Ask HN: Is this VSCode extension malicious?

3 points, posted 9 months ago
by cloogshicer

Item id: 41842530

3 Comments

calrain

9 months ago

100% stay away from it.

I think a better question is: "How can you ensure any VS Code extension is safe to use?"

Understanding exactly what an extension does and getting clarity around how it operates is something that I'd like to better understand as well.

It makes me think that moving to other editors like Neovim might be a safer way to go, if Microsoft has created an environment where malicious plug-ins can operate.

cloogshicer

9 months ago

Thanks, yeah, I def won't install it.

Looks like there are some calls to `fs` and `path`, so it's definitely reading the file system, which could be legitimate, but yeah hard to say.

Kinda wild that simply installing an extension can give the author full access and there isn't really a way to verify extension code.

I mean even if they had linked a repo that actually contained code, how can I know that the code from the repo is actually the same that gets downloaded when the extension is installed?
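The two checks raised above (what Node modules the packaged code reaches for, and whether the installed package matches the claimed repo) can be automated, since a .vsix is just a zip archive with the extension under extension/. This is an added example, not code from the thread; it inspects a constructed sample package and assumes you can build the repo locally and hash its output files under the same relative paths.

```python
import hashlib
import io
import json
import re
import zipfile

# A .vsix is an ordinary zip archive: the extension sits under "extension/" and
# "extension/package.json" names the entry script in its "main" field.
SENSITIVE_MODULES = {"fs", "path", "child_process", "net", "http", "https", "os"}
REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")


def build_sample_vsix() -> bytes:
    """Constructed sample package for the demo (not a real Marketplace .vsix)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json",
                    json.dumps({"name": "demo-ext", "main": "./out/extension.js"}))
        zf.writestr("extension/out/extension.js",
                    "const fs = require('fs');\nconst path = require('path');\n"
                    "const vscode = require('vscode');\n")
    return buf.getvalue()


def inspect_vsix(data: bytes) -> dict:
    """Report the entry script, the sensitive Node modules required anywhere in
    the package, and a SHA-256 per packaged file for comparison with a local
    build of the claimed source repository."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = json.loads(zf.read("extension/package.json"))
        main = "extension/" + manifest.get("main", "extension.js").lstrip("./")
        files = [n for n in zf.namelist() if not n.endswith("/")]
        hashes = {n: hashlib.sha256(zf.read(n)).hexdigest() for n in files}
        used = set()
        for name in (n for n in files if n.endswith(".js")):
            source = zf.read(name).decode("utf-8", "replace")
            used.update(m for m in REQUIRE_RE.findall(source) if m in SENSITIVE_MODULES)
    return {"main": main, "sensitive_modules": sorted(used), "hashes": hashes}


def compare_with_repo_build(vsix_hashes: dict, repo_hashes: dict) -> list:
    """Paths (relative to extension/) whose bytes differ between the installed
    package and a local repo build, or that exist on only one side. repo_hashes
    is assumed to map the same relative paths to SHA-256 hex digests."""
    packaged = {n[len("extension/"):]: h for n, h in vsix_hashes.items()
                if n.startswith("extension/")}
    return sorted(p for p in set(packaged) | set(repo_hashes)
                  if packaged.get(p) != repo_hashes.get(p))
```

An empty result from compare_with_repo_build means every packaged file is byte-identical to the repo build; any path listed is something to read before trusting the package, and the sensitive_modules list is only a starting point, since minified or dynamically constructed requires will not match the regex.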

LouisLazaris

9 months ago

I obviously cannot vouch for the safety of this extension, but I'll just post this quote from the VS Code docs:

> The Marketplace runs a virus scan on each extension package that's published to ensure its safety. The virus scan is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage.

Source: https://code.visualstudio.com/docs/editor/extension-marketpl...