I’m a big fan of customizing my VSCode setup — like most devs, I’ve got a bunch of extensions installed to boost productivity and improve my workflow.
But a recent report really caught my attention: several extensions that looked completely legitimate were secretly running malicious scripts.
What Happened?
Researchers found 10 extensions on the VSCode Marketplace that:
- Disabled Windows Defender
- Gained admin privileges via PowerShell
- Installed XMRig to mine Monero in the background
- Faked install numbers to look popular
- Disguised themselves as trusted tools like Prettier and Discord Presence
Some of these showed install counts of over 900K — clearly meant to build false trust.
What This Means for Developers
It’s a serious wake-up call for all of us who rely heavily on third-party tools. Even trusted environments like VSCode aren’t immune to abuse.
Here’s how to stay safe:
- Don’t trust install counts alone — they can be manipulated
- Verify the publisher — check for an established history
- Avoid newly published extensions unless vetted
- Keep your system’s security settings enabled
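As an added example that is not part of this post, here is a small Python audit that applies the "verify the publisher" check from the list above to the package.json manifests VS Code keeps for each installed extension. The expected publisher IDs and the sample manifests are assumptions constructed for the example; confirm the IDs against the Marketplace before relying on them.

```python
"""Audit installed VS Code extension manifests for publisher impersonation."""
import json
import re
from pathlib import Path

# Well-known tool names and the publisher ID expected to ship them.
# Assumed values for this example; verify them on the Marketplace.
EXPECTED_PUBLISHERS = {
    "prettier": "esbenp",
    "discord presence": "icrawl",
}


def normalize(name: str) -> str:
    """Lower-case and strip punctuation so look-alike names compare equal."""
    return re.sub(r"[^a-z ]", " ", name.lower()).strip()


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one extension manifest (empty list means clean)."""
    findings = []
    publisher = manifest.get("publisher", "")
    display = normalize(manifest.get("displayName", manifest.get("name", "")))
    for tool, expected in EXPECTED_PUBLISHERS.items():
        # A trusted tool's name from an unexpected publisher is the impersonation pattern.
        if tool in display and publisher != expected:
            findings.append(
                f"impersonates {tool!r}: published by {publisher!r}, expected {expected!r}"
            )
    if not manifest.get("repository"):
        findings.append("no repository URL to verify provenance")
    return findings


def audit_directory(ext_dir: str) -> dict[str, list[str]]:
    """Audit every <publisher>.<name> folder under a VS Code extensions directory."""
    results = {}
    for pkg in Path(ext_dir).expanduser().glob("*/package.json"):
        manifest = json.loads(pkg.read_text(encoding="utf-8"))
        ident = f"{manifest.get('publisher')}.{manifest.get('name')}"
        results[ident] = audit_manifest(manifest)
    return results


# Constructed sample manifests: a genuine-looking entry and an impersonator.
SAMPLE_MANIFESTS = [
    {"name": "prettier-vscode", "displayName": "Prettier - Code formatter",
     "publisher": "esbenp",
     "repository": {"url": "https://github.com/prettier/prettier-vscode"}},
    {"name": "prettier-vscode", "displayName": "Prettier – Code formatter",
     "publisher": "prettier-official-team"},
]

if __name__ == "__main__":
    for ident, findings in audit_directory("~/.vscode/extensions").items():
        print(ident, findings or "ok")
```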
Microsoft has removed the malicious extensions and blocked the accounts behind them. But this incident highlights a bigger issue: the need for better vetting and more awareness on our end.
👉 I wrote a full breakdown, including the list of affected extensions and how the attack worked.
Read it here