Anavem
EnglishFrancais
Anavem
Languagefr
How to Audit and Secure VS Code Extensions After Supply Chain Attacks

How to Audit and Secure VS Code Extensions After Supply Chain Attacks

Learn to audit installed VS Code extensions, implement security policies, configure automated scanning, and set up workspace trust to protect against malicious extensions and supply chain vulnerabilities.

April 24, 2026 15 min
mediumvscode 8 steps 15 min

Why Is VS Code Extension Security Critical in 2026?

The recent Open VSX Registry vulnerability that allowed malicious extensions to bypass security vetting highlights a growing threat to developer environments. With VS Code's massive adoption and over 45,000 extensions in the marketplace, the attack surface has expanded dramatically. Supply chain attacks targeting developer tools have become increasingly sophisticated, with malicious extensions capable of stealing source code, credentials, and sensitive data from development environments.

What Makes VS Code Extensions Particularly Vulnerable?

VS Code extensions run with significant privileges within your development environment. They can access your file system, network connections, and even execute arbitrary code. The extension ecosystem's rapid growth has outpaced security measures, and even popular extensions with millions of downloads have been found to contain serious vulnerabilities. The 2026 security landscape shows that traditional trust models based on download counts and ratings are insufficient protection against sophisticated supply chain attacks.

How Does This Tutorial Address Current Security Gaps?

This guide provides a comprehensive approach to extension security that goes beyond basic marketplace trust. You'll learn to implement defense-in-depth strategies including automated vulnerability scanning, publisher verification, workspace isolation, and continuous monitoring. The tutorial leverages VS Code 1.110.1's latest security features, including trusted publisher verification and enhanced workspace trust controls, while integrating third-party security tools like VSCan and OWASP Dependency-Check for comprehensive protection.

Implementation Guide

Full Procedure

01

Inventory and Audit Your Current Extensions

Start by getting a complete picture of what extensions are currently installed in your VS Code environment. This baseline audit is crucial for identifying potential security risks.

code --list-extensions

This command outputs all installed extensions in the format publisher.extension-name. For a more detailed view with version numbers, use:

code --list-extensions --show-versions

Create a spreadsheet or text file to document each extension. For each one, note:

  • Extension name and publisher
  • Last time you actually used it
  • Whether it's essential for your workflow
  • Download count and last update date (check in VS Code Extensions view)

Verification: Open VS Code, go to Extensions (Ctrl+Shift+X), and compare the GUI list with your command output to ensure accuracy.

Pro tip: Extensions you haven't used in 6+ months are prime candidates for removal. Each unused extension increases your attack surface unnecessarily.
02

Remove Unused and High-Risk Extensions

Now systematically remove extensions that pose unnecessary risk. Start with extensions you identified as unused during your audit.

code --uninstall-extension publisher.extension-name

For bulk removal, create a script. On Linux/macOS:

#!/bin/bash
# List of extensions to remove
extensions_to_remove=(
    "publisher1.extension1"
    "publisher2.extension2"
    "publisher3.extension3"
)

for ext in "${extensions_to_remove[@]}"; do
    echo "Removing $ext..."
    code --uninstall-extension "$ext"
done

Pay special attention to extensions that have been flagged in recent security reports. As of 2026, extensions like certain versions of Live Server and Markdown Preview Enhanced have had documented vulnerabilities.

Verification: Run code --list-extensions again to confirm the extensions are gone.

Warning: Some extensions store configuration data that persists after uninstallation. Check your VS Code settings.json file and remove any orphaned configuration blocks.
03

Verify Publisher Trustworthiness and Configure Trust Settings

VS Code 1.97 introduced trusted publisher verification. Access the trust management system through the Command Palette.

