Jeff Bruchado
Back to blog

VSCode Forks Expose Users to Attacks Through Recommended Extensions: What You Need to Know

Hello HaWkers, a recent security discovery is generating concern in the developer community. Researchers have identified that popular Visual Studio Code forks may be exposing users to attacks through the "recommended extensions" system present in projects.

If you use VSCodium, Cursor, or any other VSCode fork, this article is essential to understand the risks and how to protect yourself.

What Was Discovered

The problem is related to the .vscode/extensions.json file that many projects use to recommend extensions to developers who open the repository.

How The Attack Works

The attack flow:

  1. Attacker creates or contributes to a popular repository
  2. Adds malicious extension to the extensions.json file
  3. Developer clones the project and opens it in VSCode fork
  4. IDE suggests installation of recommended extensions
  5. User accepts thinking it is legitimate
  6. Malicious extension gains system access

Why Forks Are More Vulnerable

Microsoft's official VSCode has more rigorous verification processes for the marketplace. Forks frequently:

Use alternative marketplaces:

  • Open VSX Registry (VSCodium)
  • Own marketplaces (Cursor)
  • Direct .vsix installation

Have fewer verification resources:

  • Smaller teams
  • Less automated analysis
  • Limited manual review

Trust community extensions:

  • No author identity verification
  • No mandatory code analysis
  • Updates without review

The Scope Of The Problem

This vulnerability is not theoretical. Real cases have already been documented and the potential impact is significant.

Capabilities of Malicious Extensions

An extension installed in your editor can:

File access:

  • Read any workspace file
  • Access files outside the project
  • Silently modify source code

Code execution:

  • Execute terminal commands
  • Make network requests
  • Install additional software

Credential theft:

  • Capture API tokens
  • Read .env files
  • Intercept keyboard inputs

Persistence:

  • Modify editor settings
  • Add startup scripts
  • Install other extensions

Projects At Risk

Any project with an extensions.json file can be an attack vector:

Popular frameworks:

  • React, Vue, Angular templates
  • Node.js boilerplates
  • Course and tutorial projects

Corporate repositories:

  • Company monorepos
  • Open source libraries
  • SDKs and internal tools

How To Verify Your Extensions

Before installing any extension, it is essential to verify its legitimacy.

Verification Checklist

1. Verify the publisher:

# In VSCode terminal, list installed extensions
code --list-extensions --show-versions

Compare with official publishers:

  • Microsoft should have account verification
  • Popular extensions should have thousands of downloads
  • Check the GitHub repository link

2. Analyze the source code:

For critical extensions, clone the repository and review:

# Clone the extension repository
git clone https://github.com/publisher/extension-name

# Look for suspicious code
grep -r "exec\|spawn\|fetch\|http" src/

3. Check requested permissions:

In the extension's package.json, look for:

{
  "activationEvents": ["*"],
  "contributes": {
    "commands": []
  }
}

Extensions that activate on all events (*) deserve extra attention.

Extensions To Remove Immediately

If you find extensions with these characteristics, remove them:

Warning signs:

  • Unknown publisher with few downloads
  • Name similar to popular extensions (typosquatting)
  • Last update long ago
  • No public repository
  • Excessive permissions for the function

Protecting Your Environment

There are several measures you can take to reduce risks.

Security Settings

1. Disable automatic recommendations:

In your editor's settings.json:

{
  "extensions.ignoreRecommendations": true,
  "extensions.autoCheckUpdates": false,
  "extensions.autoUpdate": false
}

2. Use workspace trust:

{
  "security.workspace.trust.enabled": true,
  "security.workspace.trust.untrustedFiles": "prompt"
}

3. Restrict task execution:

{
  "task.allowAutomaticTasks": "off",
  "terminal.integrated.allowWorkspaceConfiguration": false
}

Best Practices For Teams

Extension audit:

  • Maintain approved extension list
  • Review extensions.json in code reviews
  • Use dependency analysis tools

Security policies:

  • Document allowed extensions
  • Train developers on risks
  • Monitor suspicious installations

What Fork Maintainers Are Doing

The teams behind the main forks are already taking action.

VSCodium

Actions in progress:

  • Improvements to Open VSX Registry
  • Additional extension verification
  • Updated security documentation

Cursor

Team response:

  • Own marketplace analysis
  • Extension sandboxing in development
  • Alerts for unverified extensions

Community

Community initiatives:

  • Safe extension lists
  • Automated analysis tools
  • Security guides for developers

Safer Alternatives

If security is top priority, consider these options.

Use Official VSCode

Microsoft's marketplace has:

  • Publisher verification
  • Automated malware analysis
  • More rigorous review process
  • Dedicated security team

Development Containers

Use isolated environments:

// devcontainer.json
{
  "name": "Secure Dev",
  "image": "mcr.microsoft.com/devcontainers/base",
  "customizations": {
    "vscode": {
      "extensions": [
        "verified-extension.id"
      ]
    }
  }
}

Local Sandboxing

Run the editor in an isolated environment:

On macOS:

  • Native App Sandbox
  • Firejail for Linux

Docker:

FROM codercom/code-server:latest
# Isolated development environment

Checking Projects You Maintain

If you maintain open source projects, review your configuration files.

extensions.json Audit

# Find all extensions.json files
find . -name "extensions.json" -path "*/.vscode/*"

# Check the content
cat .vscode/extensions.json

Safe Template

{
  "recommendations": [
    "dbaeumer.vscode-eslint",
    "esbenp.prettier-vscode"
  ],
  "unwantedRecommendations": []
}

Only include extensions from verified and widely known publishers.

Final Reflection

The convenience of extensions and customizations comes with security responsibilities. As developers, our work environments have access to sensitive code, credentials, and critical systems.

The discovery of this vulnerability is an important reminder:

  • Always verify extensions before installing
  • Review configuration files in cloned projects
  • Keep your development environment secure
  • Contribute to community security by reporting issues

The extension ecosystem is one of the greatest strengths of VSCode and its forks. But this flexibility needs to be balanced with conscious security practices.

If you want to learn more about security in software development, I recommend checking out another article: Security Practices For JavaScript Developers where you will discover how to protect your code and work environment.

Let's go! 🦅

Comments (0)

This article has no comments yet 😢. Be the first! 🚀🦅

Add comments