Generally considered secure, VS Code extensions could expose millions of developers to malicious attacks, potentially leading to the compromise of information stored on developer machines, such as credentials, or even opening the route to further attacks.

Snyk’s security researchers analyzed popular VS Code extensions that start web servers, which are typically accessible locally via a browser, and discovered that malicious actors could exploit vulnerabilities in the web server to target the developers using these extensions. The attacks demonstrated by Snyk only require the victim to click on a link.