Show HN: VSCan - Detect Malicious VSCode Extensions

Did you know that VSCode extensions run with full access to your system—including file system, network, and credentials? Worse, dozens of malicious extensions have already made it into the marketplace, silently compromising devices.

I am a security researcher and student developer who ran into this problem myself. To help tackle this, I built a 100% free tool (no login required) that scans VSCode (and Cursor/Windsurf) extensions for:

- Hidden malware and obfuscated code

- Dangerous permissions and API misuse

- Vulnerable dependencies and suspicious network connections

Users have already found hundreds of vulnerabilities in extensions. VSCan generates a clean, developer-friendly security report to help you understand what you're installing.

Try it out: https://www.vscan.dev

I have also developed custom sandboxing security architecture to restrict extensions from malicious activity during runtime. There is no existing technology that does this, so if you would be interested in trying it out or learning more, please reach out!

I would greatly appreciate any feedback and thanks for your help!

_______________________________________________________________________________

Here are some numbers as to what I have detected from a sample of 1077 extensions that are available on the Marketplace:

- 3 extensions are marked as malicious by VirusTotal - 7 extensions use malicious network connections (verified by VirusTotal) - 33 extensions have dependencies with critical vulnerabilities - 39 extensions have sensitive information (I have seen api keys, usernames, passwords, etc.) - 204 extension have poor development practices as marked by OSSF - 71 extensions have very high permissions (while not bad can be indicator of potential malicious activity)

As an example here is the link to an extension analysis with malicious network endpoints: https://vscan.dev/?analysisId=9e6c1849-3973-402b-a4ff-3b4023...


Comments URL: https://news.ycombinator.com/item?id=44371740

Points: 11

# Comments: 6

https://vscan.dev/

Vytvořeno 14d | 25. 6. 2025 0:50:05


Chcete-li přidat komentář, přihlaste se

Ostatní příspěvky v této skupině

Show HN: I built a tool to solve window management

Hello, my name is Andrew. I'm an indie developer and I'm excited to release Smart Switcher for Windows 10/11. I'm looking for feedback on the overall project and the application itself.

I built

8. 7. 2025 17:50:31 | Hacker news
Show HN: Sumble – knowledge graph for GTM data – query tech stack, key projects

I’m Anthony, co-founder/CEO of Sumble. I was previously co-founder/CEO of Kaggle. Sumble is my newco with Ben Hamner (former co-founder and CTO of Kaggle).

### What we built

Sumble is a knowle

8. 7. 2025 17:50:30 | Hacker news