
How safe are extensions in Visual Studio Code?

Can extensions introduce malware?

Is it safe to install any extension?

pkamb

1 Answer


They can contain malware, yes. When you download and run an extension, you are trusting it to do pretty much anything it wants with the permissions of your user.

VS Code does not implement sandboxing (like browsers do), and the code is not much restricted.

Having said that, a malicious extension would likely be uncovered pretty quickly. As these files are signed, a third-party attacker has no easy way to modify an existing one or somehow release a fake one; they would have to compromise the real developer first. Also, many of them are open source (which btw is no guarantee that the released version is built from the public source, but again, it is easy to check, as extensions are just zip files).

So in short: extensions can in theory be malicious, but especially in the case of well-known extensions, the likelihood of you getting a malicious version before others discover it and it gets removed is probably very low. On the other hand, extensions used by many people can be a nice target for sophisticated attackers, because security controls might sometimes be a lot more lenient than at the companies where those extensions are used.

TL;DR: only you can tell whether you want to accept the risk, which is not very high, but also not negligible, especially with smaller, niche extensions that get less thorough review by the community.

Gabor Lengyel

This shows how careless VS Code is with users' security. – Mohammed Shareef C Aug 07 '22 at 04:44

May I ask for a citation regarding "As these files are signed..."? [This issue](https://github.com/microsoft/vscode-vsce/issues/191) indicates that the Visual Studio Code Extension Manager does not support signing extensions. – DharmaTurtle Aug 31 '22 at 19:43
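As an added example (not code from the question or the answer), here is a Python script that does the check the answer alludes to: a .vsix is a zip archive, so you can read its manifest and compare every file's SHA-256 against a package you built yourself from the public source. The two packages it operates on are constructed in-memory stand-ins, not real extensions; the `extension/package.json` path and the `main`/`activationEvents` fields are the standard VSIX layout.

```python
import hashlib
import io
import json
import zipfile

def vsix_manifest(data: bytes) -> dict:
    """Pull the fields a reviewer looks at first from extension/package.json."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        pkg = json.loads(z.read("extension/package.json"))
    return {"publisher": pkg.get("publisher"), "name": pkg.get("name"),
            "version": pkg.get("version"), "main": pkg.get("main"),
            # "*" means the extension activates on every startup, not on demand
            "activationEvents": pkg.get("activationEvents", [])}

def vsix_hashes(data: bytes) -> dict:
    """Map every file in the archive to its SHA-256 (directory entries skipped)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if not info.is_dir():
                out[info.filename] = hashlib.sha256(z.read(info)).hexdigest()
    return out

def diff_packages(published: bytes, local: bytes) -> dict:
    """Files that differ between a marketplace VSIX and one built from the public source."""
    a, b = vsix_hashes(published), vsix_hashes(local)
    return {"only_in_published": sorted(set(a) - set(b)),
            "only_in_local": sorted(set(b) - set(a)),
            "changed": sorted(f for f in a.keys() & b.keys() if a[f] != b[f])}

def build_sample_vsix(files: dict) -> bytes:
    """Constructed sample package (not a real extension) so the script runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()

MANIFEST = json.dumps({"publisher": "example", "name": "demo", "version": "1.0.0",
                       "main": "./out/extension.js", "activationEvents": ["*"]})
LOCAL_BUILD = build_sample_vsix({"extension/package.json": MANIFEST,
                                 "extension/out/extension.js": "exports.activate = () => {};"})
# Same manifest and version, but the shipped JavaScript is not what the public source builds.
PUBLISHED = build_sample_vsix({"extension/package.json": MANIFEST,
                               "extension/out/extension.js": "exports.activate = () => {}; // extra",
                               "extension/out/helper.js": "module.exports = {};"})
if __name__ == "__main__":
    print(vsix_manifest(PUBLISHED))
    print(diff_packages(PUBLISHED, LOCAL_BUILD))
```

A non-empty `changed` or `only_in_published` list means the marketplace package is not a faithful build of the source you reviewed and deserves a closer look before installing.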