Safe IDE Extensions: Key Triggers and Chunks to Watch for in Plugin Code
Background: Looking only at the well-known attack patterns found in Chrome and other browser extensions is not enough. Since we work with IDEs daily, there is another potential attack vector: malicious IDE extensions. In this article we discuss how to spot harmful chunks of code in IDEs that use the VSIX format for their extensions.
VSIX specification: VSIX is an extension format documented by Microsoft. Under the hood, many extensions are built using C#. Unlike Chrome's manifest system, which declares and restricts access scopes, VSIX extensions have no such scopes. This means an IDE extension can potentially have full access to parts of your system, so its code and behavior must be examined carefully.
Delivery method: VSIX extensions for Visual Studio Code and similar platforms are delivered through centralized registries.
Detection of code chunks from open-vsx.org: As with Chrome extensions, risks can arise from abandoned URLs embedded in extensions, repositories, and other resources. To make our lives easier, we can spot such risks by following a few simple steps.
- Download the VSIX from open-vsx.org.
- Extract the VSIX package and analyze it for abandoned URLs.
- For each URL the extension uses, make a request and check the status code. If the response is 200, the extension's link is likely safe. If the response is not 200, focus on that URL, as it could indicate a risk or a potential point of supply-chain compromise.
Such checks can be automated, and as a result, you can use the findings to better control your risks.
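A minimal automation of the three steps above, added here as an example and not the article's own code: it builds a constructed in-memory VSIX package (a plain ZIP archive) standing in for a downloaded one, extracts every URL embedded in it, and classifies each URL by HTTP status. The function names, the example.com and example.invalid hosts, and the offline stub in place of a live request are assumptions for illustration.

```python
import io, json, re, zipfile
import urllib.error, urllib.request
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")

def build_sample_vsix():  # constructed in-memory VSIX (a plain ZIP), not a real extension
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", json.dumps({
            "name": "sample-ext",
            "repository": "https://example.com/sample/repo",
            "homepage": "https://example.invalid/old-homepage",
        }))
        zf.writestr("extension/out/update.js", "const feed = 'https://example.invalid/feed.json';")
    return buf.getvalue()

def extract_urls(vsix_bytes):
    """Map every URL embedded in the package to the files that reference it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", errors="ignore")
            for url in URL_RE.findall(text):
                found.setdefault(url, []).append(name)
    return found

def http_status(url, timeout=5.0):
    """Live HEAD request: returns the status code; DNS/connection failures raise OSError."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still tell us the code
        return err.code

def classify_urls(urls, fetch_status=http_status):
    """'ok' for HTTP 200; anything else, including an unreachable host, is 'review'."""
    verdicts = {}
    for url in urls:
        try:
            status = fetch_status(url)
        except OSError:  # urllib.error.URLError is an OSError (NXDOMAIN, refused, timeout)
            status = -1
        verdicts[url] = "ok" if status == 200 else "review"
    return verdicts
if __name__ == "__main__":
    urls = extract_urls(build_sample_vsix())
    # Offline stub in place of http_status: example.com answers 200, everything else 404.
    stub = lambda u: 200 if u.startswith("https://example.com/") else 404
    for url, verdict in classify_urls(urls, stub).items():
        print(f"{verdict:6} {url}  <- {', '.join(urls[url])}")
```

Against a real download, call `classify_urls(extract_urls(open(path, "rb").read()))` so the default live `http_status` is used; every URL marked `review` is then listed with the files that reference it.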

Conclusion: The risks originating from IDEs are not the only concerns we need to be aware of as security specialists. However, we will discuss those areas in more detail in future articles.
