VSCan

Detect Malicious VSCode Extensions with AI

Hundreds of malicious extensions are released on the VSCode Marketplace. VSCan analyzes these extensions to determine if they are malicious or vulnerable. Powered by LLMs, ASTs, and static analysis, it has already found hundreds of compromised extensions.
Free
Ishaan Agrawal
Maker

Did you know that VSCode extensions run with full access to your system—including file system, network, and credentials? Worse, dozens of malicious extensions have already made it into the marketplace, silently compromising devices.


I am a security researcher and student developer who ran into this problem myself. To help tackle this, I built a 100% free tool (no login required) that scans VSCode (and Cursor/Windsurf) extensions for:
- Hidden malware and obfuscated code
- Dangerous permissions and API misuse
- Vulnerable dependencies and suspicious network connections

Here are some numbers as to what I have detected from a sample of 1077 extensions that are available on the Marketplace:
- 3 extensions are marked as malicious by VirusTotal
- 7 extensions use malicious network connections (verified by VirusTotal)
- 33 extensions have dependencies with critical vulnerabilities
- 39 extensions have sensitive information (I have seen API keys, usernames, passwords, etc.)
- 204 extensions have poor development practices as marked by OSSF
- 71 extensions have very high permissions (while not bad, this can be an indicator of potential malicious activity)

Dash Cortner

The product worked really well for me. Was able to see how my own extensions fared.