Cybersecurity researchers are raising the alarm over a malicious browser extension. This extension acts like a personal coding assistant for Moltbot — an open-source, multi-lingual chatbot project created by Austrian programmer Peter Steinberger. One such user, “clawdbot,” published a fake censorship extension on January 27, 2026. This extension capitalizes on the growing popularity of Moltbot, which has already received more than 85,000 stars on Github. The extension markets itself as a free AI-powered code accomplice. In fact, it surreptitiously implants a dangerous payload on affected hosts, introducing enormous hazards to developers.
Moltbot allows users to run their very own personal AI assistant. The behind-the-wheel assistant This LLM-powered assistant runs completely on your local device. It allows for easy engagement through the many communication platforms that people already frequent. Compatible with WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, WebChat. The harmful extension undermines this tool significantly. Lurking under the surface, it takes these harmful actions every time you open the integrated development environment (IDE).
Mechanism of the Malicious Extension
The harmful extension is taking active steps to download a file named “config.json” from a remote server, in this instance “clawdbot.getintwopc[.]site.” It then launches a binary called “Code.exe.” This binary starts up a legitimate remote desktop application, ConnectWise ScreenConnect. As a concrete consequence, attackers have free reign to access breached systems. The extension flies under the radar. It embeds static URLs to run on-demand malicious executable and DLL files.
The danger presented by this expansion goes far beyond data hacking. An attacker could use a backdoored Moltbot “skill” and circulate it to many people’s MoltHub (formerly ClawdHub) accounts. That could lead to supply chain attacks that exfiltrate sensitive developer data from an unknowing developer. This extension’s capacity to function in secret underscores an alarming weakness in the software supply chain.
“If an attacker compromises the same machine you run MoltBot on, they do not need to do anything fancy,” – 1Password
Risks of Data Exfiltration
The bad extension poses a serious data exfiltration threat. Today’s infostealers are able to scrape various widely available directories or useful developer configurations digging for credentials, tokens, session logs, and more. As stated by 1Password, “Modern infostealers scrape common directories and exfiltrate anything that looks like credentials, tokens, session logs, or developer config.”
Jamieson O’Reilly further elaborated on the capabilities of these malicious agents:
“They can send messages on behalf of users across Telegram, Slack, Discord, Signal, and WhatsApp. They can execute tools and run commands.”
This capability poses important risk issues related to agent hijacking. Our partner Token Security has put out the following warning. If an attacker receives write access via a RAT deployed with the stealer, they can perform a risky technique called “Memory Poisoning.” The effects of proceeding like this might ultimately be widespread cognitive context piracy.
“For infostealers, this data is unique. It isn’t just about stealing a password; it is about Cognitive Context Theft,” – Token Security
Developer Awareness and Security Concerns
The emergence of this harmful extension is a relevant reminder about the opportunities for abuse in highly popular, widely accessible dev tools. Cybersecurity experts warn that security should be a priority when using sensitive public services within development infrastructures. Benjamin Marr pointed out that:
“The core issue is architectural: Clawdbot prioritizes ease of deployment over secure-by-default configuration.”
Alternatively, non-technical users will find it straightforward to spin up instances and plug in sensitive services without running into sufficient security controls. This absence of mandated firewalls and credential checking leaves an opening that is perfect for exploitation.
Charlie Eriksen noted that deeper payload analysis indicates that attackers anticipated certain failures in their delivery methods:
“Deeper payload analysis suggests the attacker anticipated failures, and several delivery methods don’t work reliably.”
He demonstrated how the malicious file “code.exe” loads “DWrite.dll” using DLL side-loading techniques. This setup presents additional hazards, particularly when both files are kept in the same folder.