The extension chatgpt-china by WhenSunset was flagged by vscan.dev as critical risk since the trojan.corgi/malcorgi threat was detected. The extension has 1.3 million users, posing a significant risk to each individual.
Microsoft only started really cracking down on malicious extensions relatively recently (<1 year ago).
Despite their best efforts, the marketplace is getting increasingly dangerous. The list published here is of malicious extensions that were discovered only after allowing them free reign on the marketplace - imagine how many are still out there.
I published a paper to solve the "unrestricted access" dangerous VSCode Extensions have.
The paper outlines a 3-part automated system:
1. Risk profile VS Code Extensions
2. Generate per-extension sandboxing policies automatically
3. Enforce sandboxing at runtime without disrupting existing system
The goal was an extremely low-profile system that doesn't require additional software. This could be an important asset in the increasingly dangerous and unregulated VSCode extension ecosystem.
Btw, the risk-profiling section is an evolution of my free extension scanner vscan.dev. If you have any questions about vscan.dev, you can reach out at vscandevteam@gmail.com.
Hm, all the links seem to work for me on Chrome. Could you let me know which specific link isn't working (is it just for that extension or for all extensions)?
I restricted it to one expanded at a time since more than one felt a bit crowded but that's something I might look into.
Thanks for the feedback. I am constantly trying to refine the scoring metrics to make sure that these popular extensions that often need high permissions aren't flagged as a lower score than they should receive. It is a bit difficult though, as higher permissions do indicate a higher potential for abuse, so it's a balancing act. As for showcasing the vulnerabilities, that's a good idea; I'll definitely implement it.
Thanks for the suggestion. I was thinking about making this into a Chrome web extension that people can use on a marketplace page, or even using MCP to make this tool really accessible for Cursor and Windsurf users.
As for the raw name, most extensions should work if you just put the display name. The search algorithm directly pulls from the vscode marketplace.
I have 70 extensions installed though. Turns out there is a cli flag to print them, though: "code --list-extensions"
If you update your UI to accept a "bulk analyze" mode where a list of newline extensions could be submitted and rendered out on a page, that would be pretty cool.
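An added example (not vscan.dev's code or the paper's implementation) showing what a "bulk analyze" pass over `code --list-extensions` output could look like, combined with a minimal version of the risk-profiling step from the three-part system described above. The indicators, weights and thresholds are constructed heuristics for illustration, and the loader assumes the standard `~/.vscode/extensions/<publisher>.<name>-<version>/package.json` layout with the entry point named in the manifest's `main` field; the sample extensions and their source snippets are constructed too.

```python
"""Bulk risk profile of installed VS Code extensions (illustrative example).

The scoring below is a constructed heuristic, not vscan.dev's model: it flags
manifests that activate on every startup and entry-point sources that reach for
process spawning, raw networking, environment variables or dynamic code.
"""
import json
import re
from pathlib import Path

# Source-level indicators -> (human-readable reason, weight). Constructed for this example.
SOURCE_INDICATORS = {
    r"require\(['\"]child_process['\"]\)": ("spawns subprocesses", 3),
    r"require\(['\"](?:net|http|https|dns)['\"]\)": ("opens raw network connections", 2),
    r"\bprocess\.env\b": ("reads environment variables (tokens, keys)", 2),
    r"\beval\(|new Function\(": ("executes dynamically built code", 3),
    r"\bos\.homedir\(\)": ("reaches outside the workspace", 1),
}


def parse_list_output(text: str) -> list[str]:
    """Turn `code --list-extensions` output into a list of publisher.name ids."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def profile_extension(ext_id: str, manifest: dict, source: str) -> dict:
    """Score one extension from its manifest and entry-point source."""
    score, reasons = 0, []
    events = manifest.get("activationEvents", [])
    if "*" in events or "onStartupFinished" in events:
        score += 2
        reasons.append("activates on every VS Code start")
    for pattern, (label, weight) in SOURCE_INDICATORS.items():
        if re.search(pattern, source):
            score += weight
            reasons.append(label)
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"id": ext_id, "score": score, "level": level, "reasons": reasons}


def load_installed(ext_dir: Path) -> dict[str, tuple[dict, str]]:
    """Read package.json and the `main` entry point of every extension under ext_dir.

    Assumes the usual ~/.vscode/extensions layout; folders are publisher.name-version.
    """
    found = {}
    for pkg in ext_dir.glob("*/package.json"):
        manifest = json.loads(pkg.read_text(encoding="utf-8"))
        ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()
        source = ""
        main = manifest.get("main")
        if main:
            entry = pkg.parent / main
            if entry.suffix == "":
                entry = entry.with_suffix(".js")
            if entry.exists():
                source = entry.read_text(encoding="utf-8", errors="replace")
        found[ext_id] = (manifest, source)
    return found


def bulk_profile(list_output: str, installed: dict[str, tuple[dict, str]]) -> list[dict]:
    """Profile every id in the list output; highest score first, unknown ids last."""
    report = []
    for ext_id in parse_list_output(list_output):
        entry = installed.get(ext_id.lower())
        if entry is None:
            report.append({"id": ext_id, "score": None, "level": "unknown",
                           "reasons": ["not found on disk"]})
            continue
        manifest, source = entry
        report.append(profile_extension(ext_id, manifest, source))
    return sorted(report, key=lambda r: (r["score"] is None, -(r["score"] or 0)))


# Constructed sample data standing in for `code --list-extensions` and the install dir.
SAMPLE_LIST_OUTPUT = "example.tidy-formatter\nexample.cloud-helper\nexample.missing-ext\n"
SAMPLE_INSTALLED = {
    "example.tidy-formatter": (
        {"publisher": "example", "name": "tidy-formatter",
         "activationEvents": ["onLanguage:python"], "main": "./out/extension.js"},
        "const vscode = require('vscode');\nexports.activate = (ctx) => { /* formatter */ };\n",
    ),
    "example.cloud-helper": (
        {"publisher": "example", "name": "cloud-helper",
         "activationEvents": ["*"], "main": "./out/extension.js"},
        "const cp = require('child_process');\nconst https = require('https');\n"
        "exports.activate = () => { const t = process.env.GITHUB_TOKEN; cp.exec('whoami'); };\n",
    ),
}


def sample_report() -> list[dict]:
    return bulk_profile(SAMPLE_LIST_OUTPUT, SAMPLE_INSTALLED)


if __name__ == "__main__":
    # Real use: replace SAMPLE_* with subprocess output of `code --list-extensions`
    # and load_installed(Path.home() / ".vscode" / "extensions").
    for row in sample_report():
        print(f"{row['level']:8} {row['id']:28} {row['score']}  {'; '.join(row['reasons'])}")
```

The on-disk loader only reads the entry point named in `main`, so bundled dependencies and lazily required files are not inspected; a real scanner would walk the whole extension folder and weigh the manifest's `contributes` section as well.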
Oh yeah, that's a really good idea. That would make it much easier for someone to use, though that many extensions would take a while. I would need to build up some more robust architecture before I could implement that.