Ask HN: Is this VSCode extension malicious?

3 points by cloogshicer ↗ HN
I run a small programming YouTube channel and someone with a Gmail address asked if they could sponsor me.

They wanted me to review this VSCode extension[1].

Everything seems super dodgy: The extension only has 2 reviews, the linked repo[2] doesn't actually contain the source code.

I downloaded the sources from the extension marketplace, but the code is minified and obfuscated. I tried a de-minifier but the file is a few thousand lines long so it's hard to say if there's malicious code.

Is there a way to determine if this extension is safe to use? Simply installing it could give an attacker full access to my machine, right?

[1] https://marketplace.visualstudio.com/items?itemName=solomonkinard.git-blame [2] https://github.com/solomonkinard/public

3 comments

[ 4.5 ms ] story [ 19.9 ms ] thread
100% stay away from it.

I think a better question is: "How can you ensure any VS Code extension is safe to use?"

Understanding exactly what an extension does and getting clarity around how it operates is something that I'd like to better understand as well.

It makes me think that moving to other editors like Neovim might be a safer way to go, if Microsoft has created an environment where malicious plug-ins can operate.

Thanks, yeah, I def won't install it.

Looks like there are some calls to `fs` and `path`, so it's definitely reading the file system, which could be legitimate, but yeah hard to say.

Kinda wild that simply installing an extension can give the author full access and there isn't really a way to verify extension code.

I mean even if they had linked a repo that actually contained code, how can I know that the code from the repo is actually the same that gets downloaded when the extension is installed?

I obviously cannot vouch for the safety of this extension, but I'll just post this quote from the VS Code docs:

> The Marketplace runs a virus scan on each extension package that's published to ensure its safety. The virus scan is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage.

Source: https://code.visualstudio.com/docs/editor/extension-marketpl...