Image: Aikido
The viral popularity of AI coding assistants has attracted a new kind of predator. On January 27, 2026, security researcher Charlie Eriksen of Aikido Security discovered a malicious Visual Studio Code extension masquerading as the popular “ClawdBot.” Under the guise of a helpful AI tool, the extension—dubbed “ClawdBot Agent”—was found to be silently deploying malware onto developers’ machines.
The incident highlights a growing trend where attackers exploit the hype cycle of new AI tools to trick savvy users. “If you’ve been anywhere near AI X lately, you’ve probably seen Clawdbot mentioned everywhere,” the report notes. “Naturally, this makes it a prime target for impersonation”.
What made this attack particularly dangerous was the level of effort put into the deception. Unlike low-effort scams that often break or do nothing, this malicious extension actually worked.
“The fake extension looks incredibly legitimate,” the report states. “Professional icon, polished UI, integration with seven different AI providers… It even works as advertised, which is precisely what makes it dangerous”.
By functioning as a legitimate coding assistant—powered by real APIs from OpenAI, Anthropic, and Google—the malware lulled victims into a false sense of security while it operated in the background.
“We confirmed the extension is a fully functional trojan: a working AI coding assistant on the surface, while silently dropping malware onto Windows machines the moment VS Code starts,” the report states.
The attack chain involved downloading a payload disguised as Lightshot.exe—a common screen capture tool—or an Electron bundle named Code.exe. However, analysis of the infrastructure revealed that these filenames were merely camouflage for a sophisticated dropper.
“Notice something interesting? The hardcoded fallbacks still reference Lightshot.exe and Lightshot.dll… This suggests the attackers likely evolved their payload over time,” Eriksen writes.
The investigation traced the malware’s command-and-control (C2) traffic to a suspicious domain: darkgptprivate[.]com. Hosted in the Seychelles by Omegatech LTD, the domain was registered just weeks before the attack.
The attackers built redundancy into their operation, using Cloudflare to mask their primary server (clawdbot.getintwopc[.]site) and maintaining backup mechanisms. “If the primary C2 goes down, they have a backup. If Node.js fails, they have PowerShell… These folks did their homework”.
Fortunately, the malicious extension was caught early. “We immediately reported it to Microsoft, who were very quick to remove the extension,” the report confirms.
With only 21 installs recorded at the time of removal, the blast radius was limited. However, the incident serves as a stark reminder to developers: in the gold rush of AI tools, always verify the developer before you install. As the report concludes, “The real Clawdbot team never published an official VS Code extension. The attackers just claimed the name first”.
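As an added example, not code from the Aikido report or from this article: a Python triage script that walks an unpacked VS Code extensions folder, flags extensions that activate at startup (as the trojan did) and greps their bundled JavaScript for the indicators quoted above. The fixture directory and the `good`/`fake` extension names are constructed for the demo.

```python
import json
import os
import re
import tempfile

# Indicators from the Aikido write-up as regexes (defanged domains re-joined for matching).
IOC_PATTERNS = [r"darkgptprivate\.com", r"clawdbot\.getintwopc\.site", r"Lightshot\.(exe|dll)"]
STARTUP_ACTIVATION = {"*", "onStartupFinished"}  # the trojan fired as soon as VS Code started

def scan_extension(ext_dir):
    """Return (extension id, reason) findings for one unpacked extension directory."""
    manifest = os.path.join(ext_dir, "package.json")
    if not os.path.isfile(manifest):
        return []
    with open(manifest, encoding="utf-8") as fh:
        pkg = json.load(fh)
    ext_id = f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}"
    findings = []
    if STARTUP_ACTIVATION & set(pkg.get("activationEvents", [])):
        findings.append((ext_id, "activates on startup"))
    for root, _, files in os.walk(ext_dir):  # grep the bundled JavaScript for the indicators
        for fn in sorted(f for f in files if f.endswith(".js")):
            with open(os.path.join(root, fn), encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            findings += [(ext_id, f"{fn} matches {p}") for p in IOC_PATTERNS if re.search(p, text, re.I)]
    return findings

def scan_extensions(extensions_root):
    """Scan every extension under e.g. ~/.vscode/extensions and collect the findings."""
    dirs = [os.path.join(extensions_root, d) for d in sorted(os.listdir(extensions_root))]
    return [f for d in dirs if os.path.isdir(d) for f in scan_extension(d)]

def build_demo_root():
    """Constructed fixture (not real extensions): one benign, one mimicking the trojan's traits."""
    root = tempfile.mkdtemp()
    demos = {
        "good.helper-1.0.0": ({"publisher": "good", "name": "helper", "activationEvents": ["onCommand:helper.run"]},
                              "exports.activate = () => {};"),
        "fake.clawdbot-agent-1.0.0": ({"publisher": "fake", "name": "clawdbot-agent", "activationEvents": ["*"]},
                                      "const fallback = 'Lightshot.exe'; const c2 = 'https://darkgptprivate.com/';"),
    }
    for folder, (pkg, js) in demos.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "package.json"), "w") as fh:
            json.dump(pkg, fh)
        with open(os.path.join(root, folder, "extension.js"), "w") as fh:
            fh.write(js)
    return root
```

Point `scan_extensions` at a real extensions directory to review what is installed; a startup-activation hit on its own is only a prompt to look closer, while an indicator match warrants removing the extension and checking the host.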