Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly Clawdbot) on the official Extension Marketplace that claims to be a free artificial intelligence (AI) coding assistant, but stealthily drops a malicious payload on compromised hosts.
The extension, named “ClawdBot Agent – AI Coding Assistant” (“clawdbot.clawdbot-agent”), has since been taken down by Microsoft. It was published by a user named “clawdbot” on January 27, 2026.
Moltbot has taken off in a big way, crossing more than 85,000 stars on GitHub as of writing. The open-source project, created by Austrian developer Peter Steinberger, allows users to run a personal AI assistant powered by a large language model (LLM) locally on their own devices and interact with it over already established communication platforms like WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, and WebChat.
The most important aspect to note here is that Moltbot does not have a legitimate VS Code extension, meaning the threat actors behind the activity capitalized on the rising popularity of the tool to trick unsuspecting developers into installing it.
The malicious extension is designed such that it’s automatically executed every time the integrated development environment (IDE) is launched, stealthily retrieving a file named “config.json” from an external server (“clawdbot.getintwopc[.]site”) to execute a binary named “Code.exe” that deploys a legitimate remote desktop program like ConnectWise ScreenConnect.
The application then connects to the URL “meeting.bulletmailer[.]net:8041,” granting the attacker persistent remote access to the compromised host.
“The attackers set up their own ScreenConnect relay server, generated a pre-configured client installer, and distributed it through the VS Code extension,” Aikido researcher Charlie Eriksen said. “When victims install the extension, they get a fully functional ScreenConnect client that immediately phones home to the attacker’s infrastructure.”
What’s more, the extension incorporates a fallback mechanism that retrieves a DLL listed in “config.json” and sideloads it to obtain the same payload from Dropbox. The DLL (“DWrite.dll”), written in Rust, ensures that the ScreenConnect client is delivered even if the command-and-control (C2) infrastructure becomes inaccessible.
This is not the only backup mechanism incorporated into the extension for payload delivery. The fake Moltbot extension also embeds hard-coded URLs to get the executable and the DLL to be sideloaded. A second alternative method involves using a batch script to obtain the payloads from a different domain (“darkgptprivate[.]com”).
The Security Risks with Moltbot
The disclosure comes as security researcher and Dvuln founder Jamieson O’Reilly found hundreds of unauthenticated Moltbot instances online, exposing configuration data, API keys, OAuth credentials, and conversation histories from private chats to unauthorized parties.
“The real problem is that Clawdbot agents have agency,” O’Reilly explained. “They can send messages on behalf of users across Telegram, Slack, Discord, Signal, and WhatsApp. They can execute tools and run commands.”
This, in turn, opens the door to a scenario where an attacker can impersonate the operator to their contacts, inject messages into ongoing conversations, modify agent responses, and exfiltrate sensitive data without their knowledge. More critically, an attacker could distribute a backdoored Moltbot “skill” via MoltHub (formerly ClawdHub) to stage supply chain attacks and siphon sensitive data.
Intruder, in a similar analysis, said it has observed widespread misconfigurations leading to credential exposure, prompt injection vulnerabilities, and compromised instances across multiple cloud providers.
“The core issue is architectural: Clawdbot prioritizes ease of deployment over secure-by-default configuration,” Benjamin Marr, security engineer at Intruder, said in a statement. “Non-technical users can spin up instances and integrate sensitive services without encountering any security friction or validation. There are no enforced firewall requirements, no credential validation, and no sandboxing of untrusted plugins.”
Users who are running Clawdbot with default configurations are recommended to audit their configuration, revoke all connected service integrations, review exposed credentials, implement network controls, and monitor for signs of compromise.
