names were published to other channels is still being investigated by multiple vendors.
Bottom Line
The malicious ClawdBot/”Moltbot”-named extension demonstrates how attackers can weaponize popularity and trust on official extension marketplaces to deliver persistent remote-access tooling. The payload in this incident used a legitimate remote-desktop product (ScreenConnect) configured to attacker infrastructure, coupled with DLL sideload and alternate domains to maximize delivery success.
Developers and organizations should assume that similarly named packages could reappear and must take immediate steps: remove unknown or untrusted VS Code extensions, audit Moltbot deployments and exposed keys, rotate credentials, and implement egress filtering and endpoint monitoring to detect anomalous connections to the domains identified above. Platform owners should also increase vetting and automated detection for publisher impersonation and unusual post-install behaviors to reduce the likelihood of repeat supply-chain impersonations.
Sources
- The Hacker News (news)