Safeguard
Software Supply Chain Security

Malicious VS Code extensions report

150+ malicious VS Code extensions have been pulled from marketplaces since 2024. Here's how the attacks work — and how to defend against them.

Safeguard Research Team
Research
8 min read

SAN FRANCISCO — July 6, 2026. In the past eighteen months, security researchers have pulled back the curtain on one of the software supply chain's least-scrutinized attack surfaces: the developer's own editor. Since early 2024, independent researchers, extension-security vendors, and Microsoft itself have pulled more than 150 malicious or policy-violating extensions from the Visual Studio Code Marketplace and the Open VSX Registry, with individual campaigns racking up install counts in the tens of thousands before takedown. One widely cited sweep in late 2024 found over 200 extensions — spanning both marketplaces — exfiltrating credentials, mining cryptocurrency, or dropping remote-access tooling, some of which had sat live for months while accumulating five-star reviews from bot accounts. The message from this run of reports is consistent: the extension marketplace has become a viable, low-friction initial-access vector into engineering environments, and most organizations have no visibility into what their developers have installed.

This report synthesizes the public findings, breaks down the attack patterns behind them, and outlines what defensive teams should be doing differently in response.

A Marketplace Under Siege

VS Code's extension ecosystem is enormous and largely open by design — anyone can publish, updates ship automatically, and installs require little more than a click from inside the editor. That openness, which makes VS Code the most popular IDE on the planet, is precisely what makes it attractive to attackers. Unlike a public npm or PyPI package, a malicious extension runs with the same privileges as the editor itself: full filesystem access, the ability to spawn child processes, and — critically — a front-row seat to whatever secrets, tokens, and source code a developer happens to have open.

Researchers have documented several recurring publishing patterns:

  • Typosquatting popular extensions. Names deliberately mimicking well-known tools (theme packs, linters, Prettier variants, popular language-support extensions) to catch developers who mistype a search or click the wrong autocomplete suggestion.
  • Verified-publisher spoofing. Campaigns that either compromised legitimate publisher accounts or crafted convincing lookalike publisher profiles, borrowing the trust signal of a "verified" badge or a plausible-looking organization name.
  • Fake extension count and review inflation. Multiple reports found extensions using bot-generated installs and reviews to climb marketplace search rankings, since VS Code's default sort weights popularity heavily.
  • Delayed payload activation. Rather than shipping malicious code in the initial release, several campaigns published a clean extension, built up install counts and trust, then pushed a weaponized update weeks or months later — a pattern directly analogous to the npm and PyPI "reputation hijacking" campaigns security teams have seen for years.

Anatomy of a Malicious Extension

The payloads themselves cluster into a handful of well-understood objectives, but the delivery mechanism is what makes this vector distinct.

Credential and token theft. The most commonly reported behavior across 2024–2025 campaigns was harvesting cloud credentials, SSH keys, .env files, and CI/CD tokens from the developer's workspace and environment variables, then exfiltrating them to attacker-controlled infrastructure — frequently disguised behind legitimate-looking services such as paste sites, Discord webhooks, or third-party analytics endpoints to blend in with normal outbound traffic.

Cryptocurrency and wallet targeting. Several extensions specifically scanned for browser-based crypto wallet extensions and associated local storage, seed phrases, and clipboard contents — a payload family that overlapped heavily with campaigns also seen targeting npm and browser extension ecosystems.

Remote access and staged loaders. A subset of extensions functioned as a first-stage downloader: a small, seemingly benign extension that, post-install, reached out to fetch and execute a second payload, complicating static analysis and allowing the attacker to change the ultimate objective without republishing.

Obfuscated build steps. Because VS Code extensions are typically bundled JavaScript, several malicious packages relied on minification and packed dependencies to bury a handful of malicious lines inside thousands of lines of legitimate-looking bundle output — a technique that defeats casual code review and most naive marketplace scanning.

What ties these together is the trust model: an extension install looks nothing like running an unknown binary. It looks like a normal part of setting up a dev environment, which is exactly why it bypasses the instincts developers have built up around phishing emails and suspicious downloads.

