February 2, 2026
Autocomplete or autoleak?
MaliciousCorgi: AI Extensions send your code to China
They help you code—then secretly ship your files to China; devs scream “we told you”
TLDR: Two popular VS Code AI extensions allegedly copied entire files and user activity and sent them to servers in China, while secretly tracking users. Commenters are split between “we warned you” cynicism, calling for bans on AI at work, and blaming the extension platform for making this kind of data grab easy.
Two shiny AI helpers in VS Code with 1.5M installs didn’t just autocomplete your code—users say they vacuumed entire files and every keystroke, then quietly sent it to servers in China, while a hidden tracker profiled who you are and what you’re building. The mood? Outrage meets “told ya.” One camp shrugs, with a top comment dryly noting, “AI already sends your code to US so…” while others accuse companies of letting workers “vibe all company secrets into the cloud.” It’s anger, irony, and a lot of side‑eye.
The split gets spicy: platform skeptics bark that the real villain is the plugin model—“you’re running arbitrary extensions,” so what did you expect? Security cynics pile on: if you install free, random tools, you’re basically inviting spyware into your editor. Then come the purists dunking on coworkers who “pollute their IDE” (that’s your coding app) with every trendy assistant, malicious or not. Memes land fast: “autocomplete became autoleak,” “your code has more frequent‑flyer miles than you,” and “Copi‑lot of your files” (sorry, GitHub Copilot, you were just the comparison). The community’s bottom line: these extensions worked great—it’s the no consent, no disclosure shadow‑copying that has everyone reaching for the uninstall button.
Key Points
- Two VS Code AI assistant extensions with ~1.5 million installs covertly exfiltrate source code and edits to servers in China.
- Beyond normal autocomplete, three hidden channels run: real-time file monitoring, server-triggered mass harvesting, and a profiling engine.
- Channel 1 reads entire files on open and on every edit, encodes them in Base64, and sends them via a hidden iframe in a webview.
- Channel 2 remotely triggers a workspace harvest via a jumpUrl JSON command (getFilesList), sending up to 50 files without user interaction.
- Channel 3 loads Zhuge.io, GrowingIO, TalkingData, and Baidu Analytics in a hidden iframe to fingerprint devices and build user identity profiles.