Open Command Palette (Ctrl+Shift+P) and run:

Extensions: Manage Trusted Extensions Publishers

This opens a dialog showing all publishers you've previously trusted. Review each one:

  • Look for the blue checkmark indicating verified publishers
  • Remove trust from publishers you no longer recognize
  • Verified publishers have proven domain ownership and maintained good standing for 6+ months

For remaining extensions, manually verify each publisher:

  1. Open the extension in the Marketplace
  2. Check the publisher's profile and website
  3. Look for verified status (blue checkmark)
  4. Review the extension's GitHub repository if available

Configure automatic trust prompts by adding this to your settings.json:

{
    "extensions.autoCheckUpdates": true,
    "extensions.ignoreRecommendations": false,
    "security.workspace.trust.enabled": true
}

Verification: Install a new extension from an untrusted publisher - you should see a trust confirmation dialog.

Pro tip: Extensions installed via command line bypass the trust dialog. Always manually verify publishers when scripting extension installations.
04

Install and Configure VSCan for Automated Security Scanning

VSCan is a specialized tool for analyzing VS Code extensions for risky behaviors and suspicious permissions. Install it as a development dependency or global tool.

For Node.js environments:

npm install -g vscan

Or using Python pip:

pip install vscan

Create a security scanning script to regularly audit your extensions:

#!/bin/bash
# VS Code Extension Security Audit Script

echo "Starting VS Code extension security audit..."
echo "Date: $(date)"
echo "======================================"

# Get list of installed extensions
echo "Installed extensions:"
code --list-extensions --show-versions

echo ""
echo "Running VSCan analysis..."
# Run VSCan on each extension (adjust path as needed)
for ext in $(code --list-extensions); do
    echo "Scanning: $ext"
    vscan analyze "$ext" --output-format json >> extension_audit_$(date +%Y%m%d).json
done

echo "Audit complete. Check extension_audit_$(date +%Y%m%d).json for results."

Make the script executable and run it:

chmod +x audit_extensions.sh
./audit_extensions.sh

Verification: Check the generated JSON file for any high-risk findings. VSCan flags extensions with suspicious network activity, file system access, or code execution patterns.

05

Set Up OWASP Dependency-Check Integration

Install the OWASP Dependency-Check extension to scan your project dependencies for known vulnerabilities. This complements VSCan by focusing on the libraries your extensions might use.

Install the extension:

code --install-extension dependency-check.owasp-dependency-check

Configure the extension by creating a workspace setting file .vscode/settings.json:

{
    "owasp-dependency-check.enableAutoScan": true,
    "owasp-dependency-check.scanOnSave": true,
    "owasp-dependency-check.excludePatterns": [
        "**/node_modules/**",
        "**/vendor/**",
        "**/.git/**"
    ],
    "owasp-dependency-check.reportFormat": "JSON",
    "owasp-dependency-check.failOnCVSS": 7.0
}

Create a dependency check configuration file dependency-check.properties:

# OWASP Dependency Check Configuration
data.directory=~/.dependency-check-data
format=JSON,HTML
suppression.file=dependency-check-suppressions.xml
failOnCVSS=7
retireJsAnalyzer.enabled=true
nodeAnalyzer.enabled=true
npmCPEAnalyzer.enabled=true

Run a manual scan to test the setup:

dependency-check --project "VS Code Security Audit" --scan . --format JSON --format HTML

Verification: Check that the scan generates reports in both JSON and HTML formats. The HTML report provides a user-friendly view of any vulnerabilities found.

06

Configure Workspace Trust and Security Policies

Workspace Trust is a critical security feature that controls whether code in a project folder can be executed by VS Code and extensions. Configure it properly to prevent malicious code execution.

Enable Workspace Trust in your global settings:

{
    "security.workspace.trust.enabled": true,
    "security.workspace.trust.startupPrompt": "always",
    "security.workspace.trust.emptyWindow": false,
    "security.workspace.trust.banner": "always",
    "security.workspace.trust.untrustedFiles": "prompt"
}

Create a workspace trust policy file workspace-trust-policy.json:

{
    "trustedFolders": [
        "/home/user/trusted-projects",
        "/Users/user/work/company-repos"
    ],
    "untrustedFileExtensions": [
        ".exe",
        ".bat",
        ".cmd",
        ".ps1"
    ],
    "allowedExtensionsInUntrustedWorkspaces": [
        "ms-vscode.vscode-json",
        "ms-python.python",
        "ms-vscode.cpptools"
    ]
}

For enterprise environments, configure extension allowlists via Group Policy or configuration management:

{
    "extensions.autoCheckUpdates": false,
    "extensions.autoUpdate": false,
    "extensions.ignoreRecommendations": true,
    "extensions.supportUntrustedWorkspaces": {
        "ms-vscode.vscode-json": {
            "supported": true,
            "restrictedConfigurations": []
        }
    }
}

Verification: Open an untrusted folder - VS Code should prompt you about workspace trust and restrict extension functionality until you explicitly trust the workspace.

