
52 points | shadow-ninja | 1 comment

Did you know that VSCode extensions run with full access to your system—including file system, network, and credentials? Worse, dozens of malicious extensions have already made it into the marketplace, silently compromising devices.

I am a security researcher and student developer who ran into this problem myself. To help tackle this, I built a 100% free tool (no login required) that scans VSCode (and Cursor/Windsurf) extensions for:

- Hidden malware and obfuscated code

- Dangerous permissions and API misuse

- Vulnerable dependencies and suspicious network connections

Users have already found hundreds of vulnerabilities in extensions. VSCan generates a clean, developer-friendly security report to help you understand what you're installing.

Try it out: https://www.vscan.dev

I have also developed custom sandboxing security architecture to restrict extensions from malicious activity during runtime. There is no existing technology that does this, so if you would be interested in trying it out or learning more, please reach out!

I would greatly appreciate any feedback and thanks for your help!

_______________________________________________________________________________

Here are some numbers as to what I have detected from a sample of 1077 extensions that are available on the Marketplace:

- 3 extensions are marked as malicious by VirusTotal

- 7 extensions use malicious network connections (verified by VirusTotal)

- 33 extensions have dependencies with critical vulnerabilities

- 39 extensions have sensitive information (I have seen API keys, usernames, passwords, etc.)

- 204 extensions have poor development practices as marked by OSSF

- 71 extensions have very high permissions (while not bad, this can be an indicator of potential malicious activity)

As an example here is the link to an extension analysis with malicious network endpoints: https://vscan.dev/?analysisId=9e6c1849-3973-402b-a4ff-3b4023...

whalesalad ◴[] No.44372628[source]
Using this is kind of a pain in the butt (looking thru all installed extensions and pasting in the raw name one by one). Could this be packaged as an extension itself, that scans other extensions? Or provide a CLI command to export all of your installed extensions as a list, which you can then upload? Or better, a one liner that will export your extensions to stdin, POST them to your API, and it will return a URL that you can click and load in the browser to explore the breakdown of (potential) issues.
replies(1): >>44373091 #
shadow-ninja ◴[] No.44373091[source]
Thanks for the suggestion. I was thinking about making this into a chrome web extension that people can use on a marketplace page or even using MCP to make this tool really accessible for Cursor and Windsurf users.

As for the raw name, most extensions should work if you just put the display name. The search algorithm directly pulls from the vscode marketplace.

replies(1): >>44373112 #
whalesalad ◴[] No.44373112[source]
I have 70 extensions installed though. Turns out there is a cli flag to print them, though: "code --list-extensions"

If you update your UI to accept a "bulk analyze" mode where a list of newline extensions could be submitted and rendered out on a page, that would be pretty cool.

replies(1): >>44373131 #
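The inventory step whalesalad describes (`code --list-extensions` and a newline list for a bulk-analyze mode), as an added example that is not part of this thread or of VSCan: it reads each installed extension's `package.json` from the local extensions directory, emits the same `publisher.name` ids, and flags extensions whose `activationEvents` run code at every editor start. It assumes VS Code's default `~/.vscode/extensions` layout (Cursor and Windsurf keep their own directories, so pass that path instead); the sample extensions it builds are constructed, hypothetical manifests.

```python
import json
import tempfile
from pathlib import Path

# VS Code default layout: ~/.vscode/extensions/<publisher>.<name>-<version>/package.json
DEFAULT_EXT_DIR = Path.home() / ".vscode" / "extensions"
# Activation events that run extension code at every editor start, without any user action.
STARTUP_EVENTS = {"*", "onStartupFinished"}


def inventory_extensions(ext_dir=DEFAULT_EXT_DIR):
    """Return one dict per installed extension, sorted by extension id."""
    found = []
    for manifest in Path(ext_dir).glob("*/package.json"):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the inventory
        publisher, name = pkg.get("publisher"), pkg.get("name")
        if not publisher or not name:
            continue  # not an extension manifest
        events = set(pkg.get("activationEvents") or [])
        found.append({
            "id": f"{publisher}.{name}",
            "version": pkg.get("version", "unknown"),
            "activates_on_startup": bool(events & STARTUP_EVENTS),
            "dependencies": sorted(pkg.get("dependencies") or {}),
        })
    return sorted(found, key=lambda e: e["id"].lower())


def extension_id_list(ext_dir=DEFAULT_EXT_DIR):
    """Newline-separated ids, the input shape a bulk-analyze mode would accept."""
    return "\n".join(e["id"] for e in inventory_extensions(ext_dir))


def build_sample_extension_dir():
    """Constructed sample with hypothetical publishers and names, for an offline run."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "acme.linter-1.2.0": {"publisher": "acme", "name": "linter", "version": "1.2.0",
                              "activationEvents": ["onLanguage:python"], "dependencies": {"semver": "^7.0.0"}},
        "zeta.theme-0.1.0": {"publisher": "zeta", "name": "theme", "version": "0.1.0", "activationEvents": ["*"]},
    }
    for folder, pkg in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    (root / "broken.ext-0.0.1").mkdir()  # malformed manifest, to show it is skipped
    (root / "broken.ext-0.0.1" / "package.json").write_text("{not json", encoding="utf-8")
    return root
```

Run `inventory_extensions()` with no argument against the real directory; the sample builder exists only so the logic can be exercised without touching an installation.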
shadow-ninja ◴[] No.44373131[source]
Oh yeah that's a really good idea. That would make it much easier for someone to use, though that many extensions would take a while. I would need to build up some more robust architecture before I could implement that.