Notable Patterns From Public Reporting

Independent extension-security researchers who have systematically scanned both the Microsoft Marketplace and Open VSX have repeatedly found that malicious or high-risk extensions are not rare edge cases — they are a persistent, replenishing population. Findings reported across multiple studies include:

  • Extensions impersonating popular color themes and productivity tools, some accumulating tens of thousands of installs before removal.
  • Clusters of extensions traced back to the same publisher infrastructure, suggesting organized, repeatable tooling for spinning up new malicious listings after old ones are taken down.
  • A meaningful gap in response time between public disclosure and marketplace removal, during which install counts continued to climb.
  • Open VSX, used by VS Code-derived editors and cloud IDEs, showing weaker vetting than the primary Microsoft Marketplace in several documented cases — an important detail for organizations standardizing on forks or web-based IDEs.

Microsoft has responded with expanded automated scanning and faster takedown processes, and has increasingly required publisher verification for certain extension categories. Those are meaningful improvements, but they address the marketplace's front door — they do nothing for extensions a developer already has installed, nor for the interval between a malicious update shipping and its eventual detection.

Why Traditional Defenses Fall Short

Most organizations' existing controls simply weren't built with this vector in mind. Endpoint detection tools are tuned for malware behaviors, not for a signed, marketplace-distributed extension quietly reading environment variables. Traditional SCA and SBOM tooling focuses on the dependencies inside an application's build — not the tooling installed inside the IDE that built it. And code review, by definition, never looks at a developer's local editor configuration.

The result is a blind spot that sits upstream of almost every other supply chain control an organization has invested in. A compromised developer workstation can leak the very credentials — cloud keys, registry tokens, signing keys — that downstream controls assume are safe. It is, in effect, a pre-supply-chain attack on the supply chain.

Compounding the problem, extension auto-update is on by default. A developer who vetted an extension once, months ago, has no practical way to know whether this week's silent update introduced a new outbound connection or a new dependency with a fresh CVE. Manual review doesn't scale to that update cadence, and most security teams have no inventory of what's installed across their developer fleet in the first place — let alone a way to correlate an extension's behavior against what it can actually reach in the environment.

What Security Teams Should Do Now

Based on the pattern of incidents to date, a few concrete steps meaningfully reduce exposure:

  1. Inventory installed extensions across the fleet. You cannot assess risk in tooling you don't know exists. Treat editor extensions as a first-class asset category, the same way you would treat browser extensions or third-party SaaS integrations.
  2. Restrict installs to vetted publishers where possible. VS Code supports enterprise policies to allow-list extensions and publishers; use them, especially for extensions with filesystem or network capabilities.
  3. Monitor for outbound connections from developer environments, not just production. Many of the documented campaigns were detectable at the network layer well before anyone noticed anything wrong in the editor itself.
  4. Treat extension updates like dependency updates. Delayed-activation payloads mean a "safe" extension from six months ago is not guaranteed safe today. Pin versions where feasible and review changelogs for capability changes.
  5. Rotate and scope credentials aggressively. Since the primary payload objective is credential theft, short-lived, narrowly scoped tokens limit the blast radius even when an extension does turn out to be malicious.

How Safeguard Helps

Safeguard extends software supply chain visibility to the parts of the toolchain most programs never inventory, including developer tooling and the dependencies it pulls in. Our SBOM generation and ingest pipeline catalogs components across the environment — not just application manifests — so security teams can answer "do we have this anywhere?" the moment a malicious extension or package is disclosed, rather than scrambling through spreadsheets. Griffin AI correlates that inventory against live threat intelligence to flag exposure automatically and cut through alert noise, while our reachability analysis distinguishes components that are actually loaded and exercised from those that merely sit on disk, so teams can prioritize the handful of findings that matter instead of triaging everything with equal urgency. When a fix is available, Safeguard can open an auto-fix pull request directly against the affected repository, shrinking the gap between disclosure and remediation from days to minutes. Together, these capabilities give security teams the same continuous, evidence-based coverage over developer tooling that they already expect for application dependencies.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.