Warning: Trusting a workspace allows all extensions to execute code within that folder. Only trust workspaces containing code you've personally reviewed or from verified sources.
07

Implement Continuous Monitoring and Alerting

Set up automated monitoring to catch new vulnerabilities and suspicious extension behavior. Create a monitoring script that runs daily via cron or Task Scheduler.

Create a comprehensive monitoring script extension_monitor.sh:

#!/bin/bash

# VS Code Extension Continuous Monitoring Script
LOG_FILE="/var/log/vscode-security-monitor.log"
ALERT_EMAIL="security@yourcompany.com"
CURRENT_DATE=$(date '+%Y-%m-%d %H:%M:%S')

echo "[$CURRENT_DATE] Starting VS Code extension security monitoring" >> $LOG_FILE

# Check for new extensions
CURRENT_EXTENSIONS=$(code --list-extensions | sort)
LAST_EXTENSIONS=$(cat ~/.vscode-extensions-baseline 2>/dev/null || echo "")

if [ "$CURRENT_EXTENSIONS" != "$LAST_EXTENSIONS" ]; then
    echo "[$CURRENT_DATE] ALERT: Extension list changed" >> $LOG_FILE
    echo "New extensions detected:" >> $LOG_FILE
    comm -13 <(echo "$LAST_EXTENSIONS") <(echo "$CURRENT_EXTENSIONS") >> $LOG_FILE
    
    # Send alert email (configure sendmail or use curl with email service)
    echo "Extension changes detected on $(hostname)" | mail -s "VS Code Security Alert" $ALERT_EMAIL
fi

# Update baseline
echo "$CURRENT_EXTENSIONS" > ~/.vscode-extensions-baseline

# Run vulnerability scan
vscan analyze --all-extensions --output-format json > /tmp/vscan_results.json

# Check for high-severity findings
HIGH_SEVERITY=$(jq '.findings[] | select(.severity == "high")' /tmp/vscan_results.json)
if [ ! -z "$HIGH_SEVERITY" ]; then
    echo "[$CURRENT_DATE] CRITICAL: High-severity vulnerabilities found" >> $LOG_FILE
    echo "$HIGH_SEVERITY" >> $LOG_FILE
    echo "Critical VS Code extension vulnerabilities detected" | mail -s "CRITICAL: VS Code Security Alert" $ALERT_EMAIL
fi

echo "[$CURRENT_DATE] Monitoring complete" >> $LOG_FILE

Set up the cron job to run daily at 2 AM:

crontab -e
# Add this line:
0 2 * * * /path/to/extension_monitor.sh

For Windows, create a PowerShell version and use Task Scheduler:

# extension_monitor.ps1
$LogFile = "C:\Logs\vscode-security-monitor.log"
$CurrentDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

Add-Content -Path $LogFile -Value "[$CurrentDate] Starting monitoring"

# Get current extensions
$CurrentExtensions = & code --list-extensions | Sort-Object
$BaselineFile = "$env:USERPROFILE\.vscode-extensions-baseline"

if (Test-Path $BaselineFile) {
    $LastExtensions = Get-Content $BaselineFile | Sort-Object
    $Diff = Compare-Object $LastExtensions $CurrentExtensions
    
    if ($Diff) {
        Add-Content -Path $LogFile -Value "[$CurrentDate] ALERT: Extensions changed"
        $Diff | Add-Content -Path $LogFile
    }
}

$CurrentExtensions | Out-File $BaselineFile

Verification: Run the monitoring script manually first to ensure it works correctly. Check the log file for proper output and test email alerts.

Pro tip: Integrate this monitoring with your existing security information and event management (SIEM) system by formatting logs in JSON and sending them to your log aggregation service.
08

Create Extension Security Policies and Documentation

Document your extension security policies and create procedures for your team. This ensures consistent security practices across your organization.

Create an extension security policy document vscode-extension-policy.md:

# VS Code Extension Security Policy

## Approved Extensions
- ms-python.python (Python support)
- ms-vscode.cpptools (C++ support)
- eamodio.gitlens (Git integration)

## Prohibited Extensions
- Any extension with unverified publishers
- Extensions with known vulnerabilities
- Extensions requiring broad file system access

## Review Process
1. Security team approval required for new extensions
2. Monthly review of installed extensions
3. Immediate removal of flagged extensions

## Incident Response
1. Isolate affected systems
2. Document the incident
3. Remove malicious extensions
4. Update security policies

Create a team configuration file that can be shared via version control:

{
    "recommendations": [
        "ms-python.python",
        "ms-vscode.cpptools",
        "eamodio.gitlens"
    ],
    "unwantedRecommendations": [
        "ms-vscode.live-server",
        "shd101wyy.markdown-preview-enhanced"
    ]
}

Save this as .vscode/extensions.json in your project repositories. Create a security checklist for developers:

# Extension Security Checklist
pre_installation:
  - [ ] Verify publisher is trusted
  - [ ] Check extension permissions
  - [ ] Review recent updates and changelog
  - [ ] Confirm business need

post_installation:
  - [ ] Test extension functionality
  - [ ] Monitor system performance
  - [ ] Document installation in team tracker
  - [ ] Schedule review in 90 days

monthly_review:
  - [ ] Check for security updates
  - [ ] Verify continued business need
  - [ ] Review access logs if available
  - [ ] Update documentation

Verification: Share the policy with your team and ensure everyone understands the procedures. Test the incident response process with a simulated security event.

Frequently Asked Questions

How can I tell if a VS Code extension is safe to install?+
Check for a blue verification checkmark next to the publisher's name, indicating they've proven domain ownership and maintained good standing for 6+ months. Review the extension's permissions, check its GitHub repository for active maintenance, and verify it has regular updates. Avoid extensions with excessive file system or network access permissions unless absolutely necessary for functionality.
What should I do if I discover a malicious extension is already installed?+
Immediately uninstall the extension using 'code --uninstall-extension publisher.extension-name', then scan your system for any persistent changes. Check your VS Code settings.json for any suspicious configurations added by the extension. Review recent file access logs if available, change any credentials that might have been exposed, and report the extension to Microsoft through the marketplace.
How often should I audit my VS Code extensions for security?+
Perform a comprehensive audit quarterly, with automated monitoring running daily. Remove unused extensions immediately when identified, as each extension increases your attack surface. Set up automated alerts for new extension installations and vulnerability discoveries. Monthly reviews should check for security updates and verify continued business need for each extension.
Can workspace trust settings really prevent malicious extension behavior?+
Workspace trust provides significant protection by restricting extension functionality in untrusted folders, but it's not foolproof. Malicious extensions can still access global VS Code settings and user data. Combine workspace trust with publisher verification, regular audits, and automated scanning for comprehensive protection. Never trust workspaces containing code from unknown sources.
What's the difference between VSCan and OWASP Dependency-Check for extension security?+
VSCan specifically analyzes VS Code extension behavior, permissions, and code patterns for suspicious activities like unauthorized network access or file system manipulation. OWASP Dependency-Check focuses on known vulnerabilities in the libraries and dependencies that extensions use. Use both tools together for comprehensive coverage - VSCan for behavioral analysis and OWASP for known vulnerability detection.
Tags
#vscode#supply-chain-security#extension-security

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Deploy Phishing-Resistant Passwordless Auth in Microsoft Entra ID
tutorial
Cybersecurity

How to Deploy Phishing-Resistant Passwordless Auth in Microsoft Entra ID

Deep Dive
How to Configure Maintenance Windows in Microsoft Intune for Update Control
tutorial
Cloud Computing

How to Configure Maintenance Windows in Microsoft Intune for Update Control

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account