Developers Are Victims Too: A Comprehensive Analysis of The VS Code Extension Ecosystem
Shehan Edirimannage, Charitha Elvitigala, Asitha Kottahachchi, Kankanamge Don, Wathsara Daluwatta, Primal Wijesekara, Ibrahim Khalil

TL;DR
This paper analyzes nearly 53,000 VS Code extensions to assess their security risks, revealing that a significant portion exhibit suspicious behavior and highlighting security gaps in the extension ecosystem.
Contribution
It provides a comprehensive analysis of VS Code extensions, identifying security threats and vulnerabilities in the extension ecosystem that impact developers and organizations.
Findings
~5.6% of extensions have suspicious behavior
VS Code lacks effective security controls for extensions
Untrusted third-party code runs unchecked in VS Code
Abstract
With the wave of high-profile supply chain attacks targeting development and client organizations, supply chain security has recently become a focal point. As a result, there is an elevated discussion on securing the development environment and increasing the transparency of the third-party code that runs in software products to minimize any negative impact from third-party code in a software product. However, the literature on secure software development lacks insight into how the third-party development tools used by every developer affect the security posture of the developer, the development organization, and, eventually, the end product. To that end, we have analyzed 52,880 third-party VS Code extensions to understand their threat to the developer, the code, and the development organizations. We found that ~5.6% of the analyzed extensions have suspicious behavior, jeopardizing the…
Taxonomy
Topics: Software Engineering Research · Software Engineering Techniques and Practices · Software Reliability and Analysis Research
