Researchers warn of malicious Visual Studio Code extensions


Attackers could easily spoof popular Visual Studio Code extensions and trick developers into downloading them, Aqua Nautilus researchers report.


Can developers trust the extensions they install in Microsoft's popular Visual Studio Code editor? Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unsuspecting developers into installing them.

Some malicious extensions may already be exploiting this, Aqua security researcher Ilay Goldman wrote in a January 6 blog post. It can be hard to distinguish a malicious extension from a benign one, and because VS Code does not sandbox extensions, an extension runs with the same privileges as the editor itself: it could deploy ransomware, wipers or other malicious code, and it can read and modify the user's source code, Goldman wrote.

VS Code extensions, which provide capabilities ranging from Python language support to JSON file editing, are distributed through Microsoft's Visual Studio Code Marketplace. The Marketplace identifies an extension by its publisher ID and extension name, but the display name and icon that most users look at are not unique and can be reused by another publisher. To test this, Aqua Nautilus uploaded an extension masquerading as the Prettier code formatter and saw more than 1,000 installs from around the world in less than 48 hours. The spoof extension has since been removed.

Goldman noted that the Visual Studio Code Marketplace runs a virus scan for each new extension and subsequent updates, and removes malicious extensions when it finds them.

Users can report suspicious-looking extensions via a Report Abuse link. Microsoft released a statement on the precautions it takes with the Marketplace:

To help keep customers safe and protected, we scan extensions for viruses and malware before they are uploaded to the Marketplace and we check that an extension has a Marketplace certificate and verifiable signature prior to being installed. To help make informed decisions, we recommend consumers review information, such as domain verification, ratings and feedback to prevent unwanted downloads.

Social engineering techniques have been used to persuade victims to download a malicious extension, Microsoft said.

Visual Studio Code also has a Workspace Trust feature that lets users decide whether code in a project or folder may be executed by the editor or by extensions without their explicit approval. A folder that is not trusted stays in Restricted Mode, in which tasks, debugging and extension features that could execute workspace code are disabled until the user chooses to trust it.
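The two defensive checks the article points at, comparing an installed extension's real identity (publisher.name) against the display name it shows, and confirming Workspace Trust has not been switched off, can be scripted. The following is an added example written for this article; it is not code from Aqua Nautilus or Microsoft. It assumes the default extensions directory layout (`~/.vscode/extensions/<publisher>.<name>-<version>/package.json`), uses a short illustrative allow-list of real Marketplace identifiers, and runs offline on constructed sample data: the `lookalike-publisher` entry is hypothetical, and the settings fragment is constructed to show the weak values. The comment stripping for settings.json is simplified and assumes no comment markers inside string values and no trailing commas.

```python
"""Audit locally installed VS Code extensions for identities that imitate
well-known ones, and check that Workspace Trust has not been weakened.

Added example for this article; not code from Aqua Nautilus or Microsoft.
Standard library only, so it runs offline on the constructed sample below.
"""
import difflib
import json
import re
from pathlib import Path

# Real Marketplace identifiers (publisher.name) and display names of a few
# widely installed extensions. Illustrative; extend for your own environment.
KNOWN_EXTENSIONS = {
    "esbenp.prettier-vscode": "Prettier - Code formatter",
    "ms-python.python": "Python",
    "dbaeumer.vscode-eslint": "ESLint",
}


def _normalize(name: str) -> str:
    """Lower-case and drop punctuation/whitespace so 'Prettier-Code Formatter'
    and 'prettier code formatter' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def extension_id(manifest: dict) -> str:
    """The identity VS Code actually uses: <publisher>.<name> from package.json."""
    return f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()


def find_lookalikes(manifests, known=KNOWN_EXTENSIONS, threshold=0.85):
    """Return (installed_id, imitated_id) pairs where an extension's display name
    equals or closely resembles a known extension's but its publisher.name differs.
    The display name is what the Marketplace UI shows; the identifier is what
    should be trusted."""
    findings = []
    known_by_norm = {_normalize(v): k for k, v in known.items()}
    for m in manifests:
        inst_id = extension_id(m)
        if inst_id in known:
            continue  # the genuine extension
        shown = _normalize(m.get("displayName", m.get("name", "")))
        if not shown:
            continue
        for kn_norm, kn_id in known_by_norm.items():
            ratio = difflib.SequenceMatcher(None, shown, kn_norm).ratio()
            if shown == kn_norm or ratio >= threshold:
                findings.append((inst_id, kn_id))
                break
    return findings


def load_installed_manifests(extensions_dir=Path.home() / ".vscode" / "extensions"):
    """Read package.json from every extension directory (default install layout:
    <publisher>.<name>-<version>/package.json). Unreadable manifests are skipped."""
    manifests = []
    for pkg in Path(extensions_dir).glob("*/package.json"):
        try:
            manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, json.JSONDecodeError):
            continue
    return manifests


def _strip_jsonc(text: str) -> str:
    """settings.json may contain // and /* */ comments; remove them before parsing.
    Simplified: assumes comment markers never appear inside string values."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def check_workspace_trust(settings_text: str):
    """Return findings for settings that weaken Workspace Trust. The keys are the
    real VS Code setting names; both default to the safer value when absent."""
    settings = json.loads(_strip_jsonc(settings_text).strip() or "{}")
    findings = []
    if settings.get("security.workspace.trust.enabled", True) is False:
        findings.append("security.workspace.trust.enabled is false: every folder "
                        "is trusted and Restricted Mode never applies")
    if settings.get("security.workspace.trust.untrustedFiles", "prompt") == "open":
        findings.append("security.workspace.trust.untrustedFiles is 'open': files "
                        "from outside a trusted folder open without a prompt")
    return findings


# Constructed sample manifests (not real Marketplace data): the genuine Prettier,
# an unrelated benign extension, and a hypothetical lookalike that reuses
# Prettier's display name under a different publisher.
SAMPLE_MANIFESTS = [
    {"publisher": "esbenp", "name": "prettier-vscode", "displayName": "Prettier - Code formatter"},
    {"publisher": "ms-vscode", "name": "hexeditor", "displayName": "Hex Editor"},
    {"publisher": "lookalike-publisher", "name": "prettier-vscode", "displayName": "Prettier - Code formatter"},
]

# Constructed settings.json showing the weak values for both trust settings.
WEAK_SETTINGS = """{
    // Workspace Trust disabled: extensions run in every folder without approval
    "security.workspace.trust.enabled": false,
    "security.workspace.trust.untrustedFiles": "open"
}"""

if __name__ == "__main__":
    for inst, imitated in find_lookalikes(SAMPLE_MANIFESTS):
        print(f"LOOKALIKE: {inst} uses the display name of {imitated}")
    for finding in check_workspace_trust(WEAK_SETTINGS):
        print("WEAK SETTING:", finding)
```

To run it against a real machine, pass `load_installed_manifests()` to `find_lookalikes` and the contents of the user settings.json to `check_workspace_trust`. The allow-list approach is deliberate: the audit trusts only the exact publisher.name pairs you have vetted, and treats any other extension wearing a known display name as suspect rather than trying to guess which of two similarly named extensions is genuine.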

Nevertheless, Goldman warned that the threat of malicious Visual Studio Code extensions is real. VS Code extensions can also be obtained from npm, which faces supply-chain security threats of its own, Goldman noted.
