Moltbot Users Attacked by Malicious Extension: Researchers Expose Vulnerabilities -

Post Views: 10

Moltbot Users Attacked by Malicious Extension: Researchers Expose Vulnerabilities

“Recently, researchers have exposed that security loopholes become the medium of attack due to malicious extensions.”

After researchers discovered exposed instances, flawed default configurations, and a malicious Visual Studio Code extension that covertly gave attackers remote access to developers’ computers, a well-known open-source project that enables users to run personal AI assistants locally has become the focal point of an expanding security controversy.

A Convenience-Designed Tool Presented at Scale

With the promise of a locally run artificial intelligence assistant that can speak across platforms like WhatsApp, Telegram, Slack, and Discord, Moltb ot, originally known as Clawdbot, has become increasingly popular in recent months, attracting tens of thousands of developers.

The project, which was started by Austrian developer Peter Steinberger, has received over 85,000 stars on GitHub, demonstrating the strong demand for self-hosted substitutes for cloud-based AI tools.

There has also been criticism of its quick acceptance. According to security researchers, hundreds of Moltbot instances that are openly available on the internet without authentication have been found, exposing configuration files, API keys, OAuth passwords, and private chat conversation histories.

Sensitive integrations connected to messaging apps and other services were sometimes exposed by these incidents, exposing the digital keys that enable the agent to act on behalf of a user.

In a different investigation, cybersecurity company Intruder claimed to have found numerous misconfigurations in comparable AI agent deployments in various cloud settings. The company cautioned that these errors frequently resulted in hacked systems, prompt-injection vulnerabilities, and credential disclosure.

Researchers

The problem is not specific to any one project; rather, it is a reflection of the rapid deployment of AI agents without corresponding security safeguards.

Architectural Decisions and the “Agency” Question

The amount of authority these agents are automatically granted is at the core of the issue. Moltbot agents have a level of “agency” that increases the impact of any compromise because they can send messages, conduct commands, and execute tools across a variety of platforms.

The Technical Irony

Recently, MoltBot changed its name from “ClawdBot” (because of a trademark dispute with Anthropic). Attackers hurried to fill the “naming vacuum” left by this change. The attackers were occupied with squatting on the VS Code Marketplace and the obscene namespace while the community was busy upgrading their repositories.

Benjamin Marr, Security Engineer, Intruder

“The fundamental problem is architectural.” Easy deployment was given precedence over secure-by-default configurations in systems such as Clawdbot. Without having to deal with sandboxing for third-party plugins, enforced firewall rules, or credential validation, non-technical users may start up instances and connect sensitive services.

After finding unauthenticated Moltbot instances online, security researcher and Dvuln founder Jamieson O’Reilly shared the same worries.

Jamieson O’Reilly, Security Researcher, Founder, Dvuln, Assessment

Beyond data leaks, the potential for agents to act independently across messaging platforms poses a risk. Without the user’s knowledge, a successful attacker might discreetly steal critical data, insert messages into ongoing discussions, or pose as an operator to their contacts.

Backdoored “skills” might be distributed via MoltHub, the project’s plugin repository formerly known as ClawdHub, by abusing the same methods that made Moltbot flexible. Supply-chain attacks that disseminate malicious programs to otherwise trustworthy installations are made possible by such a vector.

A Malevolent Addition to the Official Marketplace

Late last month, when researchers discovered a malicious Visual Studio Code extension masquerading as an official Moltbot program, those threats went from being theoretical to tangible.

On January 27, 2026, the extension, “ClawdBot Agent – AI Coding Assistant,” which was released under the identifier “clawdbot.clawdbot-agent,” was listed on Microsoft’s official Extension Marketplace. Microsoft later took it down.

Security Firms, Analyses, including Aikido,

On PCs where it was installed, the extension dropped a concealed payload despite claiming to be a free AI coding assistant. Every time Visual Studio Code launched, the extension ran automatically, obtaining a configuration file called “config.json” from an external server and utilizing it to create a binary called “Code.exe.”

In order to provide persistent remote access to the compromised PC, the binary installed ConnectWise ScreenConnect, a legal remote desktop solution, and linked it to a server under the control of the attacker.

Researchers

By distributing a pre-configured client via the extension and setting up their own ScreenConnect relay infrastructure, the attackers were able to “phone home” infected PCs as soon as they were installed.

Redundancy, Persistence, and the Repercussions

There was no one delivery technique used by the extension. Investigators discovered a number of backup plans intended to guarantee that the payload would reach victims even in the event that some infrastructure components were compromised.

One method was to retrieve the payload from Dropbox by sideloading “DWrite.dll,” a Rust-based DLL that was listed in the same configuration file. Hard-coded URLs were inserted in another method, and components were retrieved from a different domain using a different batch script.

Charlie Eriksen, Researcher, Aikido

“This loader wasn’t a one-shot.” “It was designed to be resilient.” The layered architecture implied a conscious attempt to preserve access in the event that command-and-control servers were taken offline or banned.

Security Researchers

Attackers seem to have taken advantage of Moltbot’s lack of an approved Visual Studio Code extension by taking advantage of the project’s growing popularity.

The operators were able to fool gullible developers into installing the extension from a reliable marketplace by using a well-known name and portraying it as an official companion.

Security companies have advised users of Moltbot or comparable programs with default configurations to audit their setups, cancel associated integrations, rotate exposed passwords, and implement network controls in reaction to the wider findings.

They stated that any deployment that gives AI agents the power to behave across various services must now keep an eye out for indications of compromise.

How Can Your AI Stack Be Hardened?

Put an end to viewing local AI agents as “just another app.” High-privilege system services are what they are.

Firewall Your Console: Never allow the WAN to access port 8080 or any other admin port. If you require distant access, use a VPN or a Tailscale funnel.
Sandbox the Runtime: Run MoltBot with –read-only and –cap-drop=ALL in a Docker container. If you don’t want an AI agent to “hallucinate” your SSH keys into a public gist, don’t grant it unrestricted access to your host filesystem.
Audit the “Skills”: ClawdHub is a plugin library used by MoltBot. These “skills” are nothing more than code. The moment your bot loads a “poisoned” skill, it can do Remote Code Execution (RCE).

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking. Find out more about “Him.”

WhatsApp Unleashes High-Security Mode: Meta Ensures the Safety of Users