Your IDE extensions have more access than you think. Understand the risks and protect your development environment.
Extensions can read all your source code, including credentials in config files.
Impact: Malicious extensions can exfiltrate your codebase, API keys, and secrets.
Extensions often have permissions to read/write anywhere on your system.
Impact: Can access SSH keys, .env files, credentials outside your workspace.
Extensions can make network requests without restriction.
Impact: Can phone home with your code, send data to third parties.
Some extensions can execute commands in your terminal.
Impact: Can run arbitrary code with your user permissions.
Extensions can capture credentials you type or store.
Impact: Git credentials, API keys, passwords can be stolen.
Look for verified badges. Check if the publisher is who they claim to be.
Attackers create lookalike extensions with similar names to popular ones.
Popular, well-reviewed extensions are generally safer. Read recent reviews for security concerns.
Be suspicious of new extensions with few downloads, even if ratings are high.
Does a color theme need file system access? Question unnecessary permissions.
VS Code shows requested permissions. JetBrains plugins declare capabilities.
Abandoned extensions may have unpatched vulnerabilities.
Also check if the extension is actively maintained on GitHub.
For critical extensions, review the source code if available.
Check what data is collected, where it's sent, what permissions are used.
Each extension is an attack surface. Uninstall what you don't use.
Regular cleanup reduces your exposure to compromised extensions.
Concern: Send your code to external APIs for processing
Mitigation: Review privacy policies. Use self-hosted options for sensitive code.
Concern: May learn from and store your code patterns
Mitigation: Check data retention policies. Disable for proprietary code.
Concern: Context includes your codebase and file contents
Mitigation: Be selective about what files are open when using AI.
Popular npm package used by VS Code extensions was compromised to steal Bitcoin wallet credentials.
Lesson: Supply chain attacks can propagate through extension dependencies.
Multiple malicious extensions found on VS Code marketplace designed to steal credentials.
Lesson: Even official marketplaces can host malicious extensions. Verify publishers.
Concerns raised about AI coding assistants sending code to external servers for processing.
Lesson: Understand what data your extensions send externally, especially AI tools.
Not automatically. Extensions have broad access to your system and code. While most popular extensions from verified publishers are safe, there have been malicious extensions in the marketplace. Always verify publishers, check reviews, and audit permissions before installing.
Yes. Extensions with the right permissions can access files (including .env, config files), capture terminal input, and make network requests. A malicious extension could exfiltrate credentials stored in your workspace or typed in the terminal.
For VS Code: Open Extensions panel, review each installed extension. Check: Is publisher verified? When last updated? What permissions? Does it have a GitHub repo you can inspect? For JetBrains: Settings > Plugins > Installed. Apply the same scrutiny.
AI extensions send your code to external servers for processing. This isn't necessarily malicious, but understand: your code leaves your machine, may be logged or used for training, and travels over the network. For sensitive code, consider self-hosted AI or disable these features.
Be suspicious when permissions don't match functionality: a theme needing file system access, a linter needing network access to unknown servers, any extension wanting terminal execution. Legitimate needs exist, but question extensions that seem over-permissioned.
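The checklist above (verified publisher, lookalike names, permissions that match functionality) and the "how do I audit my installed extensions" answer can be turned into a repeatable script. The following Python is an added example, not code from the original page or from any IDE vendor. It reads the `package.json` manifest of each extension under `~/.vscode/extensions` (the default desktop layout), and falls back to a constructed set of sample manifests when that directory is absent. The allowlist `KNOWN_EXTENSIONS` is a constructed placeholder for your own vetted list; the lookalike check compares `publisher.name` against that list with a string-similarity cutoff, and the manifest checks flag unconditional activation (`activationEvents: ["*"]`) and themes that also contribute commands.

```python
"""Audit installed VS Code extensions for lookalike names and mismatched capabilities.

Added example, not from the original page. Assumptions:
- Extensions live under ~/.vscode/extensions/<publisher>.<name>-<version>/package.json.
- KNOWN_EXTENSIONS is a constructed allowlist; replace it with your own vetted list.
"""
import difflib
import json
from pathlib import Path

# Constructed allowlist of (publisher, name) pairs you have vetted. Not a real registry.
KNOWN_EXTENSIONS = {
    ("ms-python", "python"),
    ("esbenp", "prettier-vscode"),
    ("dbaeumer", "vscode-eslint"),
}
KNOWN_PUBLISHERS = {publisher for publisher, _ in KNOWN_EXTENSIONS}

# Constructed sample manifests standing in for real package.json files.
SAMPLE_PACKAGES = [
    {"publisher": "ms-python", "name": "python", "version": "2024.1.0",
     "activationEvents": ["onLanguage:python"]},
    {"publisher": "esbenp", "name": "prettier-vscode", "version": "10.1.0",
     "activationEvents": ["onStartupFinished"]},
    # Lookalike: one letter changed in a popular publisher, activates on every startup.
    {"publisher": "esbemp", "name": "prettier-vscode", "version": "10.1.0",
     "activationEvents": ["*"]},
    # A theme that also registers a command and activates unconditionally:
    # capabilities that do not match what a colour theme needs.
    {"publisher": "someone", "name": "dark-theme-pro", "version": "0.0.1",
     "activationEvents": ["*"],
     "contributes": {"themes": [{"label": "Dark Pro"}],
                     "commands": [{"command": "darkpro.sync"}]}},
]


def lookalike_of(publisher, name, known=KNOWN_EXTENSIONS, cutoff=0.8):
    """Return the vetted 'publisher.name' this one closely resembles but is not, else None."""
    if (publisher, name) in known:
        return None
    ident = f"{publisher}.{name}"
    candidates = [f"{p}.{n}" for p, n in known]
    matches = difflib.get_close_matches(ident, candidates, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def audit_package(pkg):
    """Return a list of human-readable findings for one extension manifest."""
    findings = []
    publisher, name = pkg.get("publisher", ""), pkg.get("name", "")
    lookalike = lookalike_of(publisher, name)
    if lookalike:
        findings.append(f"lookalike of {lookalike}")
    if publisher not in KNOWN_PUBLISHERS:
        findings.append("publisher not on allowlist")
    if "*" in pkg.get("activationEvents", []):
        findings.append("activates on every startup (activationEvents '*')")
    contributes = pkg.get("contributes", {})
    if "themes" in contributes and len(contributes) > 1:
        extra = sorted(k for k in contributes if k != "themes")
        findings.append(f"theme also contributes {', '.join(extra)}")
    return findings


def audit_all(packages):
    """Map 'publisher.name@version' to its findings for every manifest given."""
    return {f"{p.get('publisher')}.{p.get('name')}@{p.get('version')}": audit_package(p)
            for p in packages}


def load_installed(ext_dir=Path.home() / ".vscode" / "extensions"):
    """Read each installed extension's package.json; return [] if the directory is absent."""
    pkgs = []
    if not ext_dir.is_dir():
        return pkgs
    for manifest in ext_dir.glob("*/package.json"):
        try:
            pkgs.append(json.loads(manifest.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not abort the audit
    return pkgs


if __name__ == "__main__":
    pkgs = load_installed() or SAMPLE_PACKAGES
    for ident, findings in audit_all(pkgs).items():
        print(f"{ident}: {'; '.join(findings) if findings else 'ok'}")
```

The script reports only what the manifest declares; it does not tell you what an extension's code actually does at runtime, so treat a clean result as a reason to proceed with the rest of the checklist (publisher, update history, source review), not as a verdict. Lower `cutoff` to catch looser lookalikes at the cost of more noise.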
Last updated: January 16, 2026