Cybercriminals leveraged the popularity of Moltbot (also known today as OpenClaw) to distribute malware through a fake Visual Studio Code extension, potentially impacting an unknown number of users. Fortunately, the campaign was spotted quickly and the extension was flagged and taken down after researchers analyzed it.
What Moltbot is and why it’s an attractive target
Moltbot is an open-source personal AI assistant designed to run locally (on your computer or server), rather than relying purely on the cloud. That local-first approach is great for control and integrations, but it also raises the stakes: software with deep system access becomes a high-value target, and misconfigurations or malicious add-ons can expose sensitive data and enable system compromise.
The project was previously known as Clawdbot, was renamed amid broader naming/trademark friction, and quickly accumulated tens of thousands of stars on GitHub, becoming a viral tool among developers.
The scam: a “missing official extension” gap attackers exploited
This is a classic trust trap: if an official extension doesn’t exist yet, people will go looking for it.
According to Aikido, attackers published a VS Code Marketplace extension with a plausible name (reported as “ClawdBot/ClawBot Agent – AI Coding Assistant”). It appeared to work as advertised an AI coding helper while silently dropping a trojan on Windows when VS Code started.
The malware chain involved a weaponized remote-access component (ScreenConnect by ConnectWise), effectively enabling remote control capabilities.
Why it looked legit
What made it particularly risky wasn’t just the payload it was the polish:
- professional-looking icon and UI;
- claimed integrations with major AI providers such as OpenAI, Anthropic, Google, Ollama, Groq, Mistral AI, and OpenRouter.
In other words: it looked “too real” to be fake by design.
Quick safety checklist
If you install AI agents/extensions, especially ones that promise deep system access:
- Verify the publisher (official site/repo links, consistent branding, trusted announcements).
- Be skeptical of the “first/only” extension if the project hasn’t publicly shipped one.
- Watch for red flags: unexpected downloads, remote-access tooling, suspicious startup hooks.
Test new tools in a VM/sandbox, and avoid admin privileges.
