Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly Clawdbot) on the official Extension Marketplace that claims to be a free artificial intelligence (AI) coding assistant, but stealthily drops a malicious payload on compromised hosts.
The extension, named “ClawdBot Agent – AI Coding Assistant” (“clawdbot.clawdbot-agent”), has since been taken down by Microsoft. It was published by a user named “clawdbot” on January 27, 2026.
Moltbot has taken off in a big way, crossing more than 85,000 stars on GitHub as of writing. The open-source project, created by Austrian developer Peter Steinberger, allows users to run a personal AI assistant powered by a large language model (LLM) locally on their own devices and interact with it over already established communication platforms like WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, and WebChat.
The most important aspect to note here is that Moltbot does not have a legitimate VS Code extension, meaning the threat actors behind the activity capitalized on the rising popularity of the tool to trick unsuspecting developers into installing it.
The malicious extension is designed such that it’s automatically executed every time the integrated development environment (IDE) is launched, stealthily retrieving a file named “config.json” from an external server (“clawdbot.getintwopc[.]site”) to execute a binary named “Code.exe” that deploys a legitimate remote desktop program like ConnectWise ScreenConnect.
The application then connects to the URL “meeting.bulletmailer[.]net:8041,” granting the attacker persistent remote access to the compromised host.
“The attackers set up their own ScreenConnect relay server, generated a pre-configured client installer, and distributed it through the VS Code extension,” Aikido researcher Charlie Eriksen said. “When victims install the extension, they get a fully functional ScreenConnect client that immediately phones home to the attacker’s infrastructure.”
What’s more, the extension incorporates a fallback mechanism that retrieves a DLL listed in “config.json” and sideloads it to obtain the same payload from Dropbox. The DLL (“DWrite.dll”), written in Rust, ensures that the ScreenConnect client is delivered even if the command-and-control (C2) infrastructure becomes inaccessible.
“Deeper payload analysis suggests the attacker anticipated failures, and several delivery methods don’t work reliably,” Eriksen told The Hacker News, “That said, it appears that ‘code.exe’ loads ‘DWrite.dll’ [using DLL side-loading], and when both are in the same directory, the malicious DLL would likely be loaded by default.”
This is not the only backup mechanism incorporated into the extension for payload delivery. The fake Moltbot extension also embeds hard-coded URLs to get the executable and the DLL to be sideloaded. A second alternative method involves using a batch script to obtain the payloads from a different domain (“darkgptprivate[.]com”).
The Security Risks with Moltbot
The disclosure comes as security researcher and Dvuln founder Jamieson O’Reilly found hundreds of unauthenticated Moltbot instances online due to a “classic” reverse proxy misconfiguration, exposing configuration data, API keys, OAuth credentials, and conversation histories from private chats to unauthorized parties.
The issue stems from a combination of Moltbot auto-approving “local” connections and deployments behind reverse proxies causing internet connections to be treated as local – and therefore trusted and automatically approved for unauthenticated access.
“The real problem is that Clawdbot agents have agency,” O’Reilly explained. “They can send messages on behalf of users across Telegram, Slack, Discord, Signal, and WhatsApp. They can execute tools and run commands.”
This, in turn, opens the door to a scenario where an attacker can impersonate the operator to their contacts, inject messages into ongoing conversations, modify agent responses, and exfiltrate sensitive data without their knowledge. More critically, an attacker could distribute a backdoored Moltbot “skill” via MoltHub (formerly ClawdHub) to stage supply chain attacks and siphon sensitive data.
Intruder, in a similar analysis, said it has observed widespread misconfigurations leading to credential exposure, prompt injection vulnerabilities, and compromised instances across multiple cloud providers.
“The core issue is architectural: Clawdbot prioritizes ease of deployment over secure-by-default configuration,” Benjamin Marr, security engineer at Intruder, said in a statement. “Non-technical users can spin up instances and integrate sensitive services without encountering any security friction or validation. There are no enforced firewall requirements, no credential validation, and no sandboxing of untrusted plugins.”
Users who are running Clawdbot with default configurations are recommended to audit their configuration, revoke all connected service integrations, review exposed credentials, implement network controls, and monitor for signs of compromise.
Update
1Password, Hudson Rock, and Token Security have also raised potential dangers arising from using Moltbot, stating its “deep, unapologetic access” to sensitive enterprise systems on unmanaged personal devices outside of the security perimeter can become “high-impact control points” when they are misconfigured.
Token Security said 22% of its customers have employees actively using Clawdbot within their organizations, adding that the platform’s lack of sandboxing and its use of plaintext for storing “memories” and credentials make it an attractive target for attackers looking to steal sensitive corporate data.
“If an attacker compromises the same machine you run MoltBot on, they do not need to do anything fancy,” 1Password said. “Modern infostealers scrape common directories and exfiltrate anything that looks like credentials, tokens, session logs, or developer config. If your agent stores in plain-text API keys, webhook tokens, transcripts, and long-term memory in known locations, an infostealer can grab the whole thing in seconds.”
Hudson Rock also noted that it’s “seeing specific adaptations in major malware-as-a-service (MaaS) families” like RedLine, Lumma, and Vidar to target these directory structures for information theft.
“For infostealers, this data is unique. It isn’t just about stealing a password; it is about Cognitive Context Theft,” it said. “The threat is not just exfiltration; it is Agent Hijacking. If an attacker gains write access (e.g., via a RAT deployed alongside the stealer), they can engage in ‘Memory Poisoning.'”
