Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware
Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly Clawdbot) on the official Extension Marketplace that claims to be a free artificial intelligence (AI) coding assistant, but stealthily drops a malicious payload on compromised hosts. The extension, named "ClawdBot Agent - AI Coding Assistant" ("clawdbot.clawdbot-agent")
AI Analysis
Technical Summary
The malicious VS Code extension named "ClawdBot Agent - AI Coding Assistant" masqueraded as a legitimate AI coding assistant related to the open-source Moltbot project, which itself does not have an official VS Code extension. Published on January 27, 2026, by an attacker-controlled account, the extension was designed to execute automatically upon IDE startup. It stealthily downloaded a "config.json" file from a malicious domain (clawdbot.getintwopc[.]site), which contained instructions to execute a binary named "Code.exe." This binary deployed legitimate remote desktop software, ConnectWise ScreenConnect, configured to connect to an attacker-controlled relay server (meeting.bulletmailer[.]net:8041), granting persistent remote access to the infected machine.

To ensure resilience, the extension included fallback mechanisms such as sideloading a Rust-written DLL named "DWrite.dll" from Dropbox and using batch scripts to retrieve payloads from an alternate domain (darkgptprivate[.]com). These redundancies ensured payload delivery even if primary C2 servers were taken down. The attackers leveraged the popularity of Moltbot, an AI assistant enabling local LLM interactions over multiple messaging platforms, to deceive developers into installing the malicious extension.

Beyond the extension, researchers discovered that many Moltbot instances were misconfigured, exposing sensitive data like API keys, OAuth credentials, and private chat histories. Since Moltbot agents can send messages and execute commands on behalf of users across platforms like Telegram, Slack, Discord, and WhatsApp, compromised instances could be used to impersonate users, inject malicious messages, exfiltrate data, and distribute backdoored plugins via MoltHub, enabling supply chain attacks.
The root cause is Moltbot's architecture prioritizing ease of deployment over security, lacking enforced firewall rules, credential validation, and sandboxing, which facilitates widespread misconfigurations and compromises across cloud providers. Microsoft has removed the malicious extension from the marketplace, but the threat underscores risks in open-source AI tooling ecosystems and supply chain security.
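The network indicators named above can be matched against DNS or proxy logs. The following is an added example, not code from the original report: the log format and the sample lines are constructed, and the indicators are kept in the page's defanged form and refanged only in memory.

```python
import re

# Indicators as this page lists them (defanged); refanged only for matching.
DEFANGED_IOCS = [
    "clawdbot.getintwopc[.]site",
    "meeting.bulletmailer[.]net",
    "darkgptprivate[.]com",
]

def refang(indicator):
    """'example[.]com' -> 'example.com', lowercased, no trailing dot."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS}

# Whole hostname tokens with an optional :port, so substrings never match.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d+))?", re.I)

def match_ioc(host):
    """Return the IoC that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan(lines):
    """Return (line_number, matched_ioc, port_or_None) for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            ioc = match_ioc(m.group(1))
            if ioc:
                hits.append((number, ioc, int(m.group(2)) if m.group(2) else None))
    return hits

# Constructed DNS/proxy lines (hypothetical format), not real telemetry.
C2, RELAY, ALT = (refang(i) for i in DEFANGED_IOCS)
SAMPLE_LOG = [
    f"2026-01-28T10:00:01Z dns 10.0.0.5 query A {C2}",
    f"2026-01-28T10:00:04Z proxy 10.0.0.5 CONNECT {RELAY}:8041",
    f"2026-01-28T10:00:09Z dns 10.0.0.7 query A cdn.{ALT}",           # subdomain: hit
    f"2026-01-28T10:00:12Z dns 10.0.0.7 query A not{ALT}",            # lookalike: no hit
    f"2026-01-28T10:00:15Z dns 10.0.0.9 query A {ALT}.example.org",   # suffix trick: no hit
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on whole hostnames and label boundaries keeps lookalike names and unrelated parent domains out of the results while still catching subdomains of a listed indicator.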
Potential Impact
European organizations, particularly software development firms and enterprises relying on Visual Studio Code and AI-assisted coding tools, face significant risks from this threat. The malicious extension enables attackers to gain persistent remote access to developer workstations, potentially leading to intellectual property theft, insertion of malicious code into software projects, and lateral movement within corporate networks. The stealthy payload delivery and the fallback mechanisms complicate detection and remediation efforts. Furthermore, compromised Moltbot instances can lead to unauthorized access to sensitive communications and credentials across multiple messaging platforms widely used in Europe, increasing the risk of data breaches and reputational damage. Supply chain attacks via backdoored Moltbot plugins could propagate malware to downstream users and customers, amplifying the impact. The exposure of OAuth tokens and API keys can also facilitate further compromise of cloud services and internal systems. Given the widespread adoption of VS Code and the growing interest in AI coding assistants in European tech sectors, the threat could disrupt development workflows and undermine trust in open-source AI tools.
Mitigation Recommendations
European organizations should immediately audit their installed VS Code extensions to identify and remove any unauthorized or suspicious plugins, especially those claiming to be AI coding assistants related to Moltbot or ClawdBot. Implement strict extension whitelisting policies and use enterprise management tools to control extension installation. Conduct thorough reviews of Moltbot instances if deployed internally, including revoking all connected service integrations, rotating exposed credentials, and enforcing network segmentation and firewall rules to restrict outbound connections from developer machines. Monitor network traffic for connections to known malicious domains (e.g., clawdbot.getintwopc[.]site, meeting.bulletmailer[.]net, darkgptprivate[.]com) and unusual ScreenConnect client activity. Employ endpoint detection and response (EDR) solutions capable of detecting DLL sideloading and unauthorized remote desktop software installations. Educate developers about the risks of installing unverified extensions and the importance of verifying extension publishers. For organizations using Moltbot, enforce secure-by-default configurations, including credential validation, sandboxing untrusted plugins, and applying least privilege principles. Regularly update and patch development environments and monitor for indicators of compromise. Collaborate with security teams to conduct threat hunting focused on this attack vector and share intelligence with industry peers to improve collective defense.
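One way to run the extension audit recommended above is shown below. It is an added example, not code from the original report, and it assumes that extensions live in per-extension folders holding a `package.json` manifest (by default under `~/.vscode/extensions`). The allowlist, sample manifests, folder names and versions are constructed.

```python
import json
import tempfile
from pathlib import Path

KNOWN_BAD = {"clawdbot.clawdbot-agent"}      # extension ID named on this page
STARTUP_EVENTS = {"*", "onStartupFinished"}  # VS Code events that fire at IDE start

def audit_extensions(ext_dir, allowlist):
    """Return (extension_id, reason) for each installed extension needing review."""
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(pkg, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # A manifest that cannot be parsed is itself worth a manual look.
            findings.append((manifest.parent.name, "unreadable-manifest"))
            continue
        ext_id = f"{pkg.get('publisher', '')}.{pkg.get('name', '')}".lower()
        events = set(pkg.get("activationEvents") or [])
        if ext_id in KNOWN_BAD:
            findings.append((ext_id, "known-malicious"))
        elif ext_id not in allowlist:
            startup = "+runs-at-startup" if events & STARTUP_EVENTS else ""
            findings.append((ext_id, "not-allowlisted" + startup))
    return findings

def demo():
    """Audit a constructed extensions folder (sample data, not real installs)."""
    samples = {
        "clawdbot.clawdbot-agent-0.0.1": {"publisher": "clawdbot", "name": "clawdbot-agent"},
        "example.helper-0.1.0": {"publisher": "example", "name": "helper",
                                 "activationEvents": ["onStartupFinished"]},
        "ms-python.python-2026.1.0": {"publisher": "ms-python", "name": "python",
                                      "activationEvents": ["onLanguage:python"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, pkg in samples.items():
            ext = Path(tmp, folder)
            ext.mkdir()
            (ext / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
        return audit_extensions(tmp, allowlist={"ms-python.python"})

if __name__ == "__main__":
    for ext_id, reason in demo():
        print(f"{reason:32} {ext_id}")
```

On a real workstation, call `audit_extensions(Path.home() / ".vscode" / "extensions", allowlist)` with the organization's approved extension IDs.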
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Austria, Belgium, Spain, Italy
Technical Details
- Article Source: https://thehackernews.com/2026/01/fake-moltbot-ai-coding-assistant-on-vs.html (fetched 2026-01-28T20:27:03.206Z, word count 1233)
Threat ID: 697a711c4623b1157ced2a00
Added to database: 1/28/2026, 8:27:08 PM
Last enriched: 1/28/2026, 8:27:31 PM
Last updated: 1/30/2026, 12:00:55